Release Notes: 3-DNS Controller version 4.5.9

Applies To:


3-DNS Controller versions 1.x - 4.x

  • 4.5.9
Software Release Date: 01/13/2004
Updated Date: 04/18/2019

Summary:

This release note documents version 4.5.9 of the 3-DNS software. You can apply the software upgrade to version 4.5 and later. For information about installing the software, please refer to the instructions below.

F5 now offers both maintenance-only and new feature releases. Version 4.5.9 is a maintenance-only release which includes security updates and enhancements that stabilize the version 4.5 software, but it contains no major new features. For more information on our new release policies, refer to SOL2965: Description of the F5 Networks software version number format.

Version 4.5.9 is a release that addresses an error in the 4.5 PTF-08 code.



Minimum system requirements

The minimum system requirements for this release are:

  • Intel® Pentium® III 550MHz processor
  • 512MB disk drive or CompactFlash® card
  • 256MB RAM
  • Supported browsers: Microsoft® Internet Explorer 5.0, 5.5, or 6.0; Netscape® Navigator 4.7x

Note: The IM package for this PTF is quite large. If the disk drive in your platform does not meet the minimum requirement, you may not be able to successfully install this PTF.


Installing the software

Important: If you are upgrading a 3-DNS Controller that belongs to a sync group, you must remove the controller from the sync group before you apply the PTF. Failure to do so may cause irrevocable damage to the controllers in the sync group that are running older versions of the software. Once you have upgraded all controllers to the same version, you can then re-create the sync group. For details on removing a controller from a sync group, see Removing a controller from a sync group. Once you have removed the controller from the sync group, you can proceed with the PTF installation.

Note:  If you are installing the 3-DNS Controller module on a BIG-IP system, refer to the BIG-IP version 4.5.9 note for instructions on installing the software. Installing the 4.5.9 software on BIG-IP version 4.5 also applies the upgrade to the 3-DNS module. The enhancements, fixes, and known issues for the 3-DNS Controller, however, are available only in the 3-DNS Controller version 4.5.9 release note.

Note:  If you have installed prior PTFs, this installation does not overwrite any configuration changes that you made for the prior PTFs.

The following instructions explain how to install the 3-DNS Controller version 4.5.9 onto existing systems running version 4.5 and later. The installation script saves your current configuration.

Once you install and license the software, refer to the Required configuration changes section, which contains important information about changes you must make before using the new software.

  1. Go to the Downloads site and locate the 3-DNS version 4.5.9 upgrade file, BIGIP_4.5.9_Upgrade.im.

    3-DNS is not listed as a product line on the Downloads site; the image file is listed under the BIG-IP 4.x product line.

  2. Download the software image.

    For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

  3. If you downloaded the image file to a directory other than /var/tmp, copy the image file to the /var/tmp/ directory on your 3-DNS system.

     

  4. Install the PTF by typing the following command:
    im BIGIP_4.5.9_Upgrade.im

The 3-DNS Controller automatically reboots once it completes installation.

Updating the big3d agent

Warning: If you have BIG-IP systems that are running software versions 4.5PTF-04 through 4.5PTF-08, we recommend that you do not update the big3d agent on those systems. For details, review the known issue "Updating the big3d agent and BIG-IP versions 4.5PTF-04 through 4.5PTF-08" in the Known issues section of this note.

After the PTF installation has completed, you need to install the new version of the big3d agent on all BIG-IP systems and EDGE-FX systems known to the 3-DNS Controller, as follows:

  1. Log on to the 3-DNS Controller at the command line.

  2. Type 3dnsmaint to open the 3-DNS Maintenance menu.

  3. Select Install and Start big3d, and press Enter.
    The 3-DNS Controller detects all BIG-IP systems and EDGE-FX systems in the network, and updates their big3d agents with the appropriate version of the agent.

  4. Press Enter to return to the 3-DNS Maintenance menu.

  5. Type Q to quit.

For more information about the big3d agent, see the 3-DNS Reference Guide.


New features and fixes in this PTF

This PTF includes the following new features and fixes.

BIND Vulnerability VU#734644, ISC BIND 8 vulnerable to cache poisoning via negative responses (CR30822)
This PTF addresses the BIND vulnerability that is described in Vulnerability Note VU#734644 on the CERT® Coordination Center Web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/734644.


Features and fixes released in prior PTFs

The current PTF includes the following features and fixes released in prior PTFs, as listed below. (Prior PTFs are listed with the most recent first.)

Version 4.5 PTF-08

Global Availability or Ratio load balancing within a pool  (CR13112)
The 3-DNS Controller now properly handles larger configurations when you create a pool for a new or for an existing wide IP, and you use the Global Availability or Ratio load balancing methods.

Log messages for enabled objects  (CR25809)
The 3-DNS Controller now generates a log entry when a disabled object is re-enabled, either by a user or by the system.

Changing the prober IP address for a host  (CR26318)
In the Configuration utility, on the Modify Host screen, if you change the prober IP address to an address other than the default, you can now reset the prober IP address back to the default (which is 127.0.0.1) without editing the wideip.conf file.

Enhancements to the big3d agent and service checks using the TCP protocol (CR26325)
You can now configure the big3d agent to fully close the connection when performing a service check (rather than having the agent just send a reset packet). For information on configuring this option, see Fully closing TCP connections.

Redundant systems and synchronizing the regkey.license file  (CR27020)
When you save a .ucs file on a unit in a redundant system, the save process no longer synchronizes the regkey.license file between the two units. Note that this issue affected only redundant systems.

BIG-IP version 3.3.1 and compatibility with 3-DNS Controller version 4.5  (CR27201)
The big3d agent that is shipped in 3-DNS Controller version 4.5 no longer causes fatal errors on a BIG-IP system version 3.3.1 if you update the big3d agent on the BIG-IP system to the newer big3d agent.

New option to save UCS files without including private keys  (CR27236)
You can now save a UCS file without including the private keys stored in the /config/bigconfig/ssl.key directory (only keys from this directory are excluded). To create a UCS file that does not include these private keys, use the following bigpipe command:
b config support save <filename>
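
Because only keys under /config/bigconfig/ssl.key are excluded, it is worth checking what key material a saved archive still carries before it leaves the controller. The following is an added example, not F5 code: it assumes a UCS file is a gzip-compressed tar archive, and the member names in the sample archives are constructed.

```python
import io
import tarfile

# Directory the release note says "b config support save" leaves out.
EXCLUDED_KEY_DIR = "config/bigconfig/ssl.key"

# PEM headers that mark private key material wherever it is stored.
PEM_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)


def normalise_name(name):
    """Strip leading './' and '/' so member names compare consistently."""
    while name.startswith("./"):
        name = name[2:]
    return name.lstrip("/")


def audit_ucs(fileobj, max_scan_bytes=1 << 20):
    """Return (files under the excluded key dir, files elsewhere holding PEM keys).

    Assumption: the UCS file is a (possibly compressed) tar archive.
    Only the first max_scan_bytes of each member are scanned.
    """
    in_key_dir, pem_elsewhere = [], []
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            if not member.isfile():
                continue
            name = normalise_name(member.name)
            if name.startswith(EXCLUDED_KEY_DIR + "/"):
                in_key_dir.append(name)
                continue
            head = archive.extractfile(member).read(max_scan_bytes)
            if any(marker in head for marker in PEM_KEY_MARKERS):
                pem_elsewhere.append(name)
    return sorted(in_key_dir), sorted(pem_elsewhere)


def build_sample_ucs(entries):
    """Build an in-memory tar.gz from {member name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as archive:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


# Constructed placeholder, not a real key.
FAKE_PEM = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"constructed-placeholder\n"
    b"-----END RSA PRIVATE KEY-----\n"
)

# Constructed sample: a full save that still includes the key directory.
SAMPLE_FULL = {
    "./config/bigconfig/ssl.key/site.key": FAKE_PEM,
    "config/example/old-backup.key": FAKE_PEM,
    "config/example/app.conf": b"# constructed config\n",
}

# Constructed sample: a support save; the key directory is gone, but a key
# that an administrator copied to another directory is still present.
SAMPLE_SUPPORT = {
    "config/example/old-backup.key": FAKE_PEM,
    "config/example/app.conf": b"# constructed config\n",
}

if __name__ == "__main__":
    for label, sample in (("full", SAMPLE_FULL), ("support", SAMPLE_SUPPORT)):
        in_dir, elsewhere = audit_ucs(build_sample_ucs(sample))
        print(label, "key dir:", in_dir, "PEM elsewhere:", elsewhere)
```

To audit a real archive, open it in binary mode and pass the file object to audit_ucs; a non-empty second list means private keys stored outside the excluded directory are still in the file.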

Sync groups and the default wideip.conf file  (CR27366)
If you manage your 3-DNS Controllers using a sync group, and on one of the sync group members you delete the wideip.conf file and then restart the 3dnsd daemon, the 3dnsd daemon creates a new default wideip.conf file that contains only basic system configuration information. The sync process no longer overwrites the wideip.conf file of the other sync group members with this newer default file, which had effectively erased the real configuration.

Viewing router and link status in the Configuration utility  (CR27776)
The router status now displays correctly on the Metrics & Limits statistics screen, in the Configuration utility, when all the links for a router are down (red ball).

New Link Discovery setting for BIG-IP systems and 3-DNS Controllers  (CR27790)
You can now specify whether the 3-DNS Controller automatically adds (discovers) the default router and associated links, by using the Link Discovery option, for the following server types: BIG-IP and 3-DNS. If you want the 3-DNS Controller to discover only system settings and virtual servers for these server types, then you select OFF for the Link Discovery setting. Note that the Discovery option must be set to ON in order for the Link Discovery option to work. For details on configuring the Link Discovery setting, see Configuring link discovery, in the Optional configuration changes section of this note.

The Check Static Depends settings and load balancing virtual servers  (CR27919)
When the Check Static Dependencies global setting and the Check Static Depends setting for a specific wide IP pool are different, the 3-DNS Controller no longer overrides the specific pool setting with the global setting.

The include geoloc "netIana.inc" directive and modifying the configuration using the Configuration utility (CR27929)
When you use the Configuration utility to modify your configuration, and you have added the include geoloc "netIana.inc" directive to the wideip.conf file, the Configuration utility no longer deletes the include directive when you make changes to the configuration.

Adding virtual servers to host configurations and Configuration utility errors  (CR27930)
The Configuration utility no longer experiences errors when you add more than one virtual server to a host server configuration.

The all-ip option for the big3d agent and self IP addresses  (CR28086)
When you enable the all-ip option for the big3d agent, the agent now uses all of the configured self IP addresses, including floating self IP addresses on redundant systems.

Upgrades and overwriting the 3dns_snmptrap.conf file  (CR28152)
When you upgrade to the current PTF, the upgrade no longer overwrites the existing 3dns_snmptrap.conf file during the upgrade process. If you have added custom traps to the file, you no longer need to create a backup file before you apply the upgrade.

ECV service checks and FTP status code 125  (CR28295)
An ECV service check on the FTP service no longer causes the controller to incorrectly mark a virtual server as down (red ball) if that virtual server returns the FTP status code 125 in response to the ECV query. The 3-DNS Controller now recognizes the FTP status code 125.

ECV service monitors and setting the ECV scan level to None  (CR28606)
When you configure ECV service monitors for a wide IP, and you set the scan level to None, those ECV service monitors are now recognized and probed by the 3dnsd process. Additionally, the ECV service monitors are now properly displayed on the ECV Statistics screen in the Configuration utility.

Configuring multiple router objects using the Configuration utility  (CR29204)
Configuring multiple router objects no longer causes the Configuration utility to produce errors.

The Discovery setting and BIG-IP systems running the 3-DNS module  (CR29270)
If you are running the 3-DNS module on a BIG-IP system, the options for the Discovery setting now display properly for both server types, in the Configuration utility.

The Restart big3d command in the 3-DNS Maintenance menu  (CR29390)
The Restart big3d command, in the 3-DNS Maintenance menu, now restarts the big3d agent as expected.

Using a wildcard port in a wide IP port list and errors in the Configuration utility   (CR29455)
The Configuration utility no longer experiences errors when you configure a wildcard port (port 0) in a wide IP port list.

The checktrap.pl script and the enterprise OID in traps  (CR29481)
When the checktrap.pl script issues traps, it now sends the correct enterprise OID in the trap.

System errors and deleting paths that are in use by a peer sync group member  (CR29682)
The 3-DNS Controller no longer experiences system errors when the system tries to delete a path that is in use by a peer sync group member. Note that this occurred in very rare circumstances, when the controller was under extreme load.

System errors and using the Round Robin LDNS option in a pool that has no virtual servers  (CR29712)
The 3-DNS Controller no longer experiences system errors if you enable the Round Robin LDNS option on a pool that has no virtual servers configured.

Updating the big3d agent on BIG-IP systems running version 4.2PTF-01 through 4.2PTF-05 software  (CR29783)
When you install the updated big3d agent on BIG-IP systems running the following software versions:  4.2PTF-01, 4.2PTF-02, 4.2PTF-03, 4.2PTF-04, 4.2PTF-05, the 3-DNS Controller now properly recognizes these software versions.

Timer error in BIND  (CR29795)
A rare issue with timer updates in the BIND version 8 code has been fixed.

Adding disabled virtual servers to existing wide IPs and load balancing  (CR29943)
When you add a virtual server to an existing wide IP, and the virtual server state is disabled or disabled by parent, the 3-DNS Controller now honors the disabled status and no longer uses the virtual server for load balancing.

Version 4.5 PTF-07

The 4.5 PTF-07 release contained an important fix for BIG-IP Link Controller, and support for new BIG-IP Blade Controllers.

Version 4.5 PTF-06

The 4.5 PTF-06 release included the following features and fixes.

Limits for current connections on BIG-IP systems (CR27048)
When you set a limit on current connections for a BIG-IP system, and that connection limit has been exceeded, the 3-DNS Controller no longer uses the virtual server belonging to the BIG-IP system as a response to a query.

Fallback load balancing method and Round Robin load balancing mode (CR27590)
If you set the fallback load balancing method for a wide IP pool to Round Robin, and no virtual servers in the pool are available for load balancing, the 3-DNS Controller no longer returns only the first virtual server listed in the pool.

Adding virtual servers to hosts and Configuration utility errors (CR27926)
The Configuration utility no longer experiences fatal errors when you add a virtual server to an existing host definition.

Version 4.5 PTF-05

The 4.5 PTF-05 release included the following features and fixes.

Specified gigabit duplex setting on switches with fixed duplex settings  (CR27755)
If your 3-DNS Controller is using gigabit interfaces and is plugged into a switch with a fixed duplex setting, you no longer need to configure the 3-DNS Controller gigabit interface and the port on the switch to Auto before applying this PTF. The link between the 3-DNS Controller and the switch now functions correctly.

Router link status no longer displays incorrectly  (CR27756)
Receiver 3-DNS Controllers in a sync group now correctly probe the state of the router links that are in their own data center. When the controller monitors virtual servers in the same data center, the virtual servers inherit the correct state of the router link.

bigpipe system configuration commands now function properly  (CR27759)
The bigpipe commands that write system configuration information (such as b save and b list) now function properly on the 3-DNS Controller.

Version 4.5 PTF-04

The 4.5 PTF-04 release included the following features and fixes.

Changing the CORBA port number using the Configuration Utility (CR19780)
You can no longer change the CORBA port number using the Configuration Utility. The CORBA IIOP port should be set only to the default setting of 683.

SNMP traffic and a VLAN that has port lockdown enabled (CR22677)
A VLAN configured with port lockdown enabled no longer accepts SNMP traffic, unless you have explicitly enabled the SNMP port using the open_snmp_port global setting.

Disabling SNMP and rebooting the controller (CR22762)
When you disable SNMP using the Configuration utility and you reboot the controller, the bigstart script no longer generates a new snmp.conf file.

Network failover option (CR23127)
You can now configure network failover using the Configuration utility. You use either hard-wired failover or network failover when you have a redundant system. You configure network failover on the System - General screen, in the Configuration utility. For more information on the settings on this screen, click Help on the toolbar.

Address translation for host virtual servers (CR24370)
You can now configure address translations for host virtual servers. If firewall devices in your network separate the 3-DNS Controller from the host servers, you can use address translations to ensure that the 3-DNS Controller distributes the routable address for the virtual server, rather than the actual address. To configure address translations for host virtual servers, see the Configuring address translations for host virtual servers section of this PTF note.

Upgrades and process checking in the snmpd.conf file (CR24450)
When you upgrade the software, the process checking entries (proc) in the snmpd.conf file are no longer populated with incorrect values.

Obsolete script (CR24478)
The 3-DNS Controller no longer uses the sync_requests script. This script has been removed from the controller.

Remote LDAP authentication and login errors (CR24487)
If you mistype the login name while using remote LDAP authentication rather than RADIUS authentication, you no longer see a RADIUS error message.

Performance enhancements (CR24491)
The automatic discovery process, autoconf, has been improved so that it loads larger configurations more quickly.

Enabling one-time automatic discovery in the Setup utility (CR24565)
The Setup utility now includes an option to enable automatic discovery of the local system's configuration, and its peer's configuration, if applicable, when you run the Setup utility for the first time. Note that this option is most useful if you are running the 3-DNS Controller module on a BIG-IP system. You can find more information about automatic discovery (autoconf) in the 3-DNS Reference Guide, version 4.5.

Logging for synchronization (CR24598)
The synchronization process now generates informational and error log messages. You can view the synchronization log messages either by using the Configuration utility, or from the command line. To view the log messages using the Configuration utility, expand the Log Files item in the navigation pane, and then click 3-DNS.

Naming pools (CR24767)
When you create a new pool, and you use the name of a pool that already exists, the 3-DNS Controller no longer overwrites the original pool with the new pool's information.

LDAP authentication and user names (CR24880)
If you use LDAP authentication, and you use the user name "user", the system no longer fails to update the configuration.

Changing the iQuery protocol when you have a sync group configured (CR24927)
In the Configuration utility, on the System - General screen, when you change the iQuery Protocol setting from TCP to UDP, the synchronization process no longer breaks.

The OID for the shutdown trap in the SNMP MIB (CR25059)
The shutdown trap, in the SNMP MIB, now has the correct object identifier (OID) associated with it so this trap now functions properly.

Probing for host virtual servers and scalability (CR25153)
The service checks and probing for host virtual servers have been optimized so that the probing is more efficient. Host virtual server probes are better distributed throughout the probing interval, and require less system resources.

Broken links on the Configuration utility welcome screen (CR25249)
In the Configuration utility, under Additional Software Downloads on the welcome screen, the 3-DNS MIB and DNS MIB links now work properly.

The big3d agent for version 4.1.1 and version 4.1.1 PTFs (CR25251)
The big3d agent for products running version 4.1.1 software, or any version 4.1.1 PTF, is now included in this PTF. If you are running a version 4.1.1 system, be sure to update the big3d agent using the process in the Updating the big3d agent section of this PTF note.

Obsolete variables removed from system (CR25322, CR25325)
The following variables are now obsolete, and have been removed from the system:

Configuration utility format | Command line format
Allow Fragmentation | allow_frag
Probe From Distance | probe_from_distance
n/a | dump_regions

Several non-configurable variables no longer exposed in the Configuration utility (CR25324, CR25892)
The following non-configurable variables are no longer listed on the Global Statistics screen, in the Configuration utility:
dns_ttl, dump_regions, dump_topology, iquery_tag, link_compensate_inbound, link_compensate_outbound, link_compensation_history, link_limit_factor, link_prepaid_factor, lower_bound_pcnt_col, lower_bound_pcnt_row, max_link_over_limit_count, over_limit_link_limit_factor, paths_noclobber, persist_mask, probe_from_distance, resolver_rx_buf_size, resolver_tx_buf_size, rtt_allow_frag, rtt_retire_zero, rx_buf_size, tdapi_gap_ttl, tdapi_msg_ttl, timer_sync_state, traceroute_port, tx_buf_size.

The following settings were removed from the System - General screen, in the Configuration utility:

  • iQuery Settings, Transfer Buffer
  • iQuery Settings, Receive Buffer
  • Resolver Buffer Sizes, Transfer
  • Resolver Buffer Sizes, Receive

Synchronization and removing the include geoloc "netIana.inc" directive (CR25402)
If you have a sync group configured, and you remove the include geoloc "netIana.inc" directive from one of the sync group members because you are not using Topology load balancing for any pool or wide IP, the synchronization process now removes the directive from the other members of the sync group.

Probing large configurations on BIG-IP systems and CPU usage (CR25407)
The big3d agent has been optimized so that it no longer consumes a large percentage of the CPU when the 3-DNS Controller is probing larger BIG-IP configurations.

BIG-IP virtual server status and node connection limits (CR25473)
When you have configured a node connection limit for a BIG-IP virtual server, the 3-DNS Controller no longer displays that virtual server as down (red ball) if the node connection limit is set to zero (0).

Error messages for the checkd process on standalone 3-DNS Controllers (CR25476)
If you have a standalone 3-DNS Controller, the checkd process (which is not used by the 3-DNS Controller) no longer generates error messages in the /var/log/bigd file.

Interoperating with SEE-IT® Network Manager (CR25573)
In 3-DNS Controller version 4.5, the format of the /VERSION file has been modified so that the version 4.5 software is now compatible with the SEE-IT Network Manager.

Synchronizing Link Controllers with 3-DNS Controllers (CR25753)
If your network includes both 3-DNS Controllers and Link Controllers, you can add the Link Controllers to the 3-DNS sync group, if you have one configured. For details on adding a Link Controller to a 3-DNS sync group, see the Adding a Link Controller to a 3-DNS sync group section of this PTF note.

New support for NetApp server (CR25847)
The 3-DNS Controller can now load balance to, and collect metrics from, the Network Appliance™ NetApp® server. In addition to load balancing to virtual servers on the NetApp server, the 3-DNS Controller can collect the following metrics: kilobytes per second throughput, packets per second throughput, current connections, disk usage percentage, memory usage percentage, CPU usage percentage.

You configure the NetApp server as a host server type. For more information on adding a NetApp server as a host server, see the Adding a NetApp server to the configuration section of this PTF note.

Errors in the 3dparse script and virtual server dependencies (CR26031)
If you configure a virtual server dependencies list for a virtual server that contains the virtual server itself, the 3dparse script no longer causes system errors.

Users with read-only or partial read/write permissions and deleting objects in the Configuration utility (CR26171)
Users who have read-only or partial read/write permissions for the Configuration utility can no longer delete self IPs for 3-DNS Controllers or for routers. By default, users with these permission levels are not able to delete any objects in the Configuration utility.

Loading large configurations and web server errors (CR26248)
When the 3-DNS Controller is loading a large configuration, you no longer see server errors in the Configuration utility.

Using the Hops load balancing method and CPU usage (CR26261)
The CPU usage no longer spikes under the following conditions:

  • You are using the Hops load balancing mode
  • You have configured a hops access control list (ACL) that consists of topology regions
  • You have set a probe threshold for topology

 

The OpenSSL package has been upgraded (CR26518)
The OpenSSL package has been upgraded to version 0.9.7a. This upgrade addresses several recent security issues with OpenSSL. For more information on the resolved security issues, see the CERT web site at http://www.cert.org.

Virtual servers with disabled VLANs and memory leak (CR26535)
A virtual server with a disabled VLAN no longer causes the 3-DNS Controller to experience a slow memory leak.

Version 4.5 encryption key size and system errors on previous software versions (CR26550)
The encryption key size in version 4.5 software is now backward-compatible with BIG-IP systems running previous software versions. The affected software versions are BIG-IP version 3.1 through BIG-IP version 4.2 PTF-09.

Log rotation for the ITCM.log file (CR26781)
The frequency of the log rotation for the ITCM.log file has been increased from once every 7 days to once every 24 hours. This improves the system efficiency if you are monitoring the controller with the iControl Services Manager.

RADIUS authentication for the default role on the 3-DNS Controller module (CR26931)
If you are running the 3-DNS Controller module on a BIG-IP system, the module no longer ignores the RADIUS authentication parameters for the default user role.

OpenSSL timing attack vulnerability (VU#997481) (CR26966)
The vulnerability that is outlined in VU#997481, Cryptographic libraries and applications do not adequately defend against timing attacks, has been addressed in this PTF. For details on the vulnerability, see http://www.cert.org.

Memory leak in the 3dnsd daemon and large configurations (CR27015)
The 3dnsd daemon no longer experiences a memory leak if a BIG-IP definition in the configuration contains more than 50 virtual servers, and you are using automatic discovery (autoconf).

Script to set up core capture
We have added a new script to automate core capturing on a 3-DNS Controller, if the controller has a hard drive. The script runs automatically after you install this PTF and reboot the system. It provides functionality to enable and disable core capture.

After you install this PTF, the script runs, and creates the /var/crash directory. In addition, if the swap partition on the primary drive is not sufficiently large to capture the core file, but another unused partition is found to be, that partition is used for core capture.

You can disable this functionality with the following command:
config_savecore -disable

You can re-enable the functionality with the following command:
config_savecore -enable

Important: As long as this functionality is enabled, you see the message "savecore: no core dump" during boot time.

Version 4.5 PTF-03

There were no features or fixes for 3-DNS Controller in version 4.5 PTF-03.

Version 4.5 PTF-02

The 4.5 PTF-02 release included the following features and fixes.

Enhancements to load balancing
This PTF adds two new load balancing modes, Drop Packet and Explicit IP. We recommend that you use these new load balancing modes only for the fallback method. The 3-DNS Controller uses the fallback method when the preferred and alternate load balancing modes do not provide at least one virtual server to return as an answer to a query. When you specify the Drop Packet mode, the 3-DNS Controller does nothing with the packet, and simply drops the request. (Note that a typical LDNS server iteratively queries other authoritative name servers when it times out on a query.) When you specify the Explicit IP mode, the 3-DNS Controller returns the IP address that you specify as the fallback IP as an answer to the query. Note that the IP address that you specify is not monitored for availability before being returned as an answer. When you use the Explicit IP mode, you can specify a disaster recovery site to return when no load balancing mode returns an available virtual server.

You can configure the new load balancing modes for the fallback method either using the Configuration utility or from the command line. For information on configuring the fallback method with the new load balancing modes, see the Configuring the Drop Packet and Explicit IP load balancing modes section of this PTF note.

Large configurations and misleading error messages (CR19843)
When the 3dnsd process is loading a large configuration, you may see a warning message now, instead of an error message.

Updated 3-DNS Reference Guide PDF (CR22017)
The 3-DNS Reference Guide has been updated to include Appendix A, 3-DNS Configuration File. The updates to this appendix include the revised data structures and the new configuration options for routers and links.

UDP checksums and TFTP packets  (CR22113, CR25181)
In rare instances, the checksums for TFTP packets were incorrect. This issue has been resolved.

Apache web server and the CERT Coordination Center vulnerability, VU#672683 (CR24689)
This PTF addresses the vulnerability in the Tomcat package for the Apache web server that is described in Vulnerability Note VU#672683 on the CERT® Coordination Center web site. For more information on the vulnerability, see http://www.kb.cert.org/vuls/id/672683.

Turning off automatic synchronization and persistent LDNS requests (CR24869)
If you turn off automatic synchronization on a 3-DNS Controller, and if the 3dnsd process on that controller loses network communications with the other 3dnsd processes in the network, the controller now synchronizes LDNS requests that occur during the time that the 3dnsd process is offline.

iControl BaseServer::get_interfaces function and the 3dnsd process (CR24912)
The following iControl function, ITCMGlobalLB::BaseServer::get_interfaces, no longer causes the 3dnsd process to stop running when you specify an invalid type within the function.

Synchronization and the netIana.inc file (CR24928)
The include geoloc "netIana.inc" directive is now synchronized between the members of a sync group.

Root servers list for BIND (CR25064)
The root servers list file for BIND, root.hint, has been updated to include the most current list of root servers.

Errors on the System - General screen in the Configuration utility (CR25143)
You can now change any of the settings on the System - General screen in the Configuration utility, and you no longer see error messages when you do so.

Invalid metrics statistics and graphs for down remote links (CR25146)
The Link Statistics screen, in the Configuration utility, no longer displays very large, invalid values for remote links that are down (red ball). The link statistics graphs now accurately display the data for both the link that is down, and any available links.

Path probing requests and data centers with no defined router (CR25155)
If a data center contains at least one 3-DNS Controller, BIG-IP system, or EDGE-FX system, the big3d agent now issues path probing requests to that data center, regardless of whether you have defined a router for the data center.

Using a serial terminal as a console (CR25183)
This PTF fixes the functionality for using a serial terminal as the console, as described in the 3-DNS Reference Guide, Chapter 6, Monitoring and Administration, so that it works with all 2U controller platforms.

Version 4.5 PTF-01

The 4.5 PTF-01 release included the following fix.

CA-2002-31, Multiple Vulnerabilities in BIND
This PTF addresses the security vulnerabilities that are listed in CERT® advisory, CA-2002-31, Multiple Vulnerabilities in BIND. This PTF upgrades the BIND package to version 8.3.4. For more information on the CERT advisory, see http://www.cert.org/advisories/CA-2002-31.html.


Required configuration changes

Once you have installed the software, you must make the following required configuration changes.

Updated big3d agent for version 4.5 and later (CR25255)
The big3d agent has been updated, and is not compatible with the previously-released big3d agents. Therefore, you must distribute the updated big3d agent to the BIG-IP systems in your network so that the metrics collection on the 3-DNS Controller functions properly. For details on distributing the updated big3d agent, see the Updating the big3d agent section of the installation instructions for this PTF.


Optional configuration changes

Once the software is installed, you have the option of making any or all of the following configuration changes.

Adding a Link Controller to a 3-DNS sync group

If you have both 3-DNS Controllers and one or more Link Controllers in your network, you can add the Link Controllers to the 3-DNS Controllers' sync group in a few simple steps. Adding a Link Controller to a 3-DNS sync group involves three tasks:

  • Run the merge_configs script on the sync group's principal controller.

  • Add the Link Controller to the sync group using the principal controller's Configuration utility.

  • Run the 3dns_add script on the Link Controller.

The following sections explain the specific steps for each of the previous tasks. You must perform these tasks in the order they are listed.

Important: Before you add the Link Controller to the 3-DNS sync group, we recommend that you back up both the 3-DNS configuration and the Link Controller configuration.

To run the merge_configs script

From the command line on the principal 3-DNS Controller, run the merge_configs script by typing the following command, where <ip_address> is the IP address of the Link Controller that you want to add to the sync group.
/usr/local/bin/merge_configs -peer <ip_address>

To make the sync group aware of the Link Controller

Using the Configuration utility on the principal 3-DNS Controller, add the Link Controller to the sync group.

  1. In the navigation pane, click 3-DNS Sync.
    The Synchronization screen opens.

  2. On the toolbar, click Add to Group.
    The Add a 3-DNS to a Sync Group screen opens.

  3. Check the box next to the controller that you want to add to the sync group, and click Add.

To add the Link Controller to the sync group and start synchronization

The final step in adding the Link Controller to a 3-DNS sync group is to run the 3dns_add script on the Link Controller. The script moves the synchronized configuration to the Link Controller, and finalizes the sync group setup.

  • From the command line of the Link Controller, run the 3dns_add script.
    3dns_add
    The script runs, and finalizes the setup of the sync group.

Adding a NetApp server to the configuration

You add a NetApp server to the 3-DNS configuration as a host.

To add a NetApp server using the Configuration utility

  1. In the navigation pane, expand the Servers item, and then click Host.
    The Host List screen opens.

  2. On the toolbar, click Add Host.
    The Add New Host screen opens.

  3. Add the settings for the NetApp server, and click Next.
    The Data Centers screen opens.

  4. Select the data center where the NetApp server is located, and click Next.
    The Configure Virtual Server screen opens.

  5. Add the settings for the virtual server, and click Finish.
    The Host List screen opens, where the new NetApp server is listed at the bottom of the list.

  6. In the Server Name column, click the name of the newly-created server.
    The Modify Host screen opens.

  7. On the toolbar, click SNMP Configuration.
    The Host SNMP Configuration screen opens.

  8. On the Host SNMP Configuration screen, configure the following settings:
    • Check the SNMP Enabled box.
    • In the Type list, select NetApp.
    • Modify the remaining settings, if required.


  9. Click Update.
    The 3-DNS Controller can now collect metrics and performance information about the NetApp server.

Note: For more information on any of the settings on the screens in the Configuration utility, click Help on the toolbar.


Configuring the Drop Packet and Explicit IP load balancing modes

You can configure the fallback method using the new load balancing modes either by using the Configuration utility, or by editing the wideip.conf file from the command line. You can specify either the Drop Packet load balancing mode, or the Explicit IP load balancing mode. Note that if you specify the Explicit IP mode, you also specify a fallback IP address.

To configure the fallback method with the Drop Packet mode using the Configuration utility

  1. In the navigation pane, click Wide IPs.
    The Wide IP List screen opens.

  2. In the Wide IP column, click the name of the wide IP that you want to modify.
    The Modify Wide IP screen opens.

  3. On the toolbar, click Modify Pool.
    The Modify Wide IP Pools screen opens.

  4. In the Pool Name column, click the name of the pool that you want to modify.
    The Modify Load Balancing screen opens.

  5. In the Load Balancing Modes, Fallback box, select Drop Packet.

  6. Click Update.
    The Configuration utility updates the configuration with the changes.

To configure the fallback method with the drop_packet mode from the command line

  1. To ensure that the configuration files contain the same information as the memory cache, type the following command:
    3ndc dumpdb

  2. Open the /etc/wideip.conf file in a text editor (either vi or pico).

  3. Use the syntax highlighted in the following sample to configure the fallback method with the drop_packet mode.

  4. Save and close the file.

  5. Commit the changes to the configuration by typing:
    3ndc reload

 

Syntax example for the Drop Packet (drop_packet) load balancing mode.
wideip {
...
   pool {
      name     "Pool"
      dynamic_ratio     yes
      preferred     qos
      alternate     rr
      fallback     drop_packet
      address     <vs_ip_address>
      address     <vs_ip_address>
   }
}

 

To configure the fallback method with the Explicit IP mode using the Configuration utility

  1. In the navigation pane, click Wide IPs.
    The Wide IP List screen opens.

  2. In the Wide IP column, click the name of the wide IP that you want to modify.
    The Modify Wide IP screen opens.

  3. On the toolbar, click Modify Pool.
    The Modify Wide IP Pools screen opens.

  4. In the Pool Name column, click the name of the pool that you want to modify.
    The Modify Load Balancing screen opens.

  5. In the Load Balancing Modes, Fallback box, select Explicit IP.

  6. In the Fallback IP box, type the IP address for the server or host to which you want the 3-DNS Controller to forward the packet.

  7. Click Update.
    The Configuration utility updates the configuration with the changes.

To configure the fallback method with the explicit_ip mode from the command line

  1. To ensure that the configuration files contain the same information as the memory cache, type the following command:
    3ndc dumpdb

  2. Open the /etc/wideip.conf file in a text editor (either vi or pico).

  3. Use the syntax highlighted in the following sample to configure the fallback method with the explicit_ip mode.

  4. Save and close the file.

  5. Commit the changes to the configuration by typing:
    3ndc reload

Syntax example for the Explicit IP (explicit_ip) load balancing mode.
wideip {
...
   pool {
      name     "Pool"
      dynamic_ratio     yes
      preferred     qos
      alternate     rr
      fallback     explicit_ip
      fallback_ip     <ip_address>
      address     <vs_ip_address>
      address     <vs_ip_address>
   }
}
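
A pre-reload check for the fallback settings described above, as an added example that is not part of the release note or of F5's tooling: it parses pool blocks in the layout of the two syntax examples and reports pools whose fallback and fallback_ip settings do not agree. It assumes wideip.conf blocks are brace-delimited with one key and value per line; the rule that flags a fallback_ip under a different fallback mode is this example's own lint rule, and the sample pools and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample in the layout of the syntax examples above. Pool names
# and addresses are made up (documentation ranges), not taken from the page.
SAMPLE = """\
wideip {
...
   pool {
      name     "PoolA"
      preferred     qos
      alternate     rr
      fallback     explicit_ip
      fallback_ip     192.0.2.10
      address     198.51.100.1
   }
   pool {
      name     "PoolB"
      preferred     rr
      fallback     explicit_ip
      address     198.51.100.2
   }
   pool {
      name     "PoolC"
      preferred     rr
      fallback     drop_packet
      fallback_ip     not-an-ip
      address     198.51.100.3
   }
}
"""

OPEN_RE = re.compile(r"^(\w+)\s*\{$")   # e.g. "pool {"
PAIR_RE = re.compile(r"^(\w+)\s+(.+)$")  # e.g. "fallback     explicit_ip"


def parse_pools(text):
    """Return one dict per pool block, mapping each key to its list of values."""
    pools, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        opened = OPEN_RE.match(line)
        if opened:
            stack.append((opened.group(1), {}))
        elif line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: '}}' without an open block")
            kind, settings = stack.pop()
            if kind == "pool":
                pools.append(settings)
        elif stack:
            pair = PAIR_RE.match(line)
            if pair:  # anything else ("...", blank lines) is skipped
                key, value = pair.groups()
                stack[-1][1].setdefault(key, []).append(value.strip().strip('"'))
    if stack:
        raise ValueError(f"unclosed '{stack[-1][0]} {{' block")
    return pools


def check_fallback(pool):
    """Return (pool_name, problem) tuples for one parsed pool."""
    name = pool.get("name", ["<unnamed>"])[0]
    mode = pool.get("fallback", [None])[-1]
    fallback_ips = pool.get("fallback_ip", [])
    findings = []
    # The page states that Explicit IP mode also needs a fallback IP address.
    if mode == "explicit_ip" and not fallback_ips:
        findings.append((name, "explicit_ip fallback without a fallback_ip"))
    # Lint rule of this example (an assumption): a fallback_ip under another
    # mode usually means the mode was changed and the address left behind.
    if fallback_ips and mode != "explicit_ip":
        findings.append((name, f"fallback_ip set but fallback is {mode}"))
    for value in fallback_ips:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            findings.append((name, f"fallback_ip is not an IP address: {value}"))
    return findings


def lint_wideip_conf(text):
    """Check every pool block in the given wideip.conf text."""
    findings = []
    for pool in parse_pools(text):
        findings.extend(check_fallback(pool))
    return findings


if __name__ == "__main__":
    for pool_name, problem in lint_wideip_conf(SAMPLE):
        print(f"{pool_name}: {problem}")
```

Run it against a copy of /etc/wideip.conf taken after 3ndc dumpdb and before 3ndc reload; a ValueError points at unbalanced braces left by the edit.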

 


Configuring address translations for host virtual servers

You can now configure address translations for host virtual servers. This is beneficial when there is a firewall separating the 3-DNS Controller from the host.

To configure an address translation for a host virtual server using the Configuration utility

  1. In the navigation pane, expand the Servers item, and then click Hosts.
    The Host List screen opens.

  2. In the Host column, click the name of the host whose virtual servers you want to modify.
    The Modify Host screen opens.

  3. On the toolbar, click Translate Virtual Server.
    The Modify Virtual Server Translations screen opens.

  4. On the toolbar, click Add Translate.
    The Add Translation to Host Virtual Server screen opens.

  5. In the Host Virtual Server list, select the virtual server for which you want to add an address translation.

  6. Add the translation settings, and click Add.
    The Modify Virtual Server Translations screen opens, where the virtual server and its translation are now listed.

Note: For more information on any of the settings on the screens in the Configuration utility, click Help on the toolbar.


Configuring link discovery

If you want the 3-DNS Controller to detect the links and associated routers for a BIG-IP system, you can configure the Link Discovery setting for that BIG-IP system. By default, the Link Discovery setting is not enabled. Additionally, you can configure the Link Discovery setting for any 3-DNS Controllers you have in the configuration.

To configure link discovery using the Configuration utility

  1. In the navigation pane, expand the Servers item, and then click BIG-IP.
    The BIG-IP List screen opens.

  2. Click the name of the BIG-IP system that you want to modify.
    The Modify BIG-IP screen opens.

  3. In the Link Discovery box, select one of the following options:
    • OFF - When you select OFF, the 3-DNS Controller does not automatically detect the link and router information for the BIG-IP system, and does not add that information to the configuration.

    • ON - When you select ON, the 3-DNS Controller automatically detects the link and router information for the BIG-IP system, and adds that information to the configuration. With this setting, the controller automatically updates the configuration, including deleting link or router information if it is obsolete.

    • ON/NO DELETE - When you select ON/NO DELETE, the 3-DNS Controller automatically detects the link and router information for the BIG-IP system, and adds that information to the configuration. With this setting, the controller automatically updates the configuration if it changes, but does not delete any configuration information.

  4. Click Apply when you have finished.
    The controller updates the configuration with the new settings.

Fully closing TCP connections

Use the following instructions to configure the big3d agent so that the agent fully closes partial TCP connections. Note that the default behavior for the big3d agent is to issue a reset packet (RST) for partial TCP connections.

To configure the big3d agent to fully close TCP connections

From the command line, type big3d -use-tcp-connect, and press Enter.

The following additional options are available for the big3d agent:

  • For syntax information, type big3d -h.

  • To revert to the default behavior, type bigstart restart big3d.

Known issues

The following items are known issues in the current release.

Multiple Configuration utility sessions and modifying a configuration (CR9333)
The 3-DNS Configuration utility does not refresh properly when you have multiple Configuration utility sessions open for more than one F5 system, and you make a change to the 3-DNS Controller's configuration. The Configuration utility for the controller that you are not modifying updates automatically, while the Configuration utility for the controller that you are modifying does not update automatically. Note that this happens only when you are either enabling or disabling objects, or setting limits for an object. You can avoid this issue by opening only one browser session at a time when you are modifying a configuration.

Statistics screens and viewing 3-DNS status (CR9452)
When you disable a 3-DNS Controller that is a member of a sync group, the 3-DNS Statistics and Sync Group Statistics screens (in the disabled system's Configuration utility only) display an inaccurate status (a red ball) for all of the other 3-DNS systems in the same sync group. You can see the correct status of the systems in the 3-DNS Statistics and Sync Group Statistics screens of any enabled 3-DNS Controller in the sync group.

Prober statistics and Internet Explorer 5.0 and later (CR10153)
When you are viewing Histograms or Metrics on the Prober Statistics screen, you might encounter errors if you are using Microsoft Internet Explorer 5.0 or later. We recommend using the following procedure to view the Histograms or Metrics.

  1. In the navigation pane, expand the Statistics item, and click Probers.
  2. In the Prober Statistics screen, click either Metrics or Histogram.
    A dialog box appears.
  3. Select Save this file to disk and click OK.

The browser saves the file, and you can now open the file using Microsoft Excel.

ArrowPoint CS150 and metrics collection (CR10361)
The 3-DNS Controller collects metrics on packets per second and kilobytes per second only for HTTP traffic on the current ArrowPoint CS150 server.

The kilobytes per second rate as displayed for the ArrowPoint CS150 is approximately 16 times smaller than it should be. The total byte count returned from the ArrowPoint MIB is 16 times smaller than the total byte count that was actually handled.

Netscape Navigator and the Network Map (CR11161)
The Network Map does not display large configurations properly when you run Netscape on a UNIX or Linux platform. We recommend that you use a Windows-based browser to view large network configurations with the Network Map.

Network Map and multiple browser sessions (CR11173)
When you view the Network Map, you might get an error when you open additional browser sessions with Internet Explorer or Netscape Navigator. This error only occurs if the additional browser sessions use Java applets. We recommend that you close any additional browser sessions before viewing the Network Map.

Wide IP production rules (CR11710)
When you create a wide IP production rule with a Date/Time time variable, the production rule action does not stop in the time frame that you specify in the Stop Time box. We recommend that you do not configure a production rule with the Date/Time time variable.

Sync group names in the Configuration utility (CR14955)
In the Configuration utility, you may get an internal server error, and you may not be able to delete the sync group, if you use special characters in the sync group names. To avoid this error, use only alphanumeric, underscore ( _ ), hyphen ( - ) or space characters in the sync group names.

Adding servers using the Configuration utility and the Back button in Internet Explorer (CR15345)
Occasionally, when you add a new server to the 3-DNS configuration using the Configuration utility, and you are using the Configuration utility in a Microsoft® Internet Explorer browser session, you may get an error when you use the Back button to return to a previous screen. The error is benign, and you can click any item in the navigation screen to clear the error.

Opening PDF files from the 3-DNS Controller home screen (CR15901)
Occasionally, when you open any of the PDF files available on the home screen of the Configuration utility, the CPU usage for your work station may spike to 100%. To avoid this problem, right-click the name of the PDF file that you want to open, and choose Save Target As to save the PDF file on your workstation. You can then open the PDF file using Adobe® Acrobat® Reader, version 3.0 and later.

Enabling the IP classifier (CR18264)
If you use the Topology load balancing feature, you must make the following change to the wideip.conf file so the 3-DNS Controller can classify continent and country of origin for local DNS servers.

  1. From the command line, type the following command to ensure that the configuration files contain the same information as the memory cache.
    3ndc dumpdb
  2. Open the /etc/wideip.conf file using either the pico or vi text editor.

  3. Add the following line to the include statement in the wideip.conf file.
    include geoloc "netIana.inc"
    The include statement loads the IP classifier so Topology load balancing can classify LDNS requests.

  4. Save and close the wideip.conf file.

  5. Commit the change to the configuration:
    3ndc reload

Note: If you have a sync group configured, you must enable the IP classifier on each member of the sync group.

Upgrading the software and the MindTerm SSH Console (CR18436)
When you upgrade the software for 3-DNS Controller, you cannot use the MindTerm SSH Console, because the upgrade stops and restarts the SSH service. To upgrade the software, use a serial console instead.

Using the 3-DNS Controller in bridge mode (CR18873)
You cannot configure the 3-DNS Controller in bridge mode using a remote connection or using the Configuration utility. You must configure bridge mode using a local connection. For details on configuring bridge mode, see the Configuring bridge mode section of this release note.

Special characters in pool names and viewing the Network Map (CR19756)
When you use the colon character ( : ) in a pool name, and then try to view the Network Map, the Network Map does not display. To avoid this error, do not use the colon character in pool names.

The 3dpipe utility and pool names (CR20183)
The 3dpipe utility does not properly parse pool names that contain numbers only.

CPU usage statistics for EDGE-FX Caches (CR21325)
On the EDGE-FX Cache Statistics screen, in the Configuration utility, the 3-DNS Controller incorrectly reports the CPU usage statistic for the EDGE-FX Cache.

Time-to-live (TTL) values for resource records (CR22025)
If you set the pool TTL to a value that is different from the wide IP TTL, the dig command displays the wide IP TTL rather than the pool TTL in the answer packet. This occurs only when all the virtual servers in the pool are unavailable. Resource records in the DNS configuration are set with the wide IP TTL instead of the pool TTL. If you change the pool TTL, the TTL for the resource records does not change to the updated TTL. Therefore, when the 3-DNS Controller is unable to load balance a request, and returns the request to DNS, the resource record contains the wide IP TTL rather than the pool TTL.

Clean installations of the 3-DNS Controller software and the Default data center (CR23028)
When you install the 3-DNS Controller version 4.5 software, and you do not have a previous configuration file, the controller creates a default data center labeled Default. To move any objects that are in the Default data center to a data center that you create, see the Moving objects from the Default data center to a newly-created data center section of this release note. Note that this occurs only on a BIG-IP system with the 3-DNS module.

Renaming a wide IP that has aliases using the Configuration utility and synchronization (CR23224)
When you rename a wide IP, and the wide IP has aliases, the order of the wide IP name and alias may appear in reverse order when you look at the wide IP in the Configuration utility of another controller in the sync group. Note that this error does not affect domain name resolution.

Configuring production rules (CR23327)
In the Configuration utility, when you create a production rule, you cannot use the Description box to add a description of the production rule. If you type text into the Description box, the controller ignores it, and the text is not saved.

Upgrading the software and home screen errors in the Configuration utility (CR23710)
When you are upgrading a 3-DNS Controller from version 4.2 to version 4.5, you may see the BIG-IP system home screen instead of the 3-DNS home screen. This occurs only once: after you upgrade the software and before you upgrade the license file using the new licensing process. Note that this does not affect the 3-DNS Controller module on the BIG-IP system.

Graph titles on the P95 Billing Estimate statistics screen (CR23770)
When you change the date or time range on the P95 Billing Estimate statistics screen in the Link Statistics, the titles on the graphs do not update to reflect the changes. If you are using Internet Explorer, you can update the titles by holding down the Control key, right-clicking in the screen, and then clicking Refresh. If you are using Netscape Navigator, you can update the titles by holding down the Shift key, right-clicking in the screen, and then clicking Refresh.

Date ranges on the P95 statistics screen (CR23784)
The graphs on the P95 statistics screen do not check for dates in the future. If you enter a date that is later than the current date, you may get inaccurate graphs.

Synchronization and modifying the configuration (CR24081)
If you are updating a configuration using the Configuration utility, and another member of the sync group initiates the synchronization process, you get a notification screen that indicates that you cannot update the configuration. To work around this issue, wait for a minute, click the browser's Back button, and continue updating the configuration. Note that this issue is most likely to occur when you are using multiple browser sessions to update the sync group's configuration. We recommend that you use only one browser session (and controller) to update the sync group's configuration.

Unit ID numbers for a redundant system and the auto-configuration process (Discovery) (CR24734)
The auto-configuration process does not recognize the unit ID numbers for the units in a redundant system. The process does, however, properly add the configuration information for both units.

The Network Map and viewing wide IP information (CR24750)
In the Network Map, in the Configuration utility, when you highlight a wide IP, the information table displays an IP address for the wide IP. The IP address is not a valid IP address; rather it is a randomly generated number. Note that this error is benign because the 3-DNS Controller no longer associates an IP address with a wide IP.

The Network Map and viewing the enabled/disabled status of a virtual server (CR24751)
When you disable a virtual server that is in a wide IP that has manual resume enabled, the information table in the Network Map does not display the correct status for the virtual server. To view the correct status for the virtual server, in the navigation pane, expand the Statistics item, and then click Virtual Servers. The E/D column displays the correct status for the virtual server.

Viewing wide IPs created in the 3-DNS Controller module from the Link Controller module (CR24842)
Wide IPs that you create in the 3-DNS Controller module that contain more than one pool display only the first pool of the wide IP in the Inbound LB screen in the Link Controller module. You may encounter this known issue only when you are running a BIG-IP system with both the 3-DNS Controller module and the Link Controller module.

Single data center configuration and default gateway probing (CR25507, CR29281)
By default, the 3-DNS Controller, or another F5 product on behalf of a 3-DNS Controller, polls its default gateway with big3d using ICMP every two seconds. If no response is received from the default gateway, the 3-DNS Controller may mark all systems in the data center down. This behavior may be considered undesirable in a single data center configuration. If you have this type of configuration we recommend that you check to make sure that all 3-DNS Controllers, or F5 products probing on behalf of the 3-DNS Controller, are able to reach the default gateway through ICMP. If you are unable to configure all 3-DNS Controllers or F5 products probing on behalf of a 3-DNS Controller with ICMP access to the default gateway, we recommend that you limit probing to a single F5 product that is able to reach the default gateway through ICMP.

Configuring SSH access host restrictions (CR25530)
In previous versions, the /etc/ssh3/sshd2_config and /etc/sshd_config files controlled SSH access. When you upgrade to version 4.5, the system ignores any SSH access restrictions that were configured in those files, and reverts to an SSH access level that allows all hosts to connect. If you require SSH access to be restricted to certain networks or IP addresses, you must reconfigure these restrictions once you have completed the upgrade. To do this, type the following command to start the Setup utility, and then press Enter:
setup
Choose option (S) Configure SSH, and set the restrictions you prefer.

Adding support access after initial setup (CR25821)
If you add support access with the (Y) Set support access option in the Setup utility after you complete the initial setup of the system, the support IP addresses are not added to the hosts.allow file. To correct this situation, run the (S) Configure SSH option in the Setup utility to re-initialize the SSH information on the system.
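
A post-upgrade check for the two SSH issues above (CR25530 and CR25821), as an added example that is not part of the release note or of F5's tooling: it reads hosts.allow content and reports rules that open SSH to all hosts, plus expected client entries that are missing. It assumes the file uses standard TCP wrappers syntax and that the SSH service is listed as sshd or sshd2; the sample contents and addresses are constructed.

```python
import re

# Assumption: daemon names under which the SSH service appears in hosts.allow.
SSH_DAEMONS = ("sshd", "sshd2")

# Constructed samples in TCP wrappers (hosts_access) syntax.
AFTER_UPGRADE = """\
# constructed: SSH open to every host
ALL: 127.0.0.1
sshd: ALL
"""

RESTRICTED = """\
# constructed: SSH limited to one management range and one host
sshd: 192.0.2.0/255.255.255.0, \\
      198.51.100.25
"""


def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:  # file ended on a continuation line
        yield start, buf


def ssh_rules(text, daemons=SSH_DAEMONS):
    """Return the rules that apply to the SSH daemon, in file order."""
    rules = []
    for lineno, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # daemon_list : client_list [ : option ]  (IPv6 literals not handled)
        fields = line.split(":", 2)
        if len(fields) < 2:
            continue
        daemon_list = re.split(r"[\s,]+", fields[0].strip())
        clients = [c for c in re.split(r"[\s,]+", fields[1].strip()) if c]
        if not any(d == "ALL" or d.split("@")[0] in daemons for d in daemon_list):
            continue
        # Only patterns before EXCEPT grant access.
        granted = clients[: clients.index("EXCEPT")] if "EXCEPT" in clients else clients
        rules.append({"line": lineno, "clients": clients, "open": "ALL" in granted})
    return rules


def audit(text, expected_clients=(), daemons=SSH_DAEMONS):
    """Summarize open SSH rules and expected entries that are not listed."""
    rules = ssh_rules(text, daemons)
    listed = {c for rule in rules for c in rule["clients"]}
    return {
        "open_lines": [rule["line"] for rule in rules if rule["open"]],
        "missing": [c for c in expected_clients if c not in listed],
    }


if __name__ == "__main__":
    print(audit(AFTER_UPGRADE, ["192.0.2.0/255.255.255.0"]))
    print(audit(RESTRICTED, ["192.0.2.0/255.255.255.0", "198.51.100.25"]))
```

An empty open_lines list is not proof of restriction on its own: under TCP wrappers, a client that matches no rule in either hosts.allow or hosts.deny is granted access, so review hosts.deny as well.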

VLAN names and syntax errors (CR25890)
VLAN names that start with the text vlan, and are followed by any number of digits (for example, vlan123), cause a syntax error. We recommend that you do not use the text, vlan, as the initial portion of a VLAN name.

Creating invalid interface names (CR25950)
It is possible to create invalid interface names in your configuration by entering an invalid VLAN name from the command line. For more information about invalid VLAN names, see (CR25890).

Changing iControl settings and restarting the CORBA portal (CR26384)
If you use the Setup utility (setup) to change iControl settings, you must manually restart the CORBA portal. To restart the CORBA portal, type the following commands from the command line:

bigstart shutdown portal
bigstart startup

LDAP group name naming conventions (CR26418)
LDAP authentication for groups does not work properly when there are spaces in the group name. To avoid authentication issues with groups when you use LDAP authentication, do not use spaces in the group names.

Disabling the SNMP Auth Trap Enable setting using the Configuration utility (CR26610)
If you try to disable the Auth Trap Enable setting on the SNMP Administration screen in the Configuration utility, the SNMP configuration file, /etc/snmpd.conf, is modified with an incorrect setting of 0 (zero), and the following error is generated in the SNMP log:
"/etc/snmpd.conf: line ##: Error: authtrapenable must be 1 or 2"
To correct this error and disable the Auth Trap Enable setting, you can edit the /etc/snmpd.conf file, and change the authtrapenable value to 2 (disable).

Losing connectivity during configuration of second unit in a redundant system (CR26705)
When you configure a unit from the command line Setup utility (setup), we recommend that you reboot the unit after you complete the configuration. This activates the license and allows traffic to pass through the system. Also, before you reboot the system, the unit is in the active mode and unlicensed. While the unit is in the active mode, the other unit in the redundant system is placed in standby mode. If left in this state, traffic cannot pass through the system.

Sync groups and upgrading software versions (CR26784)
When you are upgrading the software on 3-DNS Controllers that belong to a sync group, you must temporarily remove the controller you are upgrading from the sync group before you apply the upgrade. This is because the synchronization process cannot synchronize controllers that are running different software versions, including different PTF versions. See the Removing a controller from a sync group work-around, following the Known issues section of this release note, for configuration details.

The 3dns_add script and mixed versions of the 3-DNS software (CR26884)
If you are adding a new 3-DNS Controller to an existing sync group, the new 3-DNS Controller must be running the same version of the 3-DNS software as the controllers that are already in the sync group. If the controllers are running mixed versions of the 3-DNS software (for example, 3-DNS Controller, version 4.2 PTF-09, and 3-DNS Controller, version 4.5 PTF-03), the 3dns_add script fails because the script does not check versions. For more information on working with the 3dns_add script, see the 3-DNS Administrator Guide, version 4.5.

Changing the system IP address and updating the IP address for the CORBA portal in bigdb (CR27037)
If you change the IP address of the system using the Configuration utility, the system does not update the IP address for IIOP and FSSL for the CORBA portal in the bigdb. To change the CORBA address for IIOP and FSSL, run the Setup utility (setup) from the command line, and choose the option (I) Initialize iControl portal.

CompactFlash® media drives and logging for the named daemon (CR27132)
When the named daemon is running, it generates status and usage messages as part of its normal behavior. If you are running the named daemon on a system with a CompactFlash media drive, these messages may fill up the /var/log/messages file. To avoid this, periodically delete the status and usage messages for the named daemon.

RADIUS server configuration and Netscape (CR27212)
If you configure remote login for RADIUS, and you set an invalid IP address for the primary RADIUS server, and a valid IP address for the secondary RADIUS server, you may not be able to log in using a Netscape browser. This can also happen if your primary RADIUS server is down. We recommend that you use an alternative browser with this type of configuration.

User administration for remote authentication using the Configuration utility (CR27223)
With remote authentication configured, if you use the Configuration utility to add a new user, you may receive an internal server error message when you press Enter, and then click the Done button. The user is added when you press Enter. When using local authorization, the Enter key is ignored, and you must click the Done button in order to add a new user.

Auto-discovery and 127.0.0.X addresses (CR27252)
The auto-discovery process discovers all addresses on a BIG-IP system, even those in a non-routable address space (for example 127.0.0.X). This may cause the 3dnsd daemon to stop running. To avoid this issue, turn off auto-discovery for the BIG-IP systems that manage resources on a non-routable subnet, as detailed in the Turning off the auto-discovery process for a BIG-IP system work-around, which follows the Known issues section of this release note.

Deleting the default gateway pool using the Setup utility (CR27260)
The command line Setup utility (setup) does not delete the default gateway pool when you remove all of the pool's members. To work around this issue, delete the default gateway pool using the browser-based Configuration utility.

User roles in a redundant system configuration (CR27477)
If you modify the default role for a user on one unit in a redundant system, when you synchronize the configuration, the modified role setting is not copied over to the other unit. In order to have the same user roles specified on both units, you must configure this setting on both units in the redundant system.

Installing the PTF from CD and 3dnsd error messages (CR27501)
When you install the version 4.5 PTF-05 software from a CD, you may see the following error message just before you run the Setup utility:
ERR: An instance of 3dnsd (pid:xxx) is already running! Exiting.

The error message is benign and does not affect the software installation in any way.

SNMP probing with Foundry systems  (CR27667)
If you configure a Foundry system as a host and then use SNMP probing to get virtual server information from the Foundry system, the 3-DNS Controller may report a non-existent virtual server on the Foundry system.

SNMP version 2 with Foundry systems  (CR27758)
The 3-DNS Controller does not currently support using SNMP version 2 probing with Foundry systems.

Copper gigabit NICs and setting media speeds  (CR27772)
If you want to set media speeds, and you have a copper gigabit NIC, you must configure auto-negotiate between the 3-DNS Controller and the connected switches.

Using the Setup utility to configure the media type for an interface  (CR27793)
When you use the Setup utility to configure the media type for an interface, the BIG-IP system does not save this setting when you rerun the Setup utility. You must configure this setting each time you run the Setup utility.

Installing iQuery keys and errors in the install-key script  (CR27799)
The install-key script may display the following error message during the key exchange process:
ERROR: Cannot connect to any of the following selfIP(s) for a server:
This error message is incorrect and does not affect the iQuery key exchange process.

HTTP ECV service checks and file names (CR27823)
When you configure an HTTP ECV service check for a wide IP using the Configuration utility, the Configuration utility incorrectly adds a slash ( / ) to the beginning of the file name. To work around this issue, you can either configure the HTTP ECV service check in the wideip.conf file from the command line, or you can edit the wideip.conf file and remove the slash.

NameSurfer application and PTR records (CR27832)
The NameSurfer application deletes PTR records when you change the time-to-live (TTL) value.

MindTerm SSH console, Java™ Virtual Machine, and the Configuration utility (CR27864)
The Configuration utility may become unresponsive, when all of the following conditions are met:

  • You have Java Virtual Machine enabled on a Windows® workstation

  • You are using the Configuration utility to configure the system

  • You open a MindTerm SSH console session from the navigation pane

  • You return to the Configuration utility without closing the MindTerm SSH console

If you experience this problem, you must use the Windows Task Manager to close the browser session and the SSH session. To avoid this issue, we recommend that you either disable Java Virtual Machine while you are configuring the system, or that you close the MindTerm SSH console session before returning to the Configuration utility.

Hops calculations for Hops load balancing mode (CR27878)
The 3-DNS Controller inaccurately calculates the number of hops for the Hops load balancing mode for inbound load balancing. As a result, all configured links appear to use the same number of router hops for inbound traffic. We recommend that you use one of the other load balancing modes for inbound load balancing. Note that this also affects the data for average router hops on the Internet Weather Map screen, in the Configuration utility.

Running 3-DNS Maintenance menu commands and 3dparse warning messages (CR27910)
If the wideip.conf file contains configuration errors (for example, you have a wide IP pool configured that does not contain any virtual servers), you see 3dparse warning messages on the console when you run one of the following commands in the 3-DNS Maintenance menu: Install and start big3d, Check remote versions of big3d, or Configure SSH communication with remote devices. The warning messages are benign, and do not affect the functionality of the commands.

Network Map and the enabled or disabled status for pool virtual servers (CR27923)
The Network Map does not display the correct enabled or disabled status for virtual servers, in the context of a wide IP pool. To see the correct enabled or disabled status of the virtual servers, view the Disabled Objects statistics screen.

SNMP version and probing (CR27971)
If you have enabled SNMP probing for a host or similar device, and you specify SNMP version 2, the SNMP probing may fail if the host or device is using SNMP version 1. This happens because SNMP version 2 uses 64-bit counters and SNMP version 1 uses 32-bit counters. To avoid this error, ensure that you specify the SNMP version (1 or 2) that corresponds with the SNMP version on the device that is being probed.

Setup utility and VLAN tag configuration  (CR28027)
If you use the Setup utility to configure VLAN tags or add new VLANs with tags and self IPs, and you use the command line utility to modify interfaces after VLAN tags are added, all of the tagged interfaces and associated data (self and shared IPs) are removed from the configuration files. You may need to reconfigure these settings, or use the backup file to restore these settings.

D35 system with system halt command  (CR28079)
If you use the system halt command on a D35 system and then press the Enter key to reboot the system, the system reboots, but it enters into a netboot cycle. If you have this issue, we recommend that you power cycle the system, or push the reset button.

Probing from the BIG-IP system  (CR28099)
When a BIG-IP system is the only F5 system in a data center, and you disable all factories in the BIG-IP definition, the BIG-IP system continues to probe the router in its data center. To avoid this issue, you can create a prober access control list (ACL) and add the router to the ACL.

Creating user-defined regions using the Configuration utility (CR28101)
In the Configuration utility, when you create a user-defined region for Topology load balancing, you get a syntax error if you add more than 39 entries to the custom region. To avoid this error if you are creating a large user-defined region (with more than 39 entries), we recommend that you create the custom region from the command line, by editing the wideip.conf file.

Reconfiguring a standalone system as a unit in a redundant system (CR28116)
If you have a standalone system that you later decide to reconfigure as a unit in a redundant system, the system may experience failures when you reconfigure the networking and IP addresses.

ECV check and SNMP traps  (CR28210)
If you configure an ECV check and enable SNMP traps on a BIG-IP system with a 3-DNS module, and the ECV check fails, SNMP trap messages for ECV failures are logged in the 3-DNS log file, but not in the BIG-IP log file. The system logs trap messages for the failure of the associated virtual servers and wide IPs correctly.

Viewing toolbars in the Configuration utility and resizing the screen (CR28330)
If you resize the browser window when viewing the Configuration utility, you may not be able to see the entire toolbar on some of the screens. We recommend that, to avoid this problem, you maximize the browser window, and use a screen resolution of at least 1024 X 768.

Disabling the default data center (CR28348)
In the Configuration utility, you cannot disable the data center, Default. This data center is automatically created by the controller when you are running the 3-DNS Controller module on a BIG-IP system. We recommend that you create a new data center and move the servers from the data center, Default, to the newly-created data center. To do this, see the workaround Moving objects from the Default data center to a newly-created data center following this section of the release note.

Replacing 3-DNS systems and resetting the SSH key (CR28408)
Installing a replacement unit into your network breaks the trust relationship between the 3-DNS Controller and any devices with which it interacts. As a result, synchronization between the systems in the sync group stops, and you cannot update the big3d agent. You can correct this situation by removing the newer SSH key (on the replacement unit), and synchronizing the updated 3-DNS Controller with other 3-DNS Controllers or BIG-IP systems. Refer to the Resetting the SSH key work-around to reset the SSH key and synchronize the systems in your network. Note that you must reset the SSH key before you run the Configure SSH communication with remote devices command, on the 3-DNS Maintenance menu.

Modifying a data center configuration and memory errors (CR28459)
You may see a memory error in the Configuration utility, when all of the following conditions are met:

  • You have more than one data center configured.

  • You try to modify the configuration of the first data center listed on the Data Centers List screen.

If you need to modify the configuration of the first listed data center, we recommend that you do so by editing the wideip.conf file, from the command line.

The named -xfer command and transferring zone files (CR28497)
If you use the named -xfer command to transfer zone files from the command line, the command incorrectly translates the ORIGIN address as the CNAME address.

Displaying data centers with 1000 or more defined servers (CR28529)
If you have 1000 or more servers defined for a data center, the 3-DNS Controller Configuration utility may display an error when it displays the defined servers. Disregard this error, as the screen eventually displays all of the defined servers correctly.

bigpipe commands that contain invalid trailing arguments  (CR28581)
If you type a bigpipe command that contains an invalid trailing argument, the bigpipe utility produces a syntax error, but may run the command anyway. In this situation, the command should fail.

Rerunning the Configure DNS option in the Setup utility and overwriting an existing named.conf file  (CR28614)
In the Setup utility (setup), when you rerun the Configure DNS (D) option, you overwrite the existing named.conf file with an empty named.conf file. To avoid this issue, before you rerun the Configure DNS (D) option in the Setup utility, we recommend that you create a backup copy of the named.conf file. Once you have rerun the Configure DNS (D) option, you can copy the contents of the backup copy of the named.conf file into the new named.conf file.

The NameSurfer log file does not get rotated by the system  (CR28615)
The NameSurfer™ application log file, /var/log/namesurfer.log, does not get rotated. This can result in the log file becoming large. If you find that the NameSurfer log file has become too large, you can remove the file from the system, and then run the bigstart restart namesurfer command.

Using the virtual server dependencies option and disabled virtual servers  (CR28636)
When you intentionally disable a virtual server in one pool, and you have configured a dependency on that virtual server for a virtual server in another pool, the 3-DNS Controller may still use the disabled virtual server as a response to a request for virtual servers in the second pool.

Setting the length of time to disable a pool  (CR28901)
In the Configuration utility, when you disable a pool, you can specify an unrealistic time for the Length of time to disable setting. The Configuration utility does not enforce an upper limit for this setting. We recommend that you use caution when you specify a length of time to disable a pool.

Disabling the auto-discovery process and self IP addresses for servers  (CR29599)
When you have disabled, or turned off, the auto-discovery process for a particular server, the auto-discovery process ignores the setting and updates the server's configuration with new self IP addresses. To avoid this misconfiguration, we recommend that you disable the global setting for the auto-discovery process by setting the autoconf option to no in the globals statement in the wideip.conf file.

Using the Sun® Java® client and working with Topology (CR29626)
If you have the Sun Java client (version 1.4.x) installed on your workstation, and you are using the browser-based Configuration utility to modify the topology statement, you cannot delete topology records. To work around this issue, we recommend that you modify the topology statement from the command line.

The auto-discovery process and obsolete self IP addresses  (CR29638)
If you have enabled the auto-discovery process, and you have changed the router configuration for a BIG-IP system, the auto-discovery process does not delete any self IP addresses that are made obsolete from the router update. The auto-discovery process does correctly add any new self IP addresses that are in the new router's network. Note that this issue occurs only when you have set the Discovery option to ON.

Error message in Configuration utility and valid range for VLAN tags  (CR29793)
The allowable values for VLAN tags are 1 through 4094. However, if you inadvertently specify a value that is outside of the allowable range, you see the following error message:
Error 335953 -- You have entered an invalid VLAN tag value. VLAN tags must be between 1 and 4096.
The error message incorrectly specifies a range of 1 through 4096, rather than 1 through 4094.

Enabling host virtual servers from the pool screen and errors in the Configuration utility  (CR29931)
If you disable a host virtual server from the Modify Virtual Servers screen, and then try to enable that virtual server from the Modify Pool Virtual Servers screen, the Configuration utility experiences internal errors. To avoid this issue, we recommend that you disable and enable host virtual servers from the Modify Virtual Servers screen only.

Wide IP port numbers replaced by service names and configuration errors  (CR29967)
In the Configuration utility, the 3-DNS Controller is automatically replacing wide IP port numbers with service names. If you subsequently modify any settings for the wide IP, you see an invalid port error message when you click Update. To work around this issue, when you modify the wide IP, change the wide IP port setting back to the port number before you click Update.

Reporting state for a proxy on a BIG-IP system  (CR30139)
When you have a proxy configured on a BIG-IP system, and the proxy is configured with a target server (rather than a target virtual server), the 3-DNS Controller reports the monitoring state of the proxy as unknown (a blue ball in the Configuration utility statistics screens).

Incorrect README.bind-config-sample file  (CR30228)
The /config/3dns/namedb/README.bind-config-sample file incorrectly states:
    # In /etc/namedb.samp/ you will find the following startup files for BIND:
    127.0.0.zone
    db.wip.f5.com
    localhost.zone
    named.conf
    root.hint
This README file should read:
    # In /config/3dns/namedb you will find the following startup files for BIND:
    127.0.0.1.zone
    db.wip.f5.com
    localhost.rev
    named.root
    root.hint

Updating the big3d agent and BIG-IP version 3.1 systems  (CR30242)
Updating the big3d agent fails if you have BIG-IP systems that meet both of the following conditions:

  • The BIG-IP system is running version 3.1 software.

  • You have never updated the big3d agent on the system.

You can avoid this issue by stopping the big3d agent on the BIG-IP system before you perform the update. To stop the big3d agent, see the Stopping the big3d agent on a BIG-IP system, version 3.1 workaround following the Known issues section.

Inaccurate log message for host virtual server status  (CR30235)
When a host virtual server is marked down (red), the 3-DNS Controller sends a log message that says no nodes up. Instead, the log message should indicate that the virtual server is down.

Default routes and specifying a router for path probing  (CR30310)
When you have not configured a default route, but you specify a router for path probing, the big3d agent ignores the specified route and issues an error message because the agent cannot find a default route. To work around this issue, we recommend that you configure a default route.

Encrypted status messages for virtual servers and the big3d agent  (CR30445)
The big3d agent generates corrupted iQuery messages for the encrypted status messages for virtual servers, if the iQuery message does not end on an 8-byte boundary. Note that this happens when you have an odd number of virtual servers configured for a BIG-IP system or host.

Viewing data on the BIG-IP Statistics screen  (CR30464)
Occasionally, in the Configuration utility, the BIG-IP Statistics screen displays the BIG-IP data incorrectly.

Updating the big3d agent and BIG-IP versions 4.5PTF-04 through 4.5PTF-08 (CR31624)
After you install the 3-DNS software upgrade and update the big3d agents, whenever you reboot the BIG-IP system, the big3d agent does not automatically restart on BIG-IP systems running software versions 4.5PTF-04 through 4.5PTF-08. If you experience this issue, you can restart the big3d agent with this command: bigstart startup big3d. To avoid this issue, we recommend that you do not update the big3d agent on BIG-IP systems running software versions 4.5PTF-04 through 4.5PTF-08.

Round trip time and hops no longer work together, nor do UDP and ICMP (CR42529)
The round trip time (RTT) and latency (Hops) Quality of Service (QOS) coefficients no longer work together for QOS probing. If RTT and Hops are configured at the same time, the 3-DNS Controller uses RTT.

For local DNS (LDNS) probing, the 3-DNS Controller does not support using both UDP and ICMP. If you select UDP and ICMP, the 3-DNS Controller removes UDP from the list, and uses ICMP.

Changes in US and Canada Daylight Saving Time (CR58321)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.

Cisco CSS series (formerly ArrowPoint) servers and metrics collection
The 3-DNS Controller cannot collect the packets per second and the kilobytes per second metrics on Cisco CSS series (formerly ArrowPoint) software versions prior to 4.0.

3-DNS Controllers and CD upgrades
When you rebuild a 3-DNS Controller (or a BIG-IP system) using a CD, the SSH key changes. This breaks the trust relationship between the updated 3-DNS Controller and any devices with which it interacts. As a result, synchronization between the systems in the sync group stops, and you cannot update the big3d agent. You can correct this situation by removing the newer SSH key and synchronizing the updated 3-DNS Controller with other 3-DNS Controllers or BIG-IP systems. Refer to the Resetting the SSH key work-around to reset the SSH key and synchronize the systems in your network.

Solstice SNMP agent and metrics collection
The Solstice SNMP agent, which runs on some Sun systems, delays the updating of some metrics for longer than 30 seconds. As a result, in the 3-DNS SNMP Statistics screen the packet rates and kilobytes per second rates can fluctuate from a zero value to a real value. If you are polling Sun Solaris servers in your network, you may want to set the SNMP polling time on the 3-DNS Controller to an interval greater than 60 seconds.


Work-arounds for known issues

The following sections describe work-arounds for some of the known issues listed in the previous section.

Configuring bridge mode (CR18873)

If you want to configure the 3-DNS Controller to run in bridge mode, you need to do so using a local connection to the 3-DNS Controller. First, you create a VLAN group that includes both the internal and external VLANs. Next, you delete the self IP address for the 3-DNS Controller, and re-assign the IP address to the newly-created VLAN group. Finally, you save the configuration. The following instructions detail how to configure bridge mode.

To configure bridge mode

  1. Open the Setup utility by typing setup from the command line.

  2. Type D, and press Enter, to configure the 3-DNS mode.

  3. Using the arrow keys, choose Bridge, and press Enter.

  4. Type Q to close the Setup utility.

  5. To create a VLAN group, type the following command:
    b vlangroup <vlan group name> vlans add <vlan 1> <vlan 2>

    where <vlan 1> and <vlan 2> are the names of the two networks you want to link with bridge mode.

  6. To delete the self IP address of the 3-DNS interface, type the following command:
    b self <ip address> delete

    where <ip address> is the IP address that you want to assign to the newly-created VLAN group.

  7. To assign the self IP address that you deleted in the previous step to the VLAN group, type the following command:
    b self <ip address> vlan <group name> netmask <netmask>

  8. To save the changes you just made, type the following command:
    b save

  9. Last, to save the entire base network configuration, type the following command:
    b base save

The 3-DNS Controller saves the changes and you can now use the 3-DNS Controller in bridge mode.


Moving objects from the Default data center to a newly-created data center (CR23028, CR28348)

The following instructions describe how to move objects from the default data center to a data center that you create.

To move objects from the data center, Default, to a newly-created data center

  1. In the navigation pane, click Data Centers. The Data Centers screen opens.

  2. On the toolbar, click Add Data Center.
    The Add New Data Center screen opens.

  3. Add the settings for your new data center, and click Add.
    The new data center is added to the configuration, and the Data Centers screen opens.

  4. On the Data Centers screen, click the Remove button for the Default data center.
    A popup screen opens, where you can select the new data center for any objects that are currently in the Default data center.

  5. In the Data Center column, select the data center that you just created, and click Update. Note that you must do this for each of the listed objects.
    The Data Centers screen opens, and the Default data center is no longer listed.


Removing a controller from a sync group (CR26784)

If you are upgrading the software on 3-DNS Controllers that are in a sync group, you must remove the controllers from the sync group before you apply the software. This is because the synchronization process cannot synchronize controllers that are running different software versions, including different PTF versions.

Note: You can re-create the sync group once you have upgraded the software for all of the controllers that belong to the sync group.

To remove a controller from a sync group using the Configuration utility

  1. In the navigation pane, click 3-DNS Sync.
    The Synchronization screen opens.

  2. In the Remove column, next to the controller that you want to remove from the sync group, click the Remove button.
    A popup screen opens to confirm the removal of the controller.

  3. Click OK.
    The screen refreshes, and the controller is no longer listed as a member of the sync group.

  4. Repeat these tasks for any additional sync group members that you want to remove from the sync group.

Alternately, you can remove the entire sync group, instead of removing the controllers one at a time.

To remove a sync group using the Configuration utility

  1. In the navigation pane, click 3-DNS Sync.
    The Synchronization screen opens.

  2. On the toolbar, click Remove this Group.
    A popup screen opens to confirm the removal of the sync group.

  3. Click OK.
    The screen refreshes, and the Add a New Sync Group screen opens, where you can re-create your sync group once you have upgraded the software on all of the controllers that belong to the sync group.


Resetting the SSH key (CR28408)

The following instructions describe how to reset the SSH key for a system that you have upgraded using a CD.

To reset the SSH key for an updated 3-DNS Controller

  1. From the command line of each 3-DNS Controller in the sync group that has not been upgraded, change to the /root/.ssh/ directory.

  2. In the known_hosts file, the authentication_keys file, and the authentication_keys2 file, remove the SSH key for the upgraded system. (The upgraded system's IP address is part of the key name in the file.)

  3. Run the 3dns_add command to update the newly installed 3-DNS Controller in the current sync group configuration:
    3dns_add

    The command imports the upgraded controller's configuration to the controller that has not yet been upgraded, synchronizing the controllers.
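
Step 2 is easy to get wrong by hand, because an address such as 192.0.2.1 is also a prefix of 192.0.2.10. The following is an added example, not part of this release note or of the 3-DNS software: a shell function that removes only the entries for one exact IP address from the three files named in step 2 and keeps a backup of each file it changes. The function names and the sample addresses and keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not F5 code). File names are the ones given in step 2.

# remove_host_keys IP [DIR]
#   Removes every line that mentions exactly IP from the key files in DIR
#   (default /root/.ssh) and prints the number of lines removed.
remove_host_keys() {
    ip=$1
    dir=${2:-/root/.ssh}

    # Accept only a dotted-quad IPv4 address, so that the value can be
    # placed inside a regular expression safely.
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "not an IPv4 address: $ip" >&2
        return 2
    }

    # Match the address only when it is not part of a longer address:
    # the characters on either side must not be a digit or a dot.
    re="(^|[^0-9.])$(printf '%s' "$ip" | sed 's/\./[.]/g')([^0-9.]|\$)"

    removed=0
    for name in known_hosts authentication_keys authentication_keys2; do
        file=$dir/$name
        [ -f "$file" ] || continue
        # Count matching lines; leave the file untouched if there are none.
        hits=$(grep -Ec "$re" "$file") || continue
        cp -p "$file" "$file.bak" || return 1
        # Rewrite the live file in place from the backup, so the file keeps
        # its owner and permissions.
        awk -v re="$re" '$0 !~ re' "$file.bak" > "$file" || return 1
        removed=$((removed + hits))
    done
    echo "$removed"
}

# Demonstration on constructed data in a throwaway directory.
# Run as: sh thisfile demo
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '192.0.2.1 ssh-rsa AAAAB3constructedkeyA' \
                  '192.0.2.10 ssh-rsa AAAAB3constructedkeyB' > "$tmp/known_hosts"
    printf '%s\n' 'ssh-rsa AAAAB3constructedkeyA root@192.0.2.1' \
        > "$tmp/authentication_keys"
    echo "removed: $(remove_host_keys 192.0.2.1 "$tmp")"
    cat "$tmp/known_hosts"    # only the 192.0.2.10 entry remains
    rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Review the .bak copies before deleting them; they still contain the old key for the upgraded system.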


Stopping the big3d agent on a BIG-IP system, version 3.1 (CR30242)

Before you can update the original big3d agent for a BIG-IP system, version 3.1, to the current version, you must stop all instances of the agent. Note that you can do this from the command line only.

To stop the big3d agent on the BIG-IP system

  1. At the command prompt, type the following, and then press Enter:
    ps -ax | grep big3d
    The system generates a list of all big3d instances, with process IDs (PID).

  2. Type the following command:
    kill -9 [pid]
    where [pid] is the process ID in the list you generated in step 1.

    Note:  Repeat this step until you have stopped all instances of the big3d agent.

  3. Once you have stopped the big3d agent, you can then update the big3d agent to the current version, as described in the Updating the big3d agent section of this PTF note.

Turning off the auto-discovery process for a BIG-IP system (CR27252)

You can turn off auto-discovery for a BIG-IP system using the following process. We recommend that you do not use auto-discovery when you are managing a non-routable address space with the BIG-IP system.

To turn off auto-discovery for a BIG-IP system

  1. In the navigation pane, expand the Servers item, and then click BIG-IP.
    The BIG-IP List screen opens.

  2. In the BIG-IP name column, click the name of the BIG-IP system that you want to modify.
    The Modify BIG-IP screen opens.

  3. In the Discovery box, select OFF.

  4. Click Update.
    The Configuration utility updates the configuration with the changes.