F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP 11.5.7 New and Installation
Release Notes : BIG-IP 11.5.7 New and Installation

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 11.5.7

BIG-IP APM

  • 11.5.7

BIG-IP GTM

  • 11.5.7

BIG-IP Link Controller

  • 11.5.7

BIG-IP Analytics

  • 11.5.7

BIG-IP LTM

  • 11.5.7

BIG-IP AFM

  • 11.5.7

BIG-IP PEM

  • 11.5.7

BIG-IP ASM

  • 11.5.7
Release Notes
Original Publication Date: 01/30/2019 Updated Date: 04/18/2019

Summary:

These release notes document the BIG-IP version 11.5.7 release. You can apply the software upgrade to systems running software versions 10.1.0 (or later).

BIG-IP Virtual Edition (VE) is a version of the BIG-IP system that runs as a virtual machine. Supported modules include Local Traffic Manager, Global Traffic Manager, Application Security Manager, Access Policy Manager, Application Acceleration Manager, Policy Enforcement Manager, Application Firewall Manager, and Analytics. BIG-IP VE includes all features of device-based BIG-IP modules running on standard BIG-IP TMOS, except as noted in release notes and product documentation.

Note: The BIG-IP VE product license determines the maximum allowed throughput rate. To view this rate limit, you can display the licensing page within the BIG-IP Configuration utility.

Contents:

Platform support

For comprehensive information about supported platforms, see:

Module combination and memory considerations

BIG-IP platform considerations

These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.

Most of the support guidelines relate to memory. The following list applies for all memory levels:

  • vCMP supported platforms
    • VIPRION B2100, B2150, B2250, B4200
    • VIPRION B4300 blade in the C4480(J102) and C4800(S100)
    • VIPRION B4450 blade in the C4480(J102) and C4800(S100)
    • BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v
    • BIG-IP i5800, i7800, i10800, i11800, i15800
  • PEM and CGNAT supported platforms
    • VIPRION B2100, B2150, B2250, B4300, B4340N, B4450N
    • BIG-IP 5x00v(s), 7x00v(s), 10x00v(s)
    • PEM for BIG-IP iSeries: i5800, i7800, i10800, i11800, i15800
    • CGNAT for BIG-IP iSeries: i2x00, i4x00, i5x00,i7x00,i10x00,i11x00,i15x00
    • BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition) (3 GB, 10 GB production and combination lab models)
    • PEM and CGNAT may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300/B4340N or another blade instead.
    • PEM is not supported on vCMP guests.
    • PEM is not supported on 8 GB platforms.
  • BIG-IP 800 and i850 platform support
    • The BIG-IP 800 and i850 platforms support Local Traffic Manager (LTM) only, and no other modules.

Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 6900 platforms and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

  • No more than three modules should be provisioned together.
  • On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
  • To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
  • Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less (VE and vCMP only)

The following guidelines apply to VE and vCMP guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM should not be provisioned, except as Dedicated

VIPRION and vCMP caching and deduplication requirements

Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.

  • AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
  • AAM supports disk-based caching functionality on VIPRION chassis or blades.
  • AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

For certain platforms, the vCMP host can allocate a single core to a vCMP guest. However, because a single-core guest has relatively small amounts of CPU resources and allocated memory, F5 supports only the following products or product combinations for a single-core guest:
  • BIG-IP LTM standalone only
  • BIG-IP GTM standalone only
  • BIG-IP LTM and GTM combination only

 

VE considerations

This version of the software is supported in the following configurations. For a list of VE hypervisor support, see the Virtual Edition and Supported Hypervisors Matrix.

Memory: 12 GB or more

All licensable module-combinations may be run on BIG-IP Virtual Edition (VE) guests provisioned with 12 GB or more of memory.

Memory: 8 GB

The following guidelines apply to VE guests configured with 8 GB of memory.

  • No more than three modules should be provisioned together.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to VE guests provisioned with less than 8 GB and more than 4 GB of memory.

  • No more than three modules (not including AAM) should be provisioned together.
  • Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.

Memory: 4 GB or less

The following guidelines apply to VE guests provisioned with 4 GB or less of memory.

  • No more than two modules may be configured together.
  • AAM should not be provisioned, except as Dedicated.
  • ASM should not be provisioned, except as Dedicated

Configuration utility browser support

The BIG-IP Configuration Utility supports these browsers and versions:

  • Microsoft Internet Explorer 11.x
  • Mozilla Firefox v40, or later
  • Google Chrome v44, or later

Compatibility of BIG-IQ products with BIG-IP releases

K14592: Compatibility of BIG-IQ products with BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.

Fixes, behavior changes, and known issues

For a comprehensive list of fixes, behavior changes, and known issues, see:

New in 11.5.7

There are no new features in this release.

Installation overview

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

Installation checklist

Before you begin:

  • Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating BIG-IP diagnostic data using the qkview utility.
  • Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see K7727: License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
  • Ensure that your system is running version 11.x or later.
  • Download the .iso file from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Check all DNSSEC Key generation's 'expiration' and 'rollover' date:time fields before performing a GTM sync group upgrade. If any of the DNSSEC Key generations are set to rollover or expire during the planned upgrade window, modify the date:time of the 'expiration' and/or 'rollover' fields to extend past the anticipated upgrade window, to a date:time when all units in the sync group will again have GTM config sync enabled.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running Application Acceleration Manager, set provisioning to Minimum.
  • If you are running Policy Enforcement Manager, set provisioning to Nominal.
  • If you are running Advanced Firewall Manager, set provisioning to Nominal.

Installing the software

You can install the software at the command line using the Traffic Management shell, tmsh, or in the browser-based Configuration utility using the Software Management screens, available in the System menu. Choose the installation method that best suits your environment.
Installation method Command
Install to existing volume, migrate source configuration to destination tmsh install sys software image [image name] volume [volume name]
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Sample installation command

The following command installs version 13.0.0 to volume 3 of the main hard drive.

tmsh install sys software image BIGIP-13.0.0.0.0.1645.iso volume HD1.3

Post-installation tasks

This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating diagnostic data using the qkview utility.
  3. Log on to the browser-based Configuration utility.
  4. Run the Setup utility.
  5. Provision the modules.
Note: You can find information about running the Setup utility and provisioning the modules in BIG-IP TMOS implementations Creating an Active-Standby Configuration Using the Setup Utility and Creating an Active-Active Configuration Using the Setup Utility.

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running.

Upgrading from version 11.x or later

When you upgrade from version 11.x or later, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 11.x

You cannot roll forward a configuration directly to this version from BIG-IP version 10.x or earlier. You must be running version 11.x (or later) software. For details about upgrading from earlier versions, see the release notes for the associated release.

Upgrading to 4th element versions from versions earlier than 11.5.0

You cannot directly update from pre-11.5.0 versions (e.g., v11.4.x, v11.2.x, etc.) to any 4th element version (e.g., v12.1.3.1, v13.1.0.1, etc.). Direct upgrade to 4th element versions is supported only from v11.5.0 and later. For pre-11.5.0 versions, you must first upgrade to v11.5.0 or later. The recommended upgrade path is from v11.4.1 to v12.1.3, and then to v12.1.3.1. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Upgrading earlier configurations

When you upgrade from an earlier versions of the software, you might need to know about or take care of these configuration-specific issues.

ID Number Description
223704 Import SCF that contain VLANs of the same name in different administrative partitions, operation fails with unknown operation error. Upgrading configurations with VLANs of the same name in different administrative partitions. Upgrade operation fails with a unknown operation error. When you import a single configuration file (SCF file) that contain VLANs of the same name that exist in different administrative partitions, the operation fails with a unknown operation error. Workaround: Before installing an SCF file, run the command: tmsh load sys config default. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.
366172 Pre-v11.x configuration fails to load after upgrade. pre-v11.x configuration that was created with the bigpipe cli ip addr option set to name. Configuration load failure. A pre-v11.x configuration that was created with the bigpipe cli ip addr option set to name may cause configuration load failure on upgrade due to resolved names saved to the bigp.conf file rather than IP addresses. Workaround: The workaround is to change the cli setting to 'cli ip addr number', save the config on the pre-v11.x unit, and then run the upgrade.
378430 Upgrade to version 11.x fails with tmsh load failed error message "-- Upgrading to version 11.x. -- WAM policy containing no nodes." Upgrade to version 11.x fails. "When upgrading to version 11.x, with a WAM policy containing no nodes, the upgrade fails with the following error message: Tmsh load failed: 01071419:3: Published policy (/Common/empty_policy) must have at least one node. Unexpected Error: Loading configuration process failed." Workaround: "There are two options for working around this problem: 1. Before upgrading, add a new node to the empty policy with the default settings. Publish the policy and then upgrade. 2. Before upgrading, remove the empty policy from any applications and delete the policy. You may create a copy of the policy before deleting, as long as you do not publish the copied policy. Proceed to upgrade."
394873 Upgrade process does not update Tcl scripts Upgrading Tcl scripts (such as iRules). This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax. The upgrade process does not update Tcl scripts (such as iRules) in the configuration. Workaround: None.
398067 Mismatch failover unicast and management IP causes error when upgrading to 11.3.0 and later A system can exhibit an error if the management port IP address has been changed between the time the configuration was saved and the time the upgrade was executed. This occurs because releases preceding and including 11.3.0 do not automatically modify the unicast failover IP when the management IP address is changed, or vice versa. If the management port is being used for failover and has been modified since failover was configured, the mismatch causes an error when loading the configuration after upgrade to versions 11.3.0 and later. This is an example error: 0107146f:3: Self-device unicast source address cannot reference the non-existent Self IP (a failover IP); Create it in the /Common folder first. As of version 11.0.0, upgrade performs a check to ensure a failover unicast address actually exists. In configurations using the management port for failover, the management IP and unicast failover IP must be identical for failover to function properly. Workaround: The IP addresses must be identical before upgrading, so before upgrading, ensure that the management IP and unicast failover IP are identical.
401828 Invalid configurations for a SIP virtual server TCP virtual server with a UDP profile and a SIP profile, or a UDP virtual server with a TCP profile and a SIP profile. If such a configuration exists in previous versions, it loads in 11.3.x but may cause a core. The following configurations are invalid for a SIP virtual server: a) TCP virtual server with a UDP profile and a SIP profile. b) UDP virtual server with a TCP profile and a SIP profile. Workaround: "Fix the configuration manually, as follows: a) A SIP TCP virtual server must have TCP as one of its profile type. b) A SIP UDP virtual server must have UDP as one of its profile type."
435482 UCS containing filenames with spaces cannot be rolled forward from pre-11.4.0 to 11.4.0 or later. "This issue occurs when one of the following conditions is met: You attempt to upgrade a BIG-IP system from 11.3.0, or an earlier version, with a configuration that has configuration object names with spaces. You attempt to load a BIG-IP 11.3.0 or earlier UCS file, that has configuration object names with spaces, on BIG-IP 11.4.0 or a later version." The BIG-IP system upgrade or UCS load fails. "BIG-IP configuration object names that include a space may cause an upgrade or user configuration set (UCS) load to fail. As a result of this issue, you may encounter the following symptoms: Your attempts to upgrade the BIG-IP system or load a UCS fail. After loading a UCS file or upgrading from a configuration that has object names with spaces on BIG-IP 11.4.0 or a later version, the Configuration utility displays an error message similar to the following example: The configuration has not yet loaded. If this message persists, it may indicate a configuration problem. After loading a UCS file that has configuration object names that include spaces on BIG-IP 11.4.0 or a later version, a message appears similar to following example: Unexpected Error: Configuration cannot be saved unless mcpd is in the running phase. Save was canceled. See 'show sys mcp' and 'show sys service'. If 'show sys service' indicates that mcpd is in the run state, but 'show sys mcp' is not in phase running, issue the command 'load sys config' to further diagnose the problem." Workaround: "To work around this issue, you can boot back to the previous BIG-IP 11.3.0 or earlier version and rename all affected configuration objects to exclude spaces before upgrading or saving a UCS file. Impact of workaround: Performing the suggested workaround should not have a negative impact on your system."
436212 Upgrades may fail if the base configuration does not use the 'auto' media-sfp setting for SFP ports "The system being upgraded needs to have a copper SFP module installed in order to encounter this issue. There are two ways to arrive at this state: when upgrading and at runtime. This runtime error and its workaround is covered in SOL14556, available at http://support.f5.com/kb/en-us/solutions/public/14000/500/sol14556.html. When applying a UCS from a previous version of TMOS, this condition can also be triggered." The upgrade fails after booting into TMOS for the first time. "If a copper SFP module is installed and a configuration is loaded which sets that module's speed and duplex, this configuration might fail to load. The /var/log/ltm file shows an error similar to the following and the config fails to load. 01070318:3: The requested media for interface 1.1 is invalid." Workaround: "To work around this issue, edit /config/bigip_base.conf so that the lines specifying the 'media-sfp' setting are set to 'auto', similar to the following example. Once all interfaces using a non-auto setting are changed, the configuration should load. net interface 1.1 { media-sfp auto }"
449402 Pre-11.5.0 to 11.5.0 upgrades might fail to properly set ha-group reference in traffic-groups This affects users of ha-groups who upgrade from pre-11.5.0 to 11.5.0. Upgrading from 10.x works correctly. The problem occurs because of the 11.5.0 ha-group functionality in which failover settings are configured per traffic-group. Previously, ha-group failover settings were configured per device. The ha-group failover method might no longer function. Upgrades from pre-11.5.0 to 11.5.0 might fail to properly set the ha-group failover references in traffic-groups. Workaround: None. To correct this issue when upgrading from pre-11.5.0 to 11.5.0, manually associate ha-group failover settings directly with traffic-groups.
450050 respondclass profile presence in BIG-IP configurations causes upgrade failures "- Upgrading from 10.x to 11.x/12.x. - respondclass configuration directives exist in /config/bigip.conf, for example: profile respondclass XXXX { ... }" Configuration fails to load. "Following upgrade from 10.x to 11.x/12.x, the config file fails to load. An error similar to the following is logged: load_config_files: '/usr/libexec/bigpipe load' - failed. -- BIGpipe parsing error (/config/bigpipe/bigip.conf Line xxxx): 012e0020:3: The requested item (respondasm {) is invalid (<profile arg> | show | list | edit | delete | stats reset) for 'profile'." Workaround: It is safe in version 11.0.0 and later to manually delete the block: profile respondclass XXXX {.
488417 Config load failure with 'Input error: can't create user' after upgrade "This occurs when upgrading or rebooting a system on which the root admin account is disabled and replaced with a custom admin user account. This occurs on single-NIC virtual deployments in version 12.0.0, when a system on which the root admin account is disabled and replaced with a custom admin user account is rebooted. To verify single-NIC is enabled: tmsh list sys db provision.1nic. To verify a custom administrator has been defined: tmsh list sys db systemauth.primaryadminuser." "You cannot upgrade if the root admin account is disabled. On single-NIC virtual deployment configurations in version 12.0.0, the system fails to load the configuration after a reboot." "Unable to load config after upgrade or reboot if the admin account is disabled and replaced with a custom user. The system posts the message: 01070829:5: Input error: can't create user, role partition mapping, user does not exist, username, Unexpected Error: Loading configuration process failed. On single-NIC virtual deployments, if the admin account is disabled and replaced with a custom user, the system will experience this issue any time the system is rebooted. Logs similar to the following may appear in /var/log/ltm: notice sod[6214]: 010c005e:5: Waiting for mcpd to reach phase base, current phase is platform. notice mcpd[4672]: 01070829:5: Input error: can't create user, role partition mapping, user does not exist, security err tmsh[7444]: 01420006:3: Loading configuration process failed. emerg load_config_files: ""/usr/bin/tmsh -n -g load sys config partitions all base"" - failed. -- 01070829:5: Input error: can't create user, role partition mapping, user does not exist, security Unexpected Error: Loading configuration process failed. err mcpd[4672]: 01070422:3: Base configuration load failed." Workaround: "There is no workaround for this issue. To resolve this issue, you can reboot the BIG-IP system back to the previous working boot location that has the admin user disabled. For single-NIC virtual deployments, you can re-enable the default admin user account. To do so, perform one of the following procedures: Impact of workaround: Since the BIG-IP System is already in the inoperative state, performing the following procedure should not have a negative impact on your system. Rebooting the BIG-IP system back to the previous working boot location: Log in to the Traffic Management shell (tmsh) by typing the following command: tmsh To reboot the BIG-IP system to the desired boot location, type the following command syntax: reboot volume <boot_location> Re-enabling the default admin user account on BIG-IP system (for single-NIC virtual deployments): Azure BIG-IP Virtual Edition (VE): Log in to tmshby typing the following command: tmsh Re-enable the default admin user account by typing the following command: modify /sys db systemauth.primaryadminuser value admin Re-load BIG-IP configuration by typing the following command: load /sys config Amazon Web Services BIG-IP VE: Log in to tmshby typing the following command: tmsh Re-enable the default admin user account by typing the following command: modify /sys db systemauth.primaryadminuser value admin Update the password for the default admin user by typing the following command syntax: modify /auth user admin password <password> Re-load BIG-IP configuration by typing the following command: load /sys config"
490139 Loading iRules from file deletes last few comment lines This occurs when loading an iRule file from versions prior to 11.5.1. Although the comments are removed, this does not affect iRule functionality. Loading iRules from the iRules file deletes last few comment lines immediately preceding the closing bracket. Workaround: Put comments in places other than immediately above the closing bracket.
496663 iRule object in non-Common partition referenced from another partition breaks upgrade/config load This occurs when upgrading/loading a configuration containing an iRule in one non-Common partition that references an object in another non-Common partition. A configuration of this type can be saved only using pre-11.x versions of the software. The config upgrade fails, and the UCS/configuration files cannot be loaded. The system posts an error message similar to the following: 'myucs.ucs' failed with the following error message: 'Rule [/UNCOMMONPARTITION/RULEABC] error: Unable to find rule_object (...) referenced at line xyz: [element]'. iRule object in non-Common partition referenced from another partition results in upgrade/configuration load failure in 11.x/12.x. Workaround: None.
499694 LTM v10.2.x to v11.x upgrade misses partition name on node specific monitor Upgrade from v10.2.x to v11.x. "For nodes that have a specific monitor of ""none"", if the node is forced down and then re-enabled via tmsh or the node list in the GUI, the node will be marked down by the monitor. If the node is re-enabled from the node properties page in the GUI, this issue does not occur. For other monitor types or pool and pool member monitors, the issue is cosmetic." "When upgrading from v10.2.x to v11.x, the node monitor name does not acquire full path or partition information. Similarly, creating a node with a monitor via TMSH, the node monitor name does not show partition information; however, configuring a node via GUI does add partition information. If a node with a specific none monitor is later forced down and then re-enabled, the node will remain in a marked down by monitor state." Workaround: Load sys config base, then load sys config. Then in both the GUI and TMSH add partition info to the node monitor.
507109 inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade "This issue occurs when all of the following conditions are met: -- You create a Client SSL profile that does not inherit the certificate, key, and chain certificate settings from the parent profile. -- You upgrade to BIG-IP 11.5.1 (HF6 or later), 11.5.2, 11.5.3, or 11.6.0." An incorrect cert key chain is used in the profile. The inherit-certkeychain attribute of a child Client SSL profile can unexpectedly change after upgrade. Workaround: "Manually edit bigip.conf to contain the correct value. To do so, add the following line into child client ssl profile: inherit-certkeychain false Run the command: tmsh load sys config"
513239 Upgrade can fail to load config due to unsupported SSL profile cache-size attribute value SSL profile exists with cache-size greater than 262144 (if upgrading to version 11.0.0 though version 11.4.1) or greater than 4194304 (if upgrading to version 11.5.0 through 12.0.0). Upgrade from version 10.x to version 11.x fails. The system posts an version-specific error: -- If upgrading to version 11.0.0 through version 11.4.1: 01071313:3: The requested cache size value (4294967295) is out of range for client SSL profile (/Common/my_large_cache); should be in range from 0 to 262144. -- If upgrading to version 11.5.0 and later: 01071313:3: The requested cache size value (4294967295) is out of range for client SSL profile (/Common/my_large_cache); should be in range from 0 to 4194304. The configuration might fail to load upon upgrade from 10.x to 11.x if the configured SSL profile cache-size value exceeds the maximum supported value on 11.x. Workaround: Prior to upgrade, change the version 10.x cache-size to a value that is supported on the upgraded version. On versions 11.0.0 through 11.4.1, the supported range is from 0 to 262144; on version 11.5.0 and later, the supported range is from 0 to 4194304.
513501 Upgrading with overlapping DNAT/NAPT LSN pools causes configuration load failure. "On versions prior to 11.5.0, tmsh allowed users to configure overlapping DNAT and NAPT pools, even though this configuration is invalid and non-functional. Version 11.5.0 and later contain validation to prohibit such configurations. However, when upgrading versions newer than 11.5.0, a configuration that contains overlapping DNAT and NAPT pools fails to load." Configuration fails to load on upgrade. When upgrading from a version prior to 11.5.0 to 11.5.0 or newer, the configuration might fail to load with an error similar to the following: LSN pool is configured with a prefix address that overlaps with a prefix address on another LSN pool. Workaround: Edit bigip.conf and locate the overlapping LSN pools. Either remove one of the pools or change the mode on the DNAT pool to NAPT.
514729 10.2.1 system with SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' fails to upgrade to 11.5.1, 11.5.2, 11.5.3, or 11.6.0. "This issue occurs when a 10.2.1 system with an SSL profile specifying ciphers 'DEFAULT:!HIGH:!MEDIUM' is used on a system running version 11.5.1, 11.5.2, 11.5.3, or 11.6.0, either by upgrading, or by manual UCS installation. This is an example of such a profile. profile serverssl serverssl-low_encryption { defaults from serverssl ciphers ""DEFAULT:!HIGH:!MEDIUM"" }" "Upon reboot into version 11.5.1, 11.5.2, 11.5.3, or 11.6.0, or upon load of a UCS from 10.2.1, the configuration fails to load. The operation fails with an error similar to the following. 01070311:3: Ciphers list <list>' for profile <profile name> denies all clients" "SSL ciphers 'DEFAULT:!HIGH:!MEDIUM' is allowed in 10.2.1 but will prevent a config from loading in 11.5.1, 11.5.2, 11.5.3, or 11.6.0. This cipher specification is not relevant for software versions 11.5.1, 11.5.2, 11.5.3, or 11.6.0, because all the DEFAULT ciphers fall within HIGH and MEDIUM ciphers. Turning off HIGH and MEDIUM effectively leaves the system with no ciphers to select from. This is the DEFAULT for 11.5.1. !SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4" Workaround: Search for this cipher 'DEFAULT:!HIGH:!MEDIUM' and modify before upgrading. For information about what value to use, see SOL13156: SSL ciphers used in the default SSL profiles (11.x - 12.x), available here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13156.html.
561539 [Upgrade] GTM pool member ratio setting to 0 is not honored when upgrading from v10.2.4 to v11.5.3. "1. Upgrade from v10.x to v11.x through 12.0.0 2. Have a Wide IP pool member ratio set to 0." Wide IP pool member ratio is changed to 1 (the default) from 0 after upgrading, potentially enabling selection of members that had been "disabled" with a ratio of 0. When upgrading from 10.x to 11.x Wide IP pool member ratio value is changed from 0 to 1. Workaround: Manually change ratio back to 0 after upgrade.
576521 If you have MSSQL proxy feature configured, you will lose it upon upgrading to v12.1.0 or later. This will occur on the upgrade to 12.1.0 or higher if you had the MSSQL proxy configured. MSSQL proxy is no longer supported. MSSQL proxy is removed from BIG-IP product. Workaround:

Issues when upgrading from earlier ASM versions

If you upgrade from an earlier version of ASM, note the following issues.

Upgrade warnings and notes

The Application Security Manager supports .ucs files from versions 10.1.0 and later of the Application Security Manager. Additionally, you may import policies exported from versions 10.1.0 and later of the Application Security Manager.

Warning: With the introduction of the Local Traffic Policies feature in BIG-IP version 11.4.0, HTTP Class iRule events and commands are no longer available. If you plan to upgrade to 11.4.0 or later, and your configuration contains an iRule that uses an HTTP class iRule event or command, please read K14409: The HTTP Class profile is no longer available in BIG-IP 11.4.0 and later.

Warning: Local Traffic Policies do not support regular expressions for matching. While the upgrade process is able to migrate simple glob expressions, manual administrator intervention is required in order to ensure that the policies are properly configured. If you plan to upgrade to 11.4.0 or later, and your configuration contains regular expressions or glob expressions, please read K14409: The HTTP Class profile is no longer available in BIG-IP 11.4.0 and later.

Important: The system creates its internal cookie in versions 10.2.4 and later (including all versions of 11.x) differently than in versions prior to 10.2.4. As a result, while upgrading your system from a version prior to 10.2.4 to version 10.2.4 or later, the system will produce the Modified ASM Cookie violation for existing browser sessions. If the security policy has the Modified ASM Cookie violation enabled and set to block traffic when this violation occurs, after upgrading to version 10.2.4 or later, the system will block traffic to the web application. However, since the TS cookie is a session cookie, the system will block traffic only until the browser session ends (the end-user restarts the browser). To prevent the security policy from blocking traffic until the end-user’s browser is restarted, before upgrading to version 10.2.4 or later, we recommend you disable the security policy from blocking the Modified ASM Cookie violation, upgrade, and wait long enough to allow all users to restart their browsers (two weeks are expected to be enough). After enabling the violation, we recommend you monitor the logs. If the Modified ASM Cookie violation appears, consider disabling the violation again for a longer period of time, or communicate to the users to restart their browsers.

HTTP protocol compliance failed sub-violations

If you upgrade or import a security policy from a version prior to 11.6.0, the system automatically enables the following HTTP protocol compliance-failed sub-violations, even if they were previously disabled:

  • Bad HTTP version
  • Null in request
  • Unparsable request content

You can manually disable these violations after the upgrade or import.

Layer 7

In version 11.4.0, local traffic policies replace HTTP Classes. When you create an ASM security policy, the system automatically creates a default Layer 7 local traffic policy. Note the following changes that occur to your system after upgrading from a version prior to 11.4.0:

  • A Layer 7 local traffic policy is created and the HTTP class is removed. If the HTTP Class name is different than the name of the security policy, upon upgrade, the system changes the name of the security policy to the name of the HTTP Class.
  • Security policies are now in folders (partitioned) like pools and virtual servers. Upon upgrade, the system places security policies in the folder to which the HTTP Class belonged. The system places security policies that were inactive in the /Common folder.
  • iRules that use HTTP Class do not work here. Users must manually change the HTTP Class part of the iRule to Policy after the upgrade.

ASM cookie security

As a result of changes made to the signing of ASM cookies, performing a clean upgrade may result in cookie violations and blocked traffic. To prevent these, F5 recommends that you perform the following actions before upgrading:

  • Disable the modified domain cookie violation, and re-enable it only after at least 24 hours have passed.
  • If you do not have a wildcard cookie, before the upgrade add an ASM allowed cookie to the security policy, with the name TS*.
  • Have all clients restart their browsers.

After upgrading, users must synchronize their Cookie Protection settings in the following cases:

  • Systems that share traffic but are NOT in the same device group
  • Systems from different versions that share traffic, even if they are in the same device group

Cookie signature validation

After upgrading, the system performs the following:

  • Turns on staging for all Allowed cookies
  • Applies signature checks on existing Allowed cookies
  • Adds a * wildcard Allowed cookie even if the user did not have on previously Upgrading to version 11.3.0 or later

Web scraping

There was a check box for enabling web scraping that was removed in version 11.3.0.

  • When you upgrade from versions 11.0.0 through 11.2.x, if the check box is enabled, the new Bot Detection setting has the option Alarm and Block enabled. If the check box is not enabled, the value is Off.
  • When you upgrade from versions prior to 11.0.0 (where there was no enable flag), the Bot Detection setting is based on the blocking check boxes for web scraping:
    • If the global Block check box is enabled, the value is Alarm and Block.
    • If the global Block check box is disabled, and the global Alarm check box is enabled, the value is Alarm.
    • If both Alarm and Block check boxes are disabled, the value is Off.

Brute Force

In versions prior to 11.3.0, if the Dynamic Brute Force Protection Operation Mode was Blocking, and the security policy’s Enforcement Mode was Transparent, the system blocked brute force attacks. In order to keep functionality after upgrading, the system continues to block brute force attacks if you upgrade to versions 11.3.0 or later, under these circumstances. However, in versions 11.3.0 and later, the functionality changed so that if the security policy’s Enforcement Mode is Transparent, so the system does not block brute force attacks even if the Dynamic Brute Force Protection Operation Mode setting is Alarm and Block (previously Blocking).

DoS profiles

In versions 11.3.0 and later, DoS profiles are assigned to virtual servers. Previously, they were assigned to security policies.

  • Upon upgrading DoS Profiles from versions prior to 11.3.0, all active security policies have their DoS settings migrated and assigned to the virtual server associated with the HTTP Class. If a virtual server had more than one HTTP Class assigned to it, it inherits the settings of the last in the list.
  • If you have a disabled DoS profile in a version prior to 11.3.0, and upgrade, after the upgrade the system automatically assigns the DoS profile to a virtual server. As a result, even though the system does not perform DoS protection, it still collects statistics, which impacts the system’s performance. To work around this issue, if you have a disabled DoS profile assigned to a virtual server, to improve system performance you should remove its association from the virtual server. (ID 405211)
  • We do not support exporting and importing DoS profiles.

Logging Profiles

In versions 11.3.0 and later, logging profiles are assigned to virtual servers. Previously, they were assigned to security policies. Upon upgrading logging profiles from versions prior to 11.3.0, all active security policies have their logging profile settings migrated and assigned to the virtual server associated with the HTTP Class. If a virtual server had more than one HTTP Class assigned to it, it inherits the settings of the last in the list.

XFF configuration (ID 405312)

In versions prior to 11.3.0, DoS profiles used the Trust XFF setting that was a security policy setting. The Trust XFF setting was renamed Accept XFF, and moved from a security policy property to a property of the HTTP profile. If you upgrade a DoS profile and a security policy with the Trust XFF setting enabled, after the upgrade, the new XFF configuration setting is disabled. If you want the DoS profile to continue trusting XFF, navigate to Local Traffic > Profiles > Services > HTTP > Properties screen, and enable the Accept XFF setting.

IP address whitelist

In version 11.2 we unified various whitelists for Policy Builder trusted IP addresses, and anomaly whitelists (DoS Attack Prevention, Brute Force Attack Prevention, and Web Scraping Detection) into a single list. When you upgrade, these separate lists are unified to a single whitelist (called the IP Address Exceptions List).

Security policy status after UCS installation

After you install a .ucs (user configuration set) file that was exported from version 10.1.0 or later, the system does not automatically apply changes that you made, but did not apply, to the security policies. The system enforces the web application according to the settings of the last set active security policy. However, the system preserves any changes to the current edited security policy, and marks the security policy as modified [M] if the changes have not been applied.

Running Application Security Manager on a vCMP system

If you are running Application Security Manager on a vCMP system: For best performance, F5 recommends configuring remote logging to store ASM logs remotely on Syslog servers rather than locally.

About changing the resource provisioning level of the Application Security Manager

After upgrading or installing a new version, before you can use the Application Security Manager, you must set the Application Security Manager resource provisioning level to Nominal. You can do this from the command line, or using the Configuration utility.

Important: Wait 5 minutes after you set the resource provisioning level before making any configuration changes to the Application Security Manager. The system overrides all configuration changes that were made before this process is completed. When the process is not complete, the system informs you by displaying, in the Configuration utility, the following message: ASM is not ready. The system informs you when the process is completed by indicating in the log (/var/log/asm) the following message: ASM started successfully.

Setting the Application Security Manager resource provisioning level to Nominal from the command line

You can set the Application Security Manager resource provisioning level to Nominal from the command line.
  1. Open the command-line interface utility.
  2. Type the command: tmsh modify sys provision asm level nominal
  3. Type the command: tmsh save sys config.
The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

Setting the Application Security Manager resource provisioning level to Nominal using the Configuration utility

You can set the Application Security Manager resource provisioning level to Nominal using the Configuration utility.
  1. On the Main tab, click System > Resource Provisioning . The Resource Provisioning screen opens.
  2. Set the Application Security (ASM) option to Nominal.
  3. Click Submit.
The screen refreshes, and the resource provisioning level of the Application Security Manager is set to Nominal.

To prevent traffic from bypassing the Application Security Manager

Please read Solution 8018 (SOL8018) and Solution 12268 (SOL12268) on the AskF5 web site. These solutions contain important configuration information needed to prevent traffic from bypassing the Application Security Manager.

About working with device groups

Note: This section is relevant only if you are working with device groups.

When Application Security Manager (ASM) is provisioned, the datasync-global-dg device-group is automatically created (even if there are no device-groups on the unit) in any of the following scenarios:

  • First provisioning of ASM on a device that has version 11.6.0, or later, installed.
  • Adding a device (with version 11.6.0 or later) to a trust-domain that has another device which already has the datasync-global-dg device-group.
  • Upgrading to version 11.6.0, or later, when ASM is already provisioned.
  • Upgrading to version 11.6.0, or later, when the device is joined in a trust-domain that has another device which already has the datasync-global-dg device-group.

This device group is used to synchronize client-side scripts and cryptographic keys across all of the devices in the trust-domain.

Note the following:

  • The synchronization is performed across the entire trust-domain, regardless of the configured device groups.
  • The datasync-global-dg device group must not be removed; it is essential for consistency of client-side scripts and keys across the devices.
  • This device group is created upon provisioning, even if the BIG-IP system is working as a standalone.
  • All of the devices in the trust-domain are automatically added to this device group.
  • This device group is manually synchronized. Therefore, when working with device groups (multiple devices in a trust-domain), customers must choose which device will hold the master scripts and keys. The rest of the devices receive these scripts and keys from the chosen device.
  • This device group is also created on units that do not have ASM provisioned, but are in a trust-domain with other units which do have ASM provisioned.

Synchronizing the device group

When adding a device to the trust-domain, or upgrading from a release prior to version 11.6.0, you must manually synchronize this device group.
  1. In the Configuration utility, navigate to Device Management > Overview .
  2. In the Device Groups area, click datasync-global-dg.
  3. In the Devices area, click the device which is chosen to have the master scripts and keys. These scripts and keys will be sent to the rest of the devices.
  4. Under Sync Options, select Sync Device to Group.
  5. Check Overwrite Configuration.
  6. Click Sync.
  7. When the warning message appears, click OK.
The device that you selected continues to work seamlessly. The rest of the devices go OFFLINE, and will not receive traffic for approximately 3 minutes. During this time, the new client-side scripts and keys are synchronized and prepared. After about 3 minutes, all units should return to the ONLINE (Active) state, and the units should be in sync.

Supported ICAP servers

For BIG-IP version 11.6.0, F5 Networks tested the anti-virus feature on the following ICAP servers: McAfee®, Trend Micro™, Symantec™, and Kaspersky. The following table displays which version of each anti-virus vendor was tested, and the value of the virus_header_name variable that needs to be adjusted in ASM for each tool. (You can set the virus_header_name variable: Security > Options > Application Security > Advanced Configuration > System Variables .)

Anti-Virus Vendor Anti-Virus Version Value of virus_header_name
McAfee® VirusScan Enterprise 7.0 X-Infection-Found, X-Virus-Name
Trend Micro™ InterScan™ Web Security 5.0.1013 X-Virus-ID
Symantec™ Protection Engine 7.0.2.4 X-Violations-Found
Kaspersky Anti-Virus 5.5 X-Virus-ID

Copyright © 2017, F5 Networks, Inc. All rights reserved.

For a current list of F5 trademarks and service marks, see https://f5.com/about-us/policies/trademarks. All other product and company names herein may be trademarks of their respective owners.

Contacting F5 Networks

Phone - North America: 1-888-882-7535 or (206) 272-6500
Phone - Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)
Fax: See Regional Support for your area.
Web: https://support.f5.com/csp/home
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.

Legal notices

Copyright © 2018, F5 Networks, Inc. All rights reserved.

For a current list of F5 trademarks and service marks, see https://f5.com/about-us/policies/trademarks. All other product and company names herein may be trademarks of their respective owners.

Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information