Software Release Date: 09/06/2004
Updated Date: 04/22/2011
This release note documents the feature release of BIG-IP version 9.0. To review the features introduced in this release, see New features in this release.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
The Configuration utility (graphical user interface) supports the following browsers:
The following instructions explain how to install the BIG-IP version 9.0 software on existing platforms. Note that if you are configuring a new system, the software is pre-installed.
You can install the software using either a PXE server or a USB CD-ROM drive. The installation method you use is determined by the hardware platform on which you are installing the software:
|Platform Type||Installation Method|
|5100 (or 5110)||PXE server|
|1500||PXE server or USB CD-ROM drive|
|3400||PXE server or USB CD-ROM drive|
|6400||PXE server or USB CD-ROM drive|
Important: If you are upgrading an existing 1000, 2400, 5100, or 5110 platform, and you are currently running BIG-IP version 4.5.4 through version 4.5.10 software, be sure to review these two supplemental documents before you start the software installation: Upgrading from BIG-IP software versions 4.5 PTF-04 through 4.5.10 to BIG-IP software version 9.0.1, and Upgrading from BIG-IP software versions 4.5 PTF-04 through 4.5.10 to BIG-IP software version 9.0.1 using the remote upgrade procedure.
The BIG-IP version 9.0 release includes the following new features and fixes.
Note: For additional information about the local traffic management features available in this release, review the Configuration Guide for Local Traffic Management.
HTTP data compression
The BIG-IP ® Local Traffic Manager can perform the standard HTTP and HTTPS data compression tasks normally performed by web servers, thus making those servers more available to process other requests.
Granular rate shaping
With this feature, you can control bandwidth utilization to ensure that priority traffic is served first, through setting up sophisticated bandwidth limits, borrowing, and queuing relationships. You can classify, and thus control, traffic based on port, source IP address, or destination IP address, virtual server address, or any Layer 7 variable.
Through its OneConnectTM feature, the Local Traffic Manager provides intelligent TCP offloading, which significantly reduces server processing. The system accomplishes this by minimizing the number of server-side connections and the work required to set up and tear down connections. Specific components of the OneConnect feature include the ability to direct same-connection requests to separate servers, the ability to maintain server-side connection persistence, and the ability to consolidate open server-side connections for re-use by other clients.
Advanced client authentication
The BIG-IP 9.0 system supports Pluggable Authentication Module (PAM) technology, so you can choose from a number of different mechanisms for authenticating or authorizing your application traffic. The system provides PAM modules that work with LDAP, RADIUS, or TACACS+ servers, as well as OCSP responders, for your authentication mechanisms.
The BIG-IP 9.0 system provides increased security for encrypting client-side cookies, to prevent poisoning and tampering with critical application cookies.
Enhanced health and performance monitoring
The BIG-IP 9.0 system includes several enhancements to monitoring, including new Oracle, SIP, and SOAP monitors. Other key enhancements are the ability to associate a monitor with an entire pool rather than with individual pool members only, and the ability to associate multiple monitors with the same IP address.
Enhanced Secure Network Address Translations (SNATs)
This release introduces a new feature called SNAT pools, which further automates and customizes the process of mapping translation addresses to original IP addresses. With SNAT pools, the Local Traffic Manager can choose a translation address from an entire pool of virtual IP addresses. Furthermore, you can base the mapping of translation addresses on criteria other than the original client IP address, such as a server port or an HTTP cookie.
Enhanced Universal Inspection Engine
The full-proxy architecture of the BIG-IP 9.0 system provides a framework that represents the fastest, most modular inspection engine to date. This, in turn, provides the basis for current and future solutions that require in-line network operation, at near-wire speed.
We have significantly enhanced the iRulesTM feature to offer both an industry-standard command language (Tcl) and faster processing. The BIG-IP 9.0 system can now selectively trigger iRules based on specific events, such as an authentication failure. You can use iRules to manage many different types of connections, such as TCP, HTTP, and SSL connections.
Resource cloaking using iRules
The Local Traffic Manager provides a centralized point to remove sensitive server and application information that can be used by attackers to mount attacks on your site. You can now use the iRulesTM feature to define customer filtering that blocks server return-code errors and Cloak Server Header Information.
Profile-based product configuration
The Local Traffic Manager includes an extensive set of configuration profiles. Profiles are configuration tools that give you more granular control of features such as HTTP and SSL traffic management, session and connection persistence, and authentication. You can use the default profiles that the BIG-IP 9.0 system provides, or you can customize them to suit your particular traffic-management needs.
Note: For additional information about the network and system management features available in this release, review the online help.
F5 Networks' new Traffic Management Operating System represents the first system to offer unified and expandable application services, unparalleled intelligence and adapability, and a high-performance processing framework for improving application delivery.
New graphical user interface
The Configuration utility is an all-new, easy-to-use graphical user interface for configuring and managing the BIG-IP 9.0 system. This new interface includes a new integrated online help system.
This release includes support for IPv6 addressing. When configuring the BIG-IP 9.0 system, you can specify IPv4 addresses and IPv6 addresses. This provides the ability to create IPv4 to IPv6 gateways, or IPv6 to IPv4 gateways.
Basic firewall packet filtering engine
The BIG-IP 9.0 system offers improved network protection through robust packet filtering. Similar to basic network firewalls, this feature provides a control point to define and enforce Layer 4-based filtering rules. With this additional layer of network security and filtering, the BIG-IP 9.0 system ensures better perimeter security for the enterprise.
New high-performance iControl interfaces
We have enhanced the iControl® interfaces to support bulk-enabled method calls. Client applications can tune themselves to determine the optimal number of objects to query in a single request. This interface optimization yields significant run-time performance improvement, ultimately resulting in reduced network bandwidth. In addition, the iControl interfaces now support a true publish-and-subscribe model, to reduce network overhead and improve application performance.
For additional information on the iControl enhancements, refer to the iControl documentation on the AskF5 web site, http://tech.f5.com/.
[ Top ]
The following items are known issues in the current release.
Configuring address data groups (CR23058)
If you configure an address data group that contains both a network object, and also specific host addresses on that network, the system does not match the address data group correctly.
Configuration utility: Support for CIDR notation for IPv6 (CR31716)
You cannot use the CIDR notation for entering IPv6 addresses into the web-based Configuration utility.
The tcpdump utility and viewing MGMT interface traffic (CR33009)
The tcpdump utility does not accept the mgmt argument if you want to view the traffic on the MGMT interface. You can, however, specify eth0 to view the MGMT interface traffic, as follows:
tcpdump -i eth0
Half close on server-side SSL configuration causes full SSL shutdown (CR33388)
The server-side SSL configuration does not support the half-close connection state. We recommend that you do not use an server-side only SSL configuration.
Changing a VLAN tag on an existing VLAN (CR33535)
To change a VLAN tag on an existing VLAN, you must first delete the VLAN, and then re-add it with the new tag.
Selecting the normal boot option during the PXE boot process (CR33925)
When you use a PXE server to install the software, the PXE boot process permits access to the boot menu. If you access the boot menu, instead of letting the PXE boot process continue automatically, the PXE boot process restarts. You can access the boot menu by pressing m at the prompt Press m or Control-SPACE to view menu (10). If you attempt to use the Normal Boot option from the boot menu, the PXE boot process starts again. We recommend that you do not use this option.
Benign warnings and messages during RPM package installation (CR33930)
When you install the software, you may see warnings and error messages while the RPM packages are being installed. These warnings and error messages are benign, and do not affect the successful installation of the packages.
vi does not work on wide terminals (CR33974)
The vi text editor does not work with terminals wider than 160 characters.
Both units in a redundant system remain in active mode after initial configuration (CR34060)
When you configure a redundant system, both units remain in active mode after they are configured. The first unit should go into standby mode after you configure the second unit. Run the following command on the second unit to put the first unit into the standby state.
cache rule command not implemented (CR35409)
The CACHE iRule command is currently not implemented.
Command line display/delete of dynamic data (CR35496, CR39877, CR39719, CR37761)
Using the command line to display or delete dynamic data is unreliable when large amounts of data are accessed (thousands of connections). It is possible that these operations will fail, or be successful and return an erroneous "not found" error. The data affected includes ARP records, connection table, or persistence records.
Gratuitous ARPs are not forwarded with VLAN groups (CR36096)
VLAN groups do not forward gratuitous ARPs.
Configuration utility: Modifying a default route (CR36732)
In the Configuration utility, you cannot modify the properties of a default route. If you want to modify a default route, delete the route, and then add a new default route with any changes you want to make.
CPU performance graph displaying inaccurate data on unit with single processor (CR37236)
If you have a platform that has only one processor (CPU) in it, the CPU usage graph, on the Overview > Performance screen displays only the CPU usage of the Traffic Management operating system.
Address conflict log messages on the 2400 platform (D44) (CR37375)
On the 2400 platform (D44), when the system initializes self IP addresses on internal VLANs, you may see address conflict messages in the /var/log/tmm file. These errors are benign, and do not affect the system's functionality.
eth0 is always reported as up (CR38052)
The ifconfig utility always reports that eth0 (the MGMT interface) is up, even if it is not.
Possible packet collisions when using a pool in multiple virtual servers (CR38064)
In rare instances, under the following conditions, you may see packet collisions in benchmark testing:
If your configuration meets both conditions, and you experience this issue, then change the PVA Acceleration setting to Assisted.
Using ssldump to view network traffic (CR38204)
Using the ssldump utility to view network traffic works only when the utility reads the data from a file. To use the ssldump utility to read from a file, use the following command:
ssldump -r <dump_file>
Resetting route statistics using wrong parameter (CR38257)
When the system resets route statistics using the advanced routing modules, the system uses the route_update parameter instead of the reset_stats parameter.
Reactivating add-on modules (CR39101)
If you relicense a system so that is has reduced functionality, for example, you deactivate any add-on modules like Rate Shaping or IPv6, and then later try to relicense with full functionality, the Configuration utility generates errors and you cannot use it to configure the system. To avoid this issue, once you have relicensed the system with the reduced functionality, you must edit the bigip.conf file to remove the features that you effectively turned off. Next, type bigpipe load, and if the load is successful, the Configuration utility should once again be usable.
Running tcpdump on a port mirror switch interface restarts the switch hardware driver (CR39121)
Attempting to run the tcpdump utility on a switch interface that has a port mirror defined causes the switch hardware driver to hang and then restart.
Remote authentication and logging in root user with bad password (CR39131)
When all of the following conditions are met, you receive several login prompts before the system resets and you can log in from the command line:
Restarting system services from the command line (CR39194)
If you need to restart a system service from the command line, we recommend that you use the bigstart restart command, and do not specify the service name, for example, bigstart restart <service_name>.
Setting the system time to some point in the future restarts the switch hardware driver and the health monitors system service (CR39454)
When you set the system time to some time in the future, the following events occur:
Log messages on a pre-licensed system (CR39523)
You may see several warning log messages before a system is licensed. These messages are benign and can be ignored.
Connection mirroring issues (CR39548, CR39779, CR39892, CR39894, CR39895, CR39905)
Connection mirroring is not fully implemented in this release. We recommend that you do not configure connection mirroring at this time. 9/7/2004 UPDATE: Connection mirroring is fully implemented in the 9.0.1 release. We urge you to apply this upgrade.
Running configuration synchronization between units with different time settings (off by one day) (CR39562)
The configuration synchronization process report errors when trying to install a file with a date in the future. This is likely to happen if the system times on a redundant system are not synchronized, and you are synchronizing to the system with the slower time.
Error message when resetting iRules statistics in the Configuration utility (CR39580)
You may see the error message Statistics not implemented when you reset the iRules statistics from the Overview > Statistics : iRules page.
Unable to restart the hardware switch driver (bcm56xxd) on the 6400 platform after multiple stops/starts (CR39626)
If you stop and start the system daemons multiple times in a row (greater than 16) it is possible that the hardware switch driver may not start properly. If this happens, we recommend that you shut down and power down the system, then power the system back up to correct the problem.
License activation and system time (CR39659)
If the hardware clock's time is more than 24 hours different than the time on the F5 Licensing server, the system cannot successfully activate the license. Contact Technical Support for information regarding setting the hardware clock time.
Log timestamps and Daylight Savings Time (CR39674)
The timestamps that display for the system log entries are off by one hour when Daylight Savings Time is in effect.
ConfigSync user and remote authentication (CR39680)
If you use a remote authentication database for the system, only the admin user can run the ConfigSync operations.
Configuring port mirroring generates debug messages on the console (CR39711)
When you configure port mirroring for an interface using the Configuration utility, you may see debug messages on the console. These error messages are benign.
Adding and removing VLAN fail-safe settings (CR39721)
In the Configuration utility, if you enable, and then later disable, the VLAN fail-safe settings, the system does not update the bigip.conf file by removing the failover failsafe parameter from the VLAN configuration. However, VLAN fail-safe is disabled.
Activating add-on modules (CR39724)
If you purchase any add-on modules for a system that is already running version 9.0 software, you must run the following command to initiate the module's functionality:
Assigning the stream profile (CR39729)
In the Configuration utility, from the Virtual Servers section, you cannot assign a stream profile to the server side.
Activity LED flickers with no ports plugged in (D44 platform only)(CR39744)
It is possible that the activity LED will flicker even when the system is not passing traffic. In this situation, the LED flickers because the LED displays hard disk and/or PCI bus activity.
SNMP trap configuration (CR39782)
In the Configuration utility, on the SNMP > Traps > Configuration screen, changing the Device setting to disabled (unchecked) has no effect. The setting remains enabled.
VLAN mirroring not supported (CR39784)
This release does not support VLAN mirroring.
ConfigSync and statistics reporting errors (CR39785)
On a redundant system, after you issue a configsync command, you may receive inaccurate statistics (with a zero value) from both the command line and the Configuration utility. You can issue a bigstart restart command to correct this issue.
Using double quotation marks in strings for monitors (CR39787)
In the Configuration utility, typing double quotation marks around a string argument for a monitor (for example, "GET /server/index.html") causes a syntax error when the system tries to update the configuration. To avoid this known issue, do not enclose monitor arguments in quotation marks, when you use the Configuration utility.
OTCU: DNS forwarders list in named.conf not preserved (CR39790)
The One-Time Conversion utility (OTCU) does not preserve the DNS forwarders list in the named.conf file.
1000, 2400 and 5100 platforms and enabling LACP on trunks (CR39803)
When you are running the software on the 1000, 2400, or 5100 platforms, and LACP is enabled for a trunk, the trunk fluctuates between the up and down states. We recommend that you do not enable LACP for trunks on these platforms.
Configuring monitors for wildcard virtual servers (CR39808)
Monitors with a default port of *, when paired with a pool member with a destination port of *, are using the echo port, instead of the default port for the particular monitor/service type.
Changing the system time and the performance graphs (CR39822)
If you modify the time on the system by turning it backward, the system displays error messages. You can ignore these error messages.
Setting mode for active-active redundant system (CR39829)
Run bigstart restart on both units to get them into active mode.
OTCU: Node attributes not converted (CR39842)
The One Time Conversion Utility (OTCU) does not convert the node attributes; this is not explicitly indicated when you run the OTCU.
VLAN tags on redundant systems with connection mirroring (CR39852)
To use connection mirroring on redundant systems, the VLAN tags on the VLANs the system is using must be the same.
Changing failover peer IP address in the Configuration utility (CR39845)
In the Configuration utility, if you change the IP address for the failover peer (in a redundant system), the change does not take effect until you run the following command, from the command line:
SNMP and multi-word community strings (CR39871)
Creating access records with multi-word community strings corrupts the snmpd.conf file. To avoid this problem, limit community strings to a single word.
Port mirroring forwards packets tagged to mirrored destination (CR39873)
If you setup a port mirror of a port, untagged traffic on the source port ends up being output tagged on the mirrored port.
Clean installations on the D44 and D51 platforms may cause errors for the hardware switch driver (bcm56xxd) (CR39885)
When you perform a clean installation of the version 9.0 software on older IP Application Switch platforms (D44 and D51), the system may experience errors on the hardware switch driver (bcm56xxd). To clear the errors, shutdown the system and cycle the power for the unit by turning the power off and then back on.
Using the Server SSL profile and RSA keys larger than 2048 bits (CR39886)
If your configuration meets all of the following conditions, the system resets server-side connections during the handshake operation:
Nokia SNMP alarm log flush not working (CR39901)
If you use the snmpget command to flush the contents of the Nokia SNMP alarm log, the system does not flush the log contents.
Link down on standby functionality not implemented (CR39902)
The failover link down on standby functionality is not implemented in this release.
OTCU: Detecting gigabit fiber port media settings (CR39914)
The OTCU does not properly detect the media settings for gigabit fiber ports. Once you have run the OTCU, you can change the port settings in the Configuration utility.
iRules: Errors when setting renegotiation on SSL Client Certificate requirement (CR39918)
The SSL::cert mode command attempts to require a client certificate for only certain URLs, and not for others.
Setting the serial console baud rate and the host BIOS (CR39921)
When you set the baud rate for the serial console, in preparation for a PXE installation, the host BIOS retains the first setting that you configure, even if you later try to reset the baud rate. We recommend that you set the baud rate only to the default, which is 19200.
Running Config Sync or restoring a .ucs file resets node monitors (CR39923)
Occasionally, when you run the Config Sync operation, or restore a *.ucs file, the system resets all monitor instances for nodes, and the monitor state changes to CHECKING.
Errors in the bigip.conf file cause the pvad utility to generate a core file (CR39929)
When you edit the bigip.conf file by hand, and you introduce configuration errors, the pvad utility generates a core file when you try to load the configuration. To avoid this issue, we recommend that you use the Configuration utility to configure the system.
Truncated subscription ID in error messages and iControl applications (CR39987)
When the system generates an error message, the subscription ID is truncated. iControl applications that rely on this identifier do not function properly, as a result of this issue.
Creating VLANS with no interfaces generates error in Configuration utility (CR40035)
In the Configuration utility, if you create a VLAN and you do not associate any interfaces with it, the system generates a page error. To avoid this issue, either add at least one interface to the VLAN, or create the VLAN using the bigpipe console.
Reseting interface statistics (CR40059)
In the Configuration utility, if you reset the interface statistics, you may see the following error message:
An error has occurred while processing your request.
The error is benign, as the system does reset the statistics.
Deleting records from the dynamic ARP list in the Configuration utility (CR40073)
If you want to delete records from the dynamic ARP list, use the command line instead of the Configuration utility.
Manually adding a configuration item in the configuration file in front of an item that causes a syntax error (CR40206)
If you manually add a configuration object to the bigip.conf file in front of an object in the configuration that cannot load, you can destabilize the configuration. If this happens, restart the daemons with the following command.
Changes in US and Canada Daylight Saving Time (CR58315)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes are not reflected in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.
The following section describes workarounds for the corresponding known issue listed in the previous section.
This workaround describes how to configure the system so that you do not experience the problem described in the known issue, CR39886. This workaround offers three solutions:
|Phone (U.S. and Canada)
||401 Elliott Avenue West
Seattle, WA 98119