Applies To:

Show Versions Show Versions

Release Note: BIG-IP LTM and TMOS version 9.3.1
Release Note

Updated Date: 12/11/2013


This release note documents the version 9.3.1 release of BIG-IP® Local Traffic Manager and TMOS®. To review what is new and fixed in this release, refer to New in version 9.3.1 and Fixed in version 9.3.1. For existing customers, you can apply the software upgrade to systems running BIG-IP version 4.x, and to systems running version 9.0.5 through 9.2.5. (Note that you cannot apply this upgrade to systems running BIG-IP version 9.0 through 9.0.4 software. You must first upgrade to version 9.0.5 through 9.2.5.). For information about installing the software, refer to Installing the software.

Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 Networks software lifecycle policy, which is available in the AskF5SM Knowledge Base,


- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
     - Performing a Microsoft Windows hosted installation
     - Performing a USB mass storage device installation
     - Performing a local installation
     - Performing a PXE server installation
     - Performing a remote installation
     - Verifying the MD5 checksum of the installation file
     - Re-activating the license on the BIG-IP system
- New in version 9.3.1
- Fixed in version 9.3.1
- New in version 9.3
- Fixed in version 9.3
- Optional configuration changes
     - Using SNMP read/write OIDs
     - New SNMP OIDs
     - Using the switchboot utility
- Known issues
     - Controlling fallback with an iRule (CR61942)
     - Rewriting the location header when Application Security Module is enabled (CR64136)
     - Enabling port translation and address translation (CR65341, CR66193)
     - Using an iRule to manage fallback redirection after receiving a reset packet (CR66570)
     - Rewriting the redirect address when using a non-standard port (CR67505)
     - Changing the configurations of pools (CR73786)
     - Preventing console access for remote users (CR77422)
- Contacting F5 Networks

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database on the Ask F5 Knowledge Base web site.

[ Top ]

Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • 512 MB RAM (if running only Local Traffic Manager or only Global Traffic Manager)
  • 768 MB RAM (if running a combination of BIG-IP products, such as Local Traffic Manager and Global Traffic Manager, or running Link Controller)
  • 512 MB CompactFlash® media drive

Note: The 520/540 platform must meet certain requirements in order to support this version of the BIG-IP software. For more information, including memory requirements, see 520/540 Platform: Installing BIG-IP version 9.3.1.

The supported browsers for the BIG-IP Configuration utility are:

  • Microsoft® Internet Explorer®, version 6.x
  • Mozilla® Firefox®, version 1.5x and version 2.0x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.

[ Top ]

Supported platforms

This release supports the following platforms:

  • BIG-IP 520 and 540 (D35), for more information, see 520/540 Platform: Installing BIG-IP version 9.3.1.
  • BIG-IP 1000 (D39)
  • BIG-IP 1500 (C36)
  • BIG-IP 2400 (D44)
  • BIG-IP 3400 (C62)
  • BIG-IP 5100 and 5110 (D51)
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 8400 (D84)

Warning: If you plan to upgrade a system licensed for Link Controller, Global Traffic Manager, or a combination Local Traffic Manager and Global Traffic Manager system, the BIG-IP unit you intend to upgrade must have a minimum of 768 MB of RAM. Originally, the BIG-IP 1000 (D39) and BIG-IP 2400 (D44) platforms were shipped with 512 MB of memory only.

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

[ Top ]

Installing the software

There are several installation options to consider before you begin the version 9.3.x software installation. Before you begin the installation process, you need to determine which installation option is appropriate: Microsoft® Windows® hosted, USB mass storage device, local, PXE server, or remote.

Important: A valid service contract is required to complete this upgrade.

Important: You must reactivate an expired license on the BIG-IP system you intend to upgrade before you begin the installation.

Important: You cannot upgrade to version 9.3.x from versions 9.0 through 9.0.4. You must first upgrade to 9.0.5, or a later 9.x release.

Important: You must turn off mirroring before you attempt to upgrade. Mirroring between units with differing versions of the BIG-IP software is not supported.

Warning: Once you reactivate the license, make sure to save your configuration. The system does not roll forward unsaved portions of configurations. You can save your configuration by running the command b config save /config.ucs.

Warning: Once you save your configuration, copy the config.ucs file to a secure, remote location. The installation process overwrites the locally maintained UCS file, so you should maintain the UCS file remotely as a recovery strategy in case the upgrade does not perform as you expect. For more information, see SOL2250: Overview of UCS archives.

Important: You are prompted to install the software on multiple boot images if the unit supports the multiple boot option. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), and BIG-IP 8400 (D84) platforms support this functionality.

Important: You must perform the installation from the management interface (Management) on the BIG-IP system.

Important: You should perform the installation on the standby system in a redundant system. If you are satisfied with the results, initiate failover and apply the upgrade to the other unit in the redundant system.

Important: We recommend that you run the MD5 checksum on any ISO image or IM upgrade file you download. For information about MD5 checksums, see Verifying the MD5 checksum of the installation file.

[ Top ]

Performing a Microsoft Windows hosted installation

Before performing Microsoft® Windows® hosted installation, read the following information.

Performing a USB mass storage device installation

Before performing a USB mass storage installation, read the following information.

  • Version 9.3.1 USB mass storage device installation
    The USB mass storage device based upgrade provides the ability to install the BIG-IP software from a USB mass storage device onto a BIG-IP system. For details about this installation method, see Installing BIG-IP version 9.3.1 from a USB Mass Storage Device.

Performing a local installation

Before performing a local installation, read the following information.

Performing a PXE server installation

The procedure for performing a PXE installation depends on the version of the BIG-IP system you are currently running, and whether you have the 520/540 platform.

Performing a remote installation

The procedure for performing a remote installation depends on the version of the BIG-IP system you are currently running. The remote upgrade provides the ability to run the upgrade from a management workstation that is not directly connected to the system you intend to upgrade.

[ Top ]

Verifying the MD5 checksum of the installation file

After you download the installation file and its associated MD5 checksum file, and before you perform the installation, we recommend you test the integrity of the install file. This verifies that you have downloaded a good copy of the file. To run the test, type the following commands, where local-install-9.3.x.<build_number>.im is the name of the file you downloaded, and local-install-9.3.x.<build_number>.im.md5 is the name of its associated MD5 checksum file.

md5sum local-install-9.3.x.<build_number>.im
cat local-install-9.3.x.<build_number>.im.md5

If the output from both commands does not exactly match, download the file again. Repeat the download process until the MD5 checksum of the downloaded file exactly matches the text string in the associated .md5 file.

[ Top ]

Re-activating the license on the BIG-IP system

You need to re-activate the license on the BIG-IP system to use some of the new features added in this release.

To re-activate the license on the system

  1. On the Main tab, expand System and click License.
    The License screen opens.
  2. Click the Re-activate button and follow the onscreen instructions to re-activate the license.
    For details about each screen, click the Help tab.

Note: If you create a stand-alone Global Traffic Manager installation or a Local Traffic Manager/Global Traffic Manager installation, after licensing the Global Traffic Manager, the system requests that you perform a software reboot. This statement is intended to indicate that you should restart the system (such as through the command bigstart restart before moving the system into a production environment.

[ Top ]

New in version 9.3.1

  • SCCP update
    We have updated the Switch Card Control Processor (SCCP) that provides the hardware with control over the whole unit to the latest version,
  • EUD updated
    We have updated the End User Diagnostic (EUD) utility to the latest version,
  • SOAP infrastructure improvements
    The iControlPortal.cgi and eventd programs are significantly more memory-efficient. Eventd more gracefully handles signals received during normal processing.
  • TCP half_open monitor and UDP monitor improvements
    The tcp_half_open and udp monitors are now implemented as internal monitors, reducing overhead on the system load and providing more reliable performance with large numbers of monitors. In addition, the tcp_half_open now checks the service state of a node, and no longer marks a node up without taking into account the service for that node.
  • New partition layout option
    In previous versions of the BIG-IP Local Traffic Manager, only one partition scheme was available. With version 9.3.1 and later (for 9.3.x) and version 9.4.2 and later (for 9.4.x), when you upgrade a system, you may have the option to install the upgrade using either the legacy partition scheme or the new standard partition scheme. For more information, see SOL7608: Change in Behavior: Choosing a partition scheme while upgrading.
[ Top ]

Fixed in version 9.3.1

Note: This release also contains all fixes from versions 9.2 through 9.2.5. For a list of Local Traffic Manager and TMOS fixes, see BIG-IP Local Traffic Manager version 9.2.5 and TMOS. For a list of Global Traffic Manager and Link Controller fixes, see BIG-IP Global Traffic Manager and Link Controller version 9.2.5.

Hardware compression reset (CR47138, CR77431)
The system now monitors the health of the hardware compression card and correctly resets the card when it is not responding.

LB_FAILED and the use of HTTP::redirect (CR50764)
The HTTP::redirect iRule command is now compatible with the LB_FAILED iRule event. Previously a state machine error was written to /var/log/ltm, a reset (RST) was sent to the client, and in some cases the response was not delivered to the client.

RAM Cache and 304 responses for requests without IMS headers (CR62309)
The RAM Cache feature with compression no longer sends an HTTP 304 not modified response if the request does not have an Information Management System (IMS) header.

RAM Cache and efficient use of xfrags (CR68549)
The RAM Cache feature now makes more efficient use of xfrags and no longer uses excessive amounts of actual memory.

Errors when probing non-FIPS systems (CR70469)
The system no longer generates errors about improper device probing on a system without a Federal Information Processing Standard (FIPS) card. Previously, module named vnic already exists errors and similar errors were incorrectly logged. Enterprise Manager (EM) probing caused even more incorrect error logging.

Run time driver failure with initialization error (CR72837)
Encryption cards are now recognized more reliably and accurately. The driver no longer resets based on harmless iniitialization errors.

OpenSSL identifying SSLv2 ciphers and TMM (CR72968)
In previous versions, the OpenSSL library did not identify SSLv2 ciphers, and could result in a Traffic Management Microkernel (TMM) process restart. Now, TMM correctly identifies SSLv2 ciphers.

eventd and interrupted system calls (CR74084)
With this release, the eventd process more gracefully handles EiINTR signals (interrupted system calls) received during normal processing.

EUD version (CR75810)
You can now determine the running version of the End User Diagnostics (EUD) without rebooting the system by typing eud_info on the command line.

LB_FAILED reselect to node with cookie persist (CR76991)
The Traffic Microkernel Module (TMM) no longer halts when a load balancing selection fails. For example, when all pool members are down, and the virtual server attempts to pick a node using LB::reselect in a defined iRule.

Compression with RAM Cache and TMM process restart (CR77092)
The Traffic Management Microkernel (TMM) process no longer restarts when enabling or disabling compression when RAM Cache is enabled.

iRule with HTTP::host and TMM halt (CR77137)
The Traffic Management Microkernel (TMM) process no longer restarts when a user runs the iControl HTTP::Host command on a connection that has received an empty Host header.

mysql optimized option and using a redundant pair (CR77307)
We have removed the mysql optimized option since it is no longer needed, and can cause a deadlock or freeze condition.

TMM failure with LDAP authentication using FIPS (CR77402)
The Traffic Management Microkernel (TMM) is now stable with LDAP client authentication in a client SSL profile using Federal Information Processing Standard (FIPS).

HTTPS Monitor with Client Auth to support FIPS (CR77846)
Federal Information Processing Standard (FIPS) key pairs can now be used by monitors.

PHP vulnerabilities (CR77989)
PHP has been upgraded to version 4.4.7 with an additional patch to fix several security issues.

Least connections load balancing and TMM process restart (CR78002)
Changing the load-balancing method to least connections (member) on a pool using priority group activation is now handled more gracefully, and no longer causes a Traffic Management Microkernel (TMM) process restart.

TCP half open monitor (CR78452)
We have changed the tcp_half_open monitor to an internal monitor, so that it runs under bigd. This reduces overhead on the system load and provides more reliable performance with large numbers of monitors.

UDP monitor (CR78453)
We have changed the udp monitor to an internal monitor, so that it runs under bigd. This reduces overhead on the system load and provides more reliable performance with large numbers of monitors.

Nexthop cache memory leak (CR78681)
We have fixed a memory leak that caused the nexthop cache to grow.

RAM Cache and HTTP 304 responses (CR78821)
RAM Cache now allows compressed content to be served properly from the cache with HTTP 304 Not Modified responses.

PVA and demoted pool members with least connections (CR78857)
PVA now correctly demotes pool members in a pool using the least connections load balancing method to Assist mode in Packet Velocity® ASIC (PVA).

Staged configuration failures and error reporting (CR79061)
Staged changesets can now be deployed from Enterprise Manager to a BIG-IP 9.3 system if the changeset has been successfully verified.

Native serverssl connections and TMM process restart (CR79098)
Resumed native software serverssl connections no longer cause the Traffic Microkernel Module (TMM) process to restart.

bigdb database variable not found message (CR79328)
In previous releases, you might have received an error indicating that the bigdb database variable platform.diskmonitor.freelast.dev_shm was not found. This issue has been fixed.

Stream filter resilience (CR79374)
The stream filter functionality in iRules® no longer causes Traffic Microkernel Module (TMM) process to restart if no expression is present.

HTTP with RAM Cache enabled (CR79501)
In previous versions, if you disabled HTTP on the first request with RAM Cache enabled, connections stalled. Now, connections with RAM Cache enabled on an iRule disabling HTTP proceed correctly.

SSL ID persistence filter and TMM failure (CR79515)
Enabling SSL session ID persistence no longer causes the Traffic Microkernel Module (TMM) process to restart at handshake completion.

Non-native serverssl and TMM process restart (CR79616)
Non-native serverssl ciphers no longer cause Traffic Microkernel Module (TMM) process to restart.

Native serverssl support for no certificate when cert requested (CR79708)
We have significantly improved serverssl negotiation in cases where SSL servers require the client to send an empty certificate list. Now the system returns an empty certificate list, and does not reset the connection.

AES::decrypt and b64decoded data (CR79907)
The AES::decrypt iRule command now handles the output of the b64decode command.

XConfig ::get_instance_dependency error for monitor-based pools (CR80046)
Enterprise Manager can now query Local Traffic Management systems with numerous pools referencing the same monitor.

FTP through gateway pool and source address (CR80111)
Outbound FTP connections from the BIG-IP system through a gateway pool member now use the correct IP address instead of IP address

Mirrored fastl4 virtual server and memory leak (CR80120)
A system using an iRule with a mirrored, fastL4 virtual server no longer leaks memory.

Compression of incomplete HTTP transfers (CR80178)
We have improved the deflate compression filter to correctly detect and handle incomplete HTTP transfers.

f5passwd and user password update (CR80412)
The f5passwd utility now correctly interpolates variable arguments.

Fiber interfaces and re-enable after disable (CR81105)
You can now enable and disable small form-factor pluggable (SFP) interfaces without having to run the bigstart restart command afterward.

FTP traffic memory leak (CR81113)
FTP traffic no longer triggers a memory leak in the Traffic Microkernel Module (TMM), and correctly releases connflow and listener resources.

Invalid SSL record types and SSL records (CR81463)
The system now validates SSL record types prior to off-loading the SSL record to hardware. This update keeps the security-processing hardware from receiving and trying to process inappropriate data.

Upgrade failure and duplicate packages (CR81623)
In cases where multiple versions of the SCCP firmware exist on a system, the upgrade installation script no longer fails.

eventd and subscriber event list when subscriber disabled (CR81826)
The eventd process now clears the subscriber event list when a subscriber is disabled.

30-second interval before network failover (CR81981)
In previous versions, during failover on systems configured for network failover, the standby unit might not become active for 30 seconds. Now, failover occurs more quickly.

Window scaling when calculating TCP window size (CR82105)
In previous versions, when the TCP profile receive window was greater than 64 KB, and a connection was made that did not successfully negotiate window scaling, the advertised TCP window incorrectly wrapped. Now, in the same circumstances, window scaling works correctly.

Load verify command resets previous change (CR82211)
The bigpipe command b verify [base] load no longer causes disabled interfaces to be re-enabled.

SSL filter and SSL record version validation (CR82219)
The system now correctly validates the SSL record version prior to off-loading the record to hardware.

Configsync.LocalConfigTime after Qkview (CR82268)
In this releases, running the qkview utility no longer modifies the db key Configsync.LocalConfigTime. In previous releases, the modified key could incorrectly report that the system should be synchronized.

SSL::handshake (CR82672)
The Secure Socket Layer (SSL3.0)/Transport Layer Security (TLS1.0) feature now supports the ability of the SSL::handshake iRule command to hold or resume a TCP handshake.

Node status using LB::Status in rule (CR82835)
The LB::Status node iRule command now returns the correct node status for a node that went up and down.

Least connections load balancing method and OneConnect (CR82851)
Load balancing requests using Least Connections load balancing and OneConnect have been improved, and now work correctly together.

Multiple APPDATA records with non-native SSL re-encryption and TMM process restart (CR83261)
A virtual server configured for non-native ciphers with client-side and server-side SSL traffic (which causes the client or server to deliver multiple APPDATA records in a single packet) no longer causes the Traffic Microkernel Module (TMM) process to restart.

BIND vulnerability (CR83397)
Previous versions included a flaw in the way the Internet Systems Consortium, Inc. (ISC) Berkeley Internet Name Domain (BIND) software versions 9.0 through 9.5.0a5 generated outbound DNS query IDs. This vulnerability affected only BIND servers. This version corrects the flaw. The Common Vulnerabilities and Exposures (CVE) project assigned the ID CVE-2007-2926 to the problem. For more information about the vulnerability, see CVE-2007-2926.

Literal carriage return in monitor parameter strings (CR84971)
In the version 9.2.2 release, the system interpreted monitor strings containing literal carriage returns, that is, returns that you created by pressing the Enter key in a monitor string field. In this release, you can use the escaped return ( \r ) and line end ( \n ) characters, or a combination ( \n\r ) to effect multi-line monitor strings. For example, the following is a multi-line monitor string from a previous release:


To achieve the same string, you can use any one of the following constructions:

VLAN fail-safe and ARP request when VLAN is in a VLAN group (CR83401)
In previous versions, the VLAN fail-safe did not send Address Resolution Protocol (ARP) requests if the VLAN was in a VLAN group. VLAN fail-safe now works correctly in bridging mode with VLAN groups.

Remote vulnerability in mod_jk2 (CR83564)
We have corrected a remote vulnerability in an older version of the mod_jk2 library.

Mirrored fastl4 client-side ICMP packets and crash on standby unit (CR83689)
ICMP Path MTU messages destined for a fastL4 virtual server no longer cause the Traffic Microkernel Module (TMM) system to become unavailable on the standby unit.

Packet cache leak in random service proxy (CR83777)
Systems no longer leak memory if the db key Configsync.Autodetect is enabled for a redundant system.

TMM SIGSEGV and LB::reselect after HTTP::Response in LB_FAILED event (CR84102)
The Traffic Management Microkernel (TMM) process no longer restarts if the LB::reselect iRule statement is called from a LB_FAILED event.

Escaped double quote and slash characters (CR84373)
The system now correctly parses escaped double quote characters or slash characters.

New Zealand DST changes (CR84864)
We have updated the tzdata and java time zone files to accommodate the New Zealand Daylight Saving Time (DST) requirements.

iRules active_members return value (CR85057)
The active_members iRule logic now returns 0, the returns the correct response for an unavailable pool, instead of returning 1 even for unavailable pool members.

iControl and memory consumption (CR85134)
The iControlPortal.cgi and eventd programs are significantly more memory-efficient.

LB_reselect snf next available member (CR85186)
In the case of two members in a pool, the LB_reselect command now correctly selects the next pool member if the first pool member is unavailable, which prevents an infinite loop condition.

Incorrectly marked down ARP entry in a VLAN group (CR85463)
Within a VLAN group configuration, the system no longer marks down an Address Resolution Protocol (ARP) entry if the ARP cache has expired. Instead, it now correctly sends the ARP request immediately.

tmctl utility crash on large configurations (CR85638)
The BIG-IP system tmctl utility no longer crashes on very large configurations.

Partition-size calculation validation (CR85788)
We have corrected a problem with the installer that caused the partitioning table to become corrupted.

XConfig and FIPS keys (CR86517)
Enterprise Manager now fully supports Federal Information Processing Standard (FIPS) keys, and no longer marks as impaired FIPS-equipped BIG-IP units. The keys now appear with a slightly different text representation in the device Configuration Viewer, along with regular keys.

Enterprise Manager can now include FIPS keys in Changesets and push them to other FIPS-equipped BIG-IP units, provided that FIPS devices on BIG-IP units are paired with the source device.

CVE-2007-5135: OpenSSL off-by-one error in SSL_get_shared_ciphers (CR87335)
Vulnerability CVE-2007-5135, OpenSSL off-by-one error in SSL_get_shared_ciphers, has been fixed by an update to the OpenSSL and TurboSSL libraries. For more information about the vulnerability, see CVE-2007-2926.

Partition layout (CR87387)
In previous versions of the BIG-IP Local Traffic Management system, only one partition scheme was available. Beginning with BIG-IP versions 9.3.1 and later for the 9.3 software branch, and BIG-IP versions 9.4.2 and later for the 9.4 software branch, when you upgrade a system you have the option to choose to install the upgrade using either the legacy partition scheme or the new standard partition scheme. For more information, see SOL7608: Change in Behavior: Choosing a partition scheme while upgrading.

[ Top ]

New in version 9.3

  • Hotfix uninstall and versioning
    Beginning with this release, you can uninstall hotfixes that are applied to this version of the software. Each new hotfix release has a corresponding hotfix uninstall release. Also in this release, if the version contains a hotfix number, the SNMP query reports it in the version reply. The uninstall operation has the following characteristics:
    • Specific to one release.
    • Intended to return a system to its original release level.
    • Can be applied only to the specified hotfix revision, or any preceding hotfix release.
  • New profiles for optimization
    This release contains new system profiles in the profile_base.conf file. The tcp-lan-optimized and tcp-wan-optimized profiles are TCP-type profiles. These profiles are effectively custom TCP profiles that the BIG-IP system has already created for you, derived from the default tcp profile. By implementing the tcp-lan-optimized and tcp-wan-optimized profiles, you can optimize the performance of your local-area or wide-area TCP traffic in certain ways, without having to create custom profiles to do so. You can use these new profiles as a base to create your own customized profiles. You can have other profiles inherit from those customized profiles, as well. In addition, these profiles are protected from edit, so you cannot inadvertently modify the profile from the settings provided in this release.
  • Timestamps in the command line interface history file
    In this release, the system adds a timestamp to the history file created for the command line interface. Now, each action in the command line history file contains an associated timestamp that indicates when the operation occurred.
  • OSPF support on redundant systems
    The BIG-IP system now supports Open Shortest Path First (OSPF) protocol in an active/standby redundant pair configuration. Previous 9.x releases supported OSPF in a stand-alone configuration only. With this version, when BIG-IP fails over from active to standby, the system sends out the proper link-state advertisements (LSAs), causing OSPF peers to always point to the active box as the next hop gateway. It is recommended practice to configure OSPF priority on a redundant pair to 0, for this feature to work properly.
  • System reset to factory defaults
    For systems with multiple hotfixes installed, returning the system to factory-default settings can be easier than reinstalling the software or uninstalling multiple hotfix releases. This release provides support for removing all hotfix installations in a single operation. Note should backup their files before using this command as all the non system files will be wiped out. Customer needs to be in single user mode in order for this to work.
[ Top ]

Fixed in version 9.3

Newly added certificate and restart requirement (CR40677, CR65392)
In prior releases, certificates added to an already-existing Certificate Authority (CA) file were not picked up by subsequent load operations without restarting the system. In this release, bigpipe always updates SSL certificates and key files.

FTP data channel with Layer 7 FTP connections and non-equal MTUs (CR44165)
Non-equal maximum transmission units (MTUs) no longer cause Layer 7 FTP connections to stall. Now, connections remain correctly established.

Long VLAN name conversion for tcpdump utility (CR48680)
Although you can list long VLAN names on the tcpdump screen of the Configuration utility, the actual tcpdump utility does not support VLAN names longer than fifteen characters. In previous releases, there was no resolution for this problem. In this release, the system internally converts long VLAN names to the format vlan<tag>, where tag is the tag of the VLAN. For example, when you use the tcpdump screen in the Configuration utility and it shows the VLAN name my_external_vlan, and the VLAN's tag number is 4094, the system converts the name to vlan4094.

RADIUS log on without password, then with password (CR52340, CR71293)
Previously, using RADIUS authentication to validate a logging-on user who first did not specify a password, then did, resulted in multiple logon attempts and slow system response. Now, the system correctly handles logon attempts.

Self-signed certificates and the NULL parameter in signature data (CR52590, CR70072, CR70074)
In this release, the self-signed certificates generated on the system are encoded with an RFC-specified NULL parameter value.

Status of fiber interfaces (CR53045, CR68133)
In this release, the Configuration utility reports the correct status for fiber interfaces. In previous releases, the Configuration utility did not report status correctly.

Timeout values for SNAT pool members (CR53064)
When adding a member to a SNAT pool, the system no longer removes the timeout values that are currently set for the other members of the SNAT pool. Now, the system leaves the timeout values as you set them for the pool members.

LACP diagnostics in TMM statistics (CR53755)
Traffic Management Microkernel (TMM) statistics now include diagnostic information for Link Aggregation Control Protocol (LACP).

LACP diagnostics in BCM56XXD statistics (CR53756)
Statistics for the switch hardware driver BCM56XXD, available in the browser-based Configuration utility on the System Fail-safe screen, now include diagnostic information for Link Aggregation Control Protocol (LACP). The bcm56xxd daemon is one of several daemons that supply a heartbeat that enables high availability.

RTSP support (CR53957)
This release provides collect and release iRule commands, such as RTSP::release, for Real Time Streaming Protocol (RTSP) filters. For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site. For information on standard Tcl syntax, see the Tcl Reference Manual.

Connection limit for priority activation groups (CR54291)
When a priority group within a pool reaches its connection limit, the next connection now moves to the next-highest priority activation group. This ensures continuity of connections.

Partial match size limit enforcement (CR55382, CR70146)
In previous releases, certain matches caused the stream filter to accumulate too much data, resulting in a system halt. In this release, the stream filter correctly halts connections that accumulate too much data.

Manual restart of dynamic routing protocols (CR55546)
The gateway address of the most recently entered nondefault management route is no longer erroneously entered as GATEWAY into the /etc/sysconfig/network file. This prevents interference between management nondefault routes and default routes learned though dynamic routing protocols. Note that the default management route still prevents dynamic protocols from learning any default routes. This is associated with the ZebOS® dynamic routing capability.

Large class redefinition and the extremedb process (CR56743)
In this version, if you create a data group with many members, and then later redefine the contents of the data group, you no longer receive an invalid cursor error. Instead, the redefinition process completes successfully.

Link transmission status for media types (CR57564, CR70960, CR70963)
A disabled 10 Gigabit Ethernet interface on the 8400 platform now correctly indicates link up to its partner switch, which results in the link down on failover feature now working properly.

Hotfix installation messages (CR57633)
When you install a hotfix release, the system no longer erroneously displays Failed dependencies error messages.

Multiple VLANs with the same interface assignment (CR57705)
When an interface is assigned to multiple VLANs, and you then delete all but one of the VLANs, the remaining VLAN now passes traffic successfully.

Special character use in the browser-based Configuration utility (CR58177)
The system now accepts special characters prepended with a backslash in X509 input fields such as Bind DN.

FIPS driver initialization (CR58421)
The performance of Federal Information Processing Standard (FIPS) card driver initialization has been improved.

Padded cookie rewrite (CR58565)
The system now correctly always rewrites the server's padded cookies when the system is in rewrite mode.

IP multicast packets and VLAN groups (CR58571)
When IP multicast packets are received on a VLAN that is a member of a VLAN group, local processes relying on protocols that use IP multicast packets can now communicate successfully.

Assisted pvad mode and client-side throughput statistics (CR58721)
On a system where the Packet Velocity® ASIC (PVA) mode in a Fast L4 profile is set to Assisted, the system now reports correct statistics for client-side throughput.

Propagation of dynamic routes to routing tables (CR58743)
The system has increased reliability when propagating learned, dynamic routes from ZebOS® to the Linux and TMM routing tables.

Forwarding virtual servers and SNATs (CR58850)
When the Protocol setting of a Forwarding (Layer 2) or Forwarding (IP) type of virtual server is set to * All Protocols, and the VLAN of the forwarding virtual server is a member of a VLAN group, the system can now successfully perform SNAT translation on User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP) traffic.

BSAFE SSL-C and large POST payloads (CR58885)
SSL clients using the BSAFE® SSL-C implementation no longer stall on large POST operations. Large POST operations complete successfully.

OpenSSL and trailing client-side packets (CR58941)
For client-side SSL traffic, if the trailing packet in a multi-packet record contains less than five bytes of data, the system still processes traffic successfully.

User names and remote LDAP server authentication (CR58973)
When prompted by a browser to type a user name during Lightweight Directory Access Protocol (LDAP) authentication, if users mistype their user names on the first authentication attempt, they can now be authenticated successfully by typing the correct user name on the second or third attempt.

SNAT error message logged to console (CR58983)
If you create a Secure Network Address Translation (SNAT) that uses the same address as a pool member, the system generates an error message. The system now logs this error message not only to the /var/log/ltm file but also to the console.

HTTPS monitor path specification for SSL certificates (CR59090)
You can now specify an absolute path for client certificates used by HTTPS monitors. Previously, you could not.

tmrouted memory (CR59136)
The TMM routing daemon tmrouted process that watches for dynamic routes no longer leaks messages read from the Master Control Program daemon (mcpd) process.

cssd memory (CR59137)
The configsync state daemon (cssd) process no longer leaks messages read from the mcpd process.

ARP table after timeout (CR59157)
The Address Resolution Protocol (ARP) timer no longer times out when the expiration is set to a value larger than the default Arp.Timeout of 300 seconds. Because the timeout no longer occurs, the incomplete ARP table no longer results, so no erroneous ARP entries exist.

TMM control of path MTU enforcement (CR59206, CR62044)
You can now disable the use of route metrics maximum transmission units (MTUs) by configuring the Route.Metrics.Mtu bigdb configuration key. Using this key, you can cause the system to ignore the MTU value in route metrics, thus preventing unnecessary Fragmentation Needed messages. This is useful for sites with routers that implement SNATs and have routes with various MTU sizes. The key is enabled by default. To set the key, use the following command:
b db Route.Metrics.Mtu enable | disable

HTTP Class matching in iRules (CR59261, CR71824)
This release disables HTTP Class matching for the current request, if you configure iRules to redirect or respond to the request. This allows HTTP Classes and Application Security Module more straightforward use of HTTP::redirect and HTTP::respond commands.

snmp_dca_base monitor setting of node weight to 100 (CR59288)
This release fixes a condition in which the dynamic ratio calculation was incorrectly calculated when the snmp_dca_base monitor returns a 0 for CPU usage.

hotfix-provided changes to profile_base.conf not applied (CR59389)
When you apply a hotfix, /usr/share/defaults/profile_base.conf is now updated.

Traffic handling between VLAN group members (CR59488)
The SNAT feature now works correctly for traffic traveling between two VLAN group members.

Certificate serial numbers called from an iRule (CR59505)
You can now use the X509::serial_number call from an iRule.

Empty application data record processing (CR59630)
Empty SSL application data records no longer stall connections, so connections continue appropriately.

SSL acceleration (CR59805)
Where appropriate, the system resolves errors from the SSL offload card with a soft reset instead of a TMM panic.

Hotfix installation from CompactFlash media (CR59856)
You can now use a CompactFlash® media drive to install a hotfix.

Platform ID determination (CR59891)
When using SNMP to manage the system, you can now use OID <> to obtain the platform ID.

HTTP header processing of multiple return characters (CR59893)
The system now correctly processes multiple \r return characters in an HTTP header. Previously, when the system encountered one or more extra \r, characters either in the middle of a block or before the terminating \r\n, the system sent through truncated header blocks, which could effectively halt the connection until idle timeout occurred.

Accumulate command in iRules (CR59977)
In this release, you cannot use the accumulate function in iRules. It is not a valid iRule function. For information about the known issue, see Accumulate command in an iRule.

SSL certificate monitoring (CR60046)
You can now configure the system to monitor SSL certificates and warn you when a certificate is about to expire. This warning gives you time to update the certificate, thus preventing a load failure due to an expired certificate.

Virtual server response (CR60136)
Standby systems running BIG-IP version 4.x no longer respond to iQuery requests for virtual servers owned by the active box. When a version 9.x Global Traffic Manager monitors a version 4.x system, the big3d process returns a virtual IP address that is not owned by the unit (that is, one that is owned by standby system, or by a redundant system configured as active-active that does not own the virtual IP address). This causes the system to mark the virtual IP address down every time the standby unit returns a response, and then mark the virtual IP address up each time the active unit returns a response. In this release, if the virtual IP address is on a standby unit, or if the system does not own the virtual IP address, the big3d process drops the response, which is correct behavior.

Imported SSL certificates containing special characters (CR60152, CR60884)
In previous releases, when importing an SSL Certificate containing special characters, such as the accented e or the apostrophe character, the system presented the following error: ! General database error retrieving information in webui.log Now, the system correctly imports certificates containing special characters, and displays the name properly.

Dump command results with expiration time of 0 (CR60325)
This release addresses the issue of having the results of running the b profile http myhttp ramcache dump command always show an expiration time of 0. Now, running the command returns the expiration time you set.

Requests on a persistent connection (CR60424)
The system now correctly processes additional requests on a persistent connection, even on a slow or lossy network.

VLAN group properties from Self IP screen (CR60593)
On the Self IP screen, when you click a VLAN group link in the VLAN column, the system now correctly presents the properties of a VLAN group.

Alert system use (CR60829)
The alert system that controls the Alarm LED and triggers SNMP traps is supported in this release,

VLAN fail-safe feature and ARP for non-local nodes (CR60924)
The VLAN fail-safe operation now correctly performs an ARP only for local nodes, and no longer performs an ARP for non-local.

SSL monitor connection shutdown (CR61056)
HTTPS monitors now attempt to do a clean shutdown of the SSL connection instead of an immediate close. This corrects the condition of SSL monitors sending inappropriate resets.

Hardware build determination (CR61087)
You can now obtain the hardware build number using the bigpipe platform command.

System halt with load-balancing database-busy messages (CR61244)
In previous releases, the system halted, posting messages to the /var/log/ltm logs: Pva2AsicFactory.cpp:726 - Dropping stat msg. LDBD was busy. This is a message from the Packet Velocity application-specific integrated circuit (ASIC) daemon, that indicates a busy status for the load-balancing database. The resulting dropped packets caused a switchboard failure condition. In this release, the system detects the condition, and resets the system after receiving more than five contiguous messages of this type.

3400 platform halt after power loss when using LCD to boot up (CR61356)
If you power-up the BIG-IP 3400 using the LCD, and then experience a loss of power, the system no longer halts at the LCD, waiting for user interaction. Now, the power-up process completes as expected, even after a loss of power.

HTTP-based authentication connection timeout (CR61385)
When using HTTP-based authentication with a remote authentication server, an HTTP connection times out after 300 seconds (the default authentication session timeout value) only in the case where the system is awaiting an authentication response. Therefore, if the system is not awaiting an authentication response, an expired timeout value does not cause a connection to end.

Deprecated interface media none handling (CR61454)
When you upgrade a system that contains an interface that is set to media none, the upgrade program now correctly replaces the parameter media none with disabled.

TMM halt in certain edge conditions with corrupt SACK options (CR61680)
This release addresses the issue of a ConfigSync operation that could occasionally result in a system halt due to TCP retransmission of segments outside the send queue and a corrupt SACK scoreboard. Now, the system performs additional checks and prevents corrupt SACK blocks from entering the scoreboard.

Virtual servers and database memory (CR61689)
With large configurations, such as configurations with many virtual servers and pool members, querying a virtual server through the Configuration utility no longer fails due to a lack of memory.

User configuration of idle timeout value (CR61703)
You can now apply a user-configurable idle timeout value to the data channel. In prior releases, this timeout value was not configurable, and the system always used the default timeout value for the control channel, 300 seconds.

RADIUS monitor and user passwords longer than 20 characters (CR61765)
When configuring a RADIUS monitor, you can now specify a password of up to 128 characters in length.

Virtual address and ARP disable-enable (CR61790)
When you enable ARP on a virtual address and then synchronize the configuration to the peer unit, the ARP setting is now enabled properly in the running configuration on the peer unit. This, in turn, keeps the peer unit from sending erroneous service unavailable messages.

Base configuration loading when management interface status is DOWN (CR61825)
When the management interface status changes from UP to DOWN, the system can now load the running base configuration successfully. In previous releases, changing the status resulted in an entry in the running base configuration that could not be loaded.
   interface mgmt {
      media none

System deletion of DNS server variables (CR61834)
This release corrects the prior condition in which, if you used the browser-based Configuration utility to remove all domain name system (DNS) name servers, you could not add them from the command line. Now you can.

Traffic on transparent ICMP monitors and virtual servers whose destination addresses match (CR61838)
In previous releases, an ICMP monitor configured as transparent does not send monitor traffic if the virtual server's destination address matches the destination of the transparent monitor. Now it does.

Source address for packets passed between VLAN groups (CR61899)
When packets come into one VLAN group and exit through another VLAN group, the packets exiting the second VLAN group now show the correct source address in its packets. The correct source address shown is the MAC address of the self IP address of the first VLAN group, that is, the VLAN group that initially received the packets.

TCP and UDP port iRule commands on Performance (Layer 4) virtual servers (CR61947)
On virtual servers configured with as Performance (Layer 4) types, running the TCP::local_port command on the client side now correctly gives you the destination port of the inbound packet, and on the server side, running the same command gives you the source port of the outbound packet. TCP::local_port is no longer constrained to virtual servers configured as Performance (HTTP) and Standard type.

ICMP monitor use of ICMP IDs for multiple requests (CR61990)
When associated with a node address, the Internet Control Message Protocol (ICMP) health monitor now uses a unique ID for each echo request. This ensures that ICMP monitor requests succeed in the event that a next-hop router is unavailable.

ZebOS.conf inclusion in ConfigSync operations (CR62069)
With respect to redundant systems that include the advanced routing modules, by default the system no longer includes the ZebOS.conf file in configuration synchronization, to preserve unique dynamic routing information such as router IDs. Note that a .ucs file that has been rolled forward, correctly includes the ZebOS.conf file. Because the ZebOS.conf file often contains unit-specific information, such as host name and router IDs, you might prefer not to synchronize the information from this file. You can exclude this file from the .ucs archive, which prevents the file from being included in a ConfigSync operation. For more information, see SOL4422: Viewing and modifying the files that are configured for inclusion in a UCS archive.

VLAN group and traffic forwarding (CR62075)
The system is now VLAN-aware when detecting a port collision. Previously, lack of VLAN awareness led to false positives on flow collisions, resulting in connections being refused. This has been corrected.

Listener table synchronization for network virtual servers (CR62141)
A system running PVA now remains available when synchronizing the listener table for a network virtual server.

Server-side SSL and 2048-bit RSA keys (CR62376)
Virtual servers configured for server-side SSL using 2048-bit RSA keys now successfully complete the SSL handshake.

Status codes for the HTTP::respond iRule command (CR62432)
Responses from the iRule command HTTP::respond are no longer limited to status codes 500 and 501. For example, the following iRule returns status code 404:
      if { [HTTP::status] contains "404" } {
         HTTP::respond 200 content [lindex $::string_http_class 0]

TMM start time with network failover (CR62536)
For redundant systems that use network failover, you can now configure the bigdb configuration key Failover.TmmStartDelay. You can use this key to adjust the time that the switch-over daemon (sod) waits after the Traffic Management Microkernel (TMM) has started, before determining whether to initiate failover. The default value of the Failover.TmmStartDelay key is 30 seconds. To set the key, type the following command: b db TmmStartDelay 30

User-configurable active and standby scripts (CR62547)
The system now includes two user-modifiable scripts, /config/failover/active and /config/failover/standby that are called just before the unit becomes active or standby. For example, you can edit the active script to read the ARP table on the newly-active unit and remove an erroneous entry that might appear as a result of failover.

Streaming HTTP data and compression (CR62558)
The system now includes a new iRule command COMPRESS::nodelay, which causes the system to flush data immediately from the compression device. This is used only for hardware-based compression. When in this mode, the system also sends data to the compression device immediately upon receipt, without buffering the data. This prevents the HTTP data from getting stuck in the precompression buffer without being dispatched to the compression device.

Alert message for expired SSL certificates (CR62650)
When an SSL certificate is required, the Unclean Shutdown feature is disabled, and the SSL certificate being presented is expired, the system now generates the correct type of alert message. The message specifically indicates that the certificate has expired. In previous releases, the alert message did not specifically indicate the problem.

Alert message for revoked SSL certificates (CR62651)
The system now generates an alert message that specifically indicates that a certificate has been revoked, when an SSL certificate is required, the Unclean Shutdown feature is disabled, and the SSL certificate being presented has been revoked. In previous releases, the alert message did not specifically indicate the problem.

mcpd stability when querying HTTP statistics (CR62704)
The system no longer experiences instability or failover events when querying HTTP statistics over an extended period of time. Now, the system handles the condition of querying HTTP statistics over an extended period of time without error.

Message during system upgrade (CR62726)
In this version, when you update the system you no longer receive the error message, socket error reading from the LCD = 104 when restoring a UCS file from version 9.2. Now, the process completes successfully.

Hotfix installation on CompactFlash media drive partition (CR62727)
In this release, the system verifies that there is reasonably adequate working space in the CompactFlash® drive root partition before installing, so installation can complete successfully.

HTTP redirect_rewrite and long destination addresses (CR62828)
Now, when the system is configured to redirect HTTPS connections, and a server sends a long destination URI (a URI approaching 1500 bytes), the system successfully redirects the connection.

PVA2 system traffic (CR62889)
On a Packet Velocity ASIC 2 (PVA2) system, traffic now flows well and the pvad process no longer restarts repeatedly. Previously, the flow-control mechanism designed to alleviate back pressure in the PVA2 under load could cause a PVA2 lockup condition under certain circumstances.

Configuration file import (CR62934)
You can now quickly import a configuration file (*.ucs) that contains a small number of log entries.

Chassis fan status (CR63196)
In previous releases, the BIG-IP system sometimes incorrectly reported that the chassis fan had failed, and logged an error message similar to the following example in the /var/log/ltm log file: system_check: 010d0005:3: Chassis fan 10x: status (0) is bad. This behavior was due to a system's management bus (SMBus) timing issue, in which the system_check script communicated with various monitored hardware components in order to obtain information. This release corrects the timing issue. In addition, there is now an informational-type log message for limited Inter-Integrated Circuit (I2C) bus read/write retries.

Pool member state display in Configuration utility (CR63353)
After you disable pool member using the command line utility, the system reflects that state in the Configuration utility, reporting that the pool member state is set to Disabled (Only persistent or active connections allowed). Previously, you had to restart the system for the Configuration utility to update the status of a pool member that was changed using the command line.

HTTP requests with large SSL application data records (CR63473)
Large HTTP requests resulting in an SSL application data record size of 16400 bytes now process successfully.

PVA system configuration (CR63576)
In previous releases, configuring more than 16 VLANs or more than 32 virtual servers caused PVA to no longer perform full acceleration, and report the messages Constraining entire tree/Done constraining entire tree. These messages now occur only at startup, which is permissible behavior.

SSL traffic processing (CR63673)
When you configure a virtual server with a ClientSSL profile, now, the system processes SSL application traffic even when the first complete application data record arrives in the same packet as the Finished record on a resumed block-cipher SSL3 session.

Removal of IPv6 routes to directly connected networks (CR63681)
Now, the system correctly removes routes to directly connected IPv6 networks after the last self-IP in that network is removed.

Traffic on a Fast HTTP virtual server with unavailable pool members (CR63715)
When you configure a Fast HTTP virtual server, the system processes the traffic correctly even when a pool contains servers that are down or the pool does not have a monitor.

Support for Cache-Control: no-cache (CR63732)
The system now supports the Cache-Control: no-cache as well as the Pragma: no-cache client header command.

LACP-enabled trunk on the 2.x links on BIG-IP 5100, 2400, and 1000 and aggregation (CR63734)
In version 9.2.2, LACP-enabled trunks on the 2.x links on BIG-IP 5100, 2400, and 1000 failed to aggregate. Now they aggregate. This is applicable only to 2.x interfaces, which are fiber ports.

Stale SSL handle in SSL monitor (CR63815)
In previous releases, when the bigd process ran out of memory, an SSL monitor's SSL* structure could become stale or corrupt, and the system could no longer perform SSL-based health monitoring. Now, the system recovers from this condition, and the system can successfully perform SSL-based health monitoring.

recvdrain option description for monitors (CR63889)
The recvdrain option is not a valid parameter for the bigpipe monitor command; therefore, mention of this parameter has been removed.

SSL session ID of all zeros (CR63909)
In previous releases, when the system received a version SSLv2 Client Hello message, the system did not store the initial SSL session ID. Running SSL::modssl_sessionid_headers initial on such a connection returned an SSL session ID of all zeros. In this release, the system stores the initial SSL session ID when a v2 Client Hello is received, and sets the SSL session ID appropriately.

Use of iRule command SSL::modssl_sessionid_headers (CR63910)
When used to process HTTP requests, an iRule that contains the command SSL::modssl_sessionid_headers no longer causes performance degradation.

Packet loss decreased on PVA systems (CR64014)
On a Packet Velocity ASIC (PVA) system in previous releases, the system had a high percentage (5%) of packet loss on internal links. In this release, that has been corrected.

BIG-IP 8400 platform system upgrades and SCCP firmware (CR64063)
When you upgrade a BIG-IP 8400 system, the SCCP firmware version is now included and recognized by the system.

RTSP client requests to UDP ports in use by another session (CR64140)
The system now correctly processes RTSP client requests an in-use UDP ports. In previous releases, SNAT problems occurred with such requests.

Pool member iRule command with member down (CR64173)
If a monitor has marked a specific pool member down, and that member is specified with a port number in a pool member iRule command, then the connection is directed to another node. If no port number is specified, then the connection is not directed to that node, and the system reports an LB_FAILED event. Therefore, when you use a pool member iRule command, you must include a port number; otherwise, when a monitor marks the pool member down, load balancing may fail.

RAM cache processing on congested client connection (CR64253)
When the system caches a response, even if the client connection is congested, the system now processes the traffic successfully.

Mirroring undetected and unhandled virtual servers and TMM restart (CR64295)
In previous releases, Traffic Management Microkernel (TMM) restarted when mirroring Layer 4 and Layer 7 connections that were not detected or handled by the UDP-based virtual server. In this release, the system prevents Layer 4 mirroring to Layer 7 connections on the standby system from Layer 4 connections on the active system, so TMM no longer restarts.

Mirrored Layer 4 connection expiration (CR64672)
This release corrects a problem with mirrored Layer 4 connections, which previously expired on the standby system if you set the service-down action to reject. In this release, connections are mirrored correctly.

SSL records of exactly 33 fragments (CR64844)
When you configure a system where an SSL record is received by the SSL filter in exactly 33 fragments, even though it exceeds the 32 buffer limit, the request succeeds and the connection remains open.

HTTP::retry command in iRules (CR64920)
You can now use the HTTP::retry iRule command. This iRule does not cache responses, so the ramcache process does not halt unexpectedly.

IPv6 nodes behind gateway command routing (CR64976)
The Traffic Management Microkernel (TMM) now correctly routes commands for IPv6 nodes behind gateways, so that communication is maintained.

User accounts added on command line and modified in browser (CR65041)
You can now use the browser-based Configuration utility to modify user accounts added using the adduser command (or equivalent) in the command line utility.

System response to ICMP echo requests after 20 days (CR65177)
Previously, the system occasionally did not respond to ICMP echo requests when more than 20 days had passed between ping operations to the system's self IP addresses. The system now responds correctly, even when more than 20 days passes between ping operations.

TMM back end and server connection halt (CR65229)
In this release, all chunked requests and responses have an HTTP body, regardless of the document size, so that the TMM back end does not halt the connection with the server when the system has not received all data. In previous releases, if the system had not received all data, the TMM back end terminated the connection with the server.

Memory partitioning with license-type change (CR65334)
In this release, the system correctly partitions memory for each license type. Previously, the system could run out of memory when Local Traffic Manager was not licensed.

Timer increase change (CR65362)
In this releases, there is a change to the timer increase method, so the event library is immune from Network Time Protocol (NTP) changes.

Profile count limitation (CR65462, CR68188)
In previous releases, the system was limited to a profile count of 16. In this release, a virtual server can have any number of profiles.

Virtual server IP address combinations and pvad (CR65528, CR68191)
In previous releases, certain sets of network virtual server IP address combinations could cause the Packet Velocity® ASIC daemon (pvad) to crash. In this release, the system correctly processes and sorts sets of network virtual server IP address combinations.

Chinese language support in iRules (CR65543)
In this release, iRules support Chinese characters.

MCP validation error for pools (CR65648)
When you add a member to a pool that is referenced by a network virtual server, the system no longer displays an error message stating that the pool is not directly connected.

PVA acceleration of UDP traffic (CR65659)
For PVA10 systems, the system can now accelerate UDP traffic when the Fast L4 PVA Acceleration setting is set to Full and the number of concurrent connections exceeds approximately 120K.

NAS-IP-Addr attribute for RADIUS health monitor (CR65703)
The RADIUS health monitor now contains a new attribute for the RFC-compliant NAS-IP address. In previous releases, there was no support for this attribute. Now, both the RADIUS and RADIUSACCT monitors send the NAS-ID if they can obtain the host name. The monitors also send the NAS-IP address if they can obtain an IP address for the host name.

Unexpected system reboot and uninitialized connections (CR65810)
In previous releases, unexpected system reboots occurred when the proxy received packets for a connection that was not initialized. Now, the system continues to function correctly and does not reboot.

Cipher lists in SSL cipher string (CR65841)
In this release, the system no longer moves to the end of the list existing ciphers matching unadorned cipher lists in an SSL cipher string. SSL now enables and moves only disabled suites when performing the cipher suite add operation. The operation does not move cipher suites that were previously enabled.

Hotfix upgrades onto systems with older installations (CR65844)
When applying hotfixes, the process now accommodates systems with packages that are newer than those in the hotfix. For all packages, the system always applies the highest revision level.

Load balancing to servers that are down and LBDB exception error (CR65861)
The system now includes a new bigdb configuration key to disable errors resulting from PVA sending traffic to unavailable pool members. The new bigdb key, Pva.Lbd.Errors, is set to Disable by default. This causes the system to log pool member status to the file var/log/ltm, instead of generating an exception error.

VLAN fail-safe timer key (CR66174)
The system now includes a new bigdb configuration key VlanFailsafe.ResetTimerOnAnyFrame. When enabled, this key resets the VLAN fail-safe timer on any frame that it receives. By default, this key is disabled. To enable or disable the key, type the following command:
b db VlanFailsafe.ResetTimerOnAnyFrame true | false

Fast HTTP profile and SYN packets with ECN and CWR TCP flags set (CR66194)
Connections filtered through a Fast HTTP profile no longer drop the synchronize (SYN) segments that have both the Explicit Congestion Notification-Echo (ECE) and Congestion Window Reduced (CWR) TCP flags set.

HTTP::redirect and HTTP::respond iRule commands (CR66199)
When you write an iRule and specify the LB_SELECTED event, the system prevents you from specifying the command HTTP::redirect or HTTP::respond in an iRule. Prior to this release, iRules containing this command caused the TMM system to become unavailable.

Packet corruption and BGE BCM5704 devices (CR66208)
Broadcom BCM5704 devices no longer cause the packet corruption described in Broadcom errata E12_5704CA2.

Active FTP data connections (CR66210)
When active FTP mode is used for data transfer and you have an FTP control client-side flow with a persistence record, the TMM now remains available.

OneConnect transformations and 4xx server responses (CR66220)
Previously, when the OneConnect Transformations setting was enabled in the HTTP profile and the server sent an HTTP 4xx response, the system did not transform the connection header in an HTTP request to a Keep-Alive header. Now the system does perform the transformation.

SNMP agent and application context query without name (CR66454)
SNMP now allows you to query for all application context statistics, and you are not required to specify a key for the query.

SNAT origin IP address modification (CR66573)
For an existing SNAT on which you have explicitly enabled one or more VLANs, you can now successfully modify the origin IP address.

Database monitor connection behavior (CR63645, CR66673, CR66675, CR66676, CR67517)
You can now select the connection behavior of a database monitor. Previously, you could not select the connection behavior for database monitors.

jar_cache files in /var directory (CR66759)
In this release, the system now correctly deletes the system-created jar_cache files that accumulate in the /var/cache/tomcat4/temp/ directory.

Active pool members count accuracy (CR66808)
The system now determines pool member status and count correctly when a pool member is added.

Timeout getting disk information (CR66856)
When the system uses a monitor to get disk information on a Windows® 2003 server, the system now returns disk information correctly, without timing out.

Active-active configuration and b config save (CR66857)
Previously, running a b config save command could cause an active-active failover configuration when the heartbeat traffic was lost in high CPU usage. Now, the system correctly processes the command even under high CPU usage conditions.

Management IP for ConfigSync and state-mirroring (CR67009)
You can now configure the primary failover address to use the same address as one on the management network. When you do so, the system generates the following message in /var/log/ltm:
WARNING: use of the management port for state mirroring may severely impact state-mirror functionality: statemirror.peeripaddr, should not be on same network as the management port.

Monitor changes after adding and deleting different types (CR67063)
The system now properly displays service member changes in cases where you specify one type of health monitor, delete it and assign another, receive an error message, and then restore the original type of health monitor. You can check for the correct type using the b list show command.

ARP on NAT enable after disable (CR67095)
A NAT that was successfully responding to an Address Resolution Protocol (ARP) request now successfully responds after you disable and then re-enable ARP settings. In previous releases, the NAT did not respond after you disabled and re-enabled the ARP settings.

Existing connection-pool flow and new client event masks (CR67171)
If the client-side iRule event handler disables the event handlers when the server-side connection pool selects the existing flow, the reused server-side flow now correctly inherits the client-side event mask.

tcp_half_open monitor messages (CR67309)
The tcp_half_open messages in log files no longer occur.

Autonegotiation on the management port (CR67331)
In this release, you can set the autonegotiation speed on the management port even if the port has already reached the same value.

SNAT timeout value reset (CR67575)
Previously, once you set the timeout value for a SNAT address, resetting the value to Indefinite or Immediate had no effect. Now, the system correctly responds to reset timeout values.

SSL shutdown deferrals and BIGD SIGABRT (CR67705)
In this release, when SSL shutdown fails, the system closes the connection immediately, and performs improved processing of deferred close operations, preventing the BIGD service SIGABRT condition.

Authentication module and LDAP referral (CR67721)
This version of the software does not result in system restart when a client authentication process encounters LDAP referral. Note that the BIG-IP LDAP client authentication module does not support LDAP servers that do not perform BIND referral when authenticating the referred account. Therefore, if you plan to use LDAP or Active Directory as your authentication source, and you want to use account referral, make sure your LDAP servers perform BIND referral.

TMM memory use determination (CR67850, CR69158)
In previous releases, Traffic Management Microkernel (TMM) could use the incorrect amount of memory. In this release, the TMM startup script correctly determines how much extra memory it needs, based on its licensing scheme.

MSS size of zero (CR67867, CR69126)
In previous releases, a specific combination of maximum segment size (MSS) and specific path maximum transmission unit (MTU) could result in a connection flow object with an MSS of zero. In this release, no combination results in an MSS of zero.

PVA10 initialize failure due to timeout values (CR67956)
Infrequently in previous releases, the Packet Velocity® ASIC (PVA) daemon could fail to initialize the PVA10 due to one timeout issues. Now, the PVA daemon reinitializes or resends frames as appropriate.

System propagation of enabled VLANs to deleted/recreated listeners (CR68132, CR70506)
In previous releases, if you added a SNAT with VLANs enabled, and then modified the origin address, the update did not propagate the enabled VLANs to the deleted/recreated listeners. In this release, the system propagates the enabled VLANs to the deleted/recreated listeners.

LDAP authentication configuration with empty search base DN (CR68180)
You can no longer complete an LDAP authentication configuration without specifying at least one server, preventing the empty-search-base-DN error.

HTTP 404 response and Content-Length requirement (CR68238)
The system now correctly passes a server's HTTP response to a HEAD request if the response is HTTP 404 and indicates no Content-Length. The system now correctly forwards the server response on to the client.

Host ARP for TMM-controlled IP and TMM halt (CR68243)
In earlier releases, when something on the host sent an ARP response to a TMM-controlled IP address while the virtual servers were in transition as part of failover, TMM could eventually halt. In this release, the system correctly waits for the failover transition to complete, so TMM does not halt.

SSL queue and limited record queue depth (CR68284)
In previous releases, a condition existed where POST operations through the SSL virtual server could fail. In this release, the SSL record queue depth is sufficient to handle the number of records, even when using very small record sizes.

Invalid key in iRule (CR68290, CR68291)
In previous releases, an invalid key in an iRule caused a system halt. In this release, the system presents an error message for an invalid key, and the system proceeds without a system halt.

Connection on redundant system requiring client certificate (CR68368, CR68371)
In previous releases, setting the Client Certificate setting to require on a redundant system could cause a system time out, resulting in connection failure. In this release, the SSL processing queue is large enough to handle the condition of establishing a connection when client certificates are required.

Pool use with load balancing criteria change (CR68374)
In this release, the load balancing mechanism does not limit operations to only one pool when load balancing criteria change. The system now performs load balancing to all appropriate pools.

Malformed TCP stream and data delivery after shutdown (CR68402)
This release corrects the condition in which a malformed TCP stream could cause the system to deliver data after shutdown.

LACP warning when timeouts are short (CR68424)
In Link Aggregation Control Protocol (LACP) short mode on external trunks, warning messages correctly appear only after the expected timeout period. In previous releases, the warning messages incorrectly appeared at half the timeout interval.

New cookie after receiving malformed cookie (CR68429)
The system now can locate a cookie regardless of whether a different, malformed cookie has been received, so the system correctly locates the server that is handling the client request.

HTTP connection stall when request/response headers smaller than 16K (CR68528)
In previous releases, there was a switchboard failure and the system failed over during load test when request and response headers were smaller than 16K. In this release, the system detects the condition, and resets the system correctly.

LB_FAILED event when using Fast L4 profiles (CR68583)
In previous releases, during the LB_FAILED event, the system did not return any information from the LB::server call when using Fast L4 profiles. Now it does.

US and Canada Daylight Saving Time changes (CR68781, CR69807)
The Energy Policy Act of 2005, which was passed by the US Congress in August 2005, changed both the start and end dates for Daylight Saving Time in the United States, effective March 2007. Canada is also adopting this change. The resulting changes have been addressed in this version of the product software. To find out more about this issue, refer to SOL6551: F5 Networks software compliance with the Energy Policy Act of 2005.

STP in pass-through mode on BIG-IP models 1000, 2400, and 5100 (CR68803)
In previous releases, using spanning tree protocol (STP) in pass-through mode on a BIG-IP model 1000, 2400, or 5100 could cause a bridging loop. This no longer occurs.

HTTP requests with leading return or line-feed characters (CR68832, CR69642)
In this release, the HTTP filter correctly ignores return or line-feed characters preceding a new request, as specified in the HTTP RFC.

TCP proxy and HTTP class pool select (CR68835)
In this release, the system detaches the server-side before forwarding the response to prevent loss of the HTTP-class-selected pool due to reentrancy.

Support for all license keys (CR68837)
You can now see all the license keys currently on the machine by running the /usr/bin/find_keys command. You can add the -h option to display help for the command. In the simplest case, you can run find_keys without any arguments.

Application Security Module and Local Traffic Manager multiple pool member license conflict (CR68910)
In this release, when licensing both the Application Security Module and the Local Traffic Manger, when there are conflicting integral values for allowing multiple pool members, the system uses the higher number.

Floating point support in iRules (CR68915, CR69858)
Use of floating point equations in iRules in previous releases did not return expected results. This release supports floating point operations in iRules.

Overnight upgrade failures (CR68918)
This release corrects the condition of an upgrade operation failing at 98% complete, so that the upgrade operation completes successfully.

Fast HTTP profile and packet sequence numbers (CR68969)
In this release, when the client issues an acknowledgement (ACK) for a packet sequence number that is greater than the sequence number of the finished and acknowledgment (FIN-ACK) packet, the system resets the connection as expected.

Virtual server statistics after adding HTTP class profiles (CR69041)
In earlier releases, the system stopped tracking virtual server statistics if an HTTP class profile was added and then deleted. Now, the system correctly continues tracking virtual server statistics.

Hotfix release number in returned SNMP version query (CR69068)
In this release, if the version contains a hotfix number, the SNMP query reports it in the version reply. In previous releases, there was no query that reported the hotfix version.

System restart and fpdd restart (CR69173)
Previously, when the system restarted, the front panel display daemon (fpdd) process failed. When the process lost connection with the switch card control processor (SCCP), the system restarted. This no longer occurs, and startup completes successfully.

Responses with loss of former client's request and acknowledgement (CR69272, CR69459)
In previous releases, lost packets from client requests directed to a virtual server configured with a Fast HTTP profile resulted in responses being passed to the incorrect client. In this release, responses go to the correct client, regardless of packet loss.

snmpd process and stop and restart of subagents (CR69298)
Previously, when you ran a bigstart start snmpd or bigstart stop snmpd command, the system did not start of stop the associated subagents. Now, it does.

ConfigSync status on out of sync pair (CR69389)
In previous versions, the two units in a redundant system could get out of sync due to a timing issue, which affected the status of ConfigSync. Now, the failover process correctly handles configuration synchronization between systems.

Client certificate signature issue (CR69440)
A client certificate signature issue in OpenSSL has been fixed in this release.

Additional audit event (CR69479)
Auditing now logs auditing-disabled events as well as auditing-enabled events.

Pipelined HTTP request with congested client and shut-down server (CR69568, CR69723)
Previously, the system sent a request after the client shut down, resulting in a system halt. Now, the system transitions from the shut-down state, so that after sending all packets from the client, the system sends a delayed shut-down request, and the connection halts correctly.

Chassis power supply message (CR69611)
In this release, on systems with dual power supplies that are not turned on or plugged in, the system reports a descriptive and accurate message Chassis power supply %d: status %d - (Chassis power supply is not supplying power: make sure it is plugged in.). In previous releases, the message the system presented was Chassis power supply %d: status (%d) is bad.

Configuration load when configuration contains VLAN named failover (CR69663)
You can no longer create a VLAN named failover, so there is no longer an associated load-configuration error. The system now treats the name failover as a reserved word for a VLAN.

Note: You can find more information about reserved words in SOL3653: Reserved words that should not be used in BIG-IP system configurations.

Mirrored passive FTP connections (CR69705, CR69738)
In previous releases, the system failed to mirror PASV (passive) and EPSV (extended passive) FTP (File Transfer Protocol) connections. Now, the system correctly mirrors these to the standby unit.

VLAN removed from STP instance zero (CR69726)
When you set up Multiple Spanning Tree protocol (MSTP), by default all VLANs exist in instance 0. If you remove a VLAN from the instance and then issue a b base load command, the removed VLAN returns. This is by design, so that users do not have to explicitly add all their VLANs and interfaces when they turn on STP. In this release, there is a new database variable that you can use to remove the VLAN from an STP instance. Now, you want to delete a VLAN from an STP instance, you can set the Vlan.StpAssignment=user. When you set this variable, the next load operation does not add back the previously deleted VLAN to the STP instance 0.

HTTP filter and headers containing leading tabs (CR69767, CR69924)
Now, the system correctly handles a tab character following the colon that separates the header name and value, per RFC 2616. In addition, the system correctly trims the trailing whitespace in header names. In a prior release, the system did not forward the POST body in POST communications whose Content-Length header value was preceded by the Tab character, nor did the system correctly trim the trailing white space of header names.

PVA and timeout values (CR69775, CR70547)
In previous releases, the FastL4 profile did not restrict a maximum timeout value; however, the Packet Velocity® ASIC (PVA) daemon could not handle timeout values over certain amounts. (The exact timeout value depends on the PVA version.) When the PVA timeout value was exceeded, idle connections could close prematurely. With this release, if the maximum timeout is exceeded, the system demotes the PVA to Assisted mode, which allows the system to control the timeout value.

Edmonton and Vancouver, Canada time zone changes for 2007 (CR69967)
Starting in 2007, Daylight Saving Time in North America starts three weeks earlier and ends one week later than it did in 2006. Although this version of the software supports the change in the Toronto and Montreal time zones, it has not been updated to support the change in the Edmonton and Vancouver time zones.

Persist information and Tcl string object leak (CR70058, CR70119)
This release corrects a Tcl string object leak condition when persistence is specified in an iRule (UIE persistence, for instance), so that the leak no longer occurs.

ICMP unreachable not matching existing flow (CR70084)
This release corrects a condition where the ICMP was unreachable. Now, if a forwarding virtual server exists, the system correctly forwards ICMP error packets not matching an existing flow.

iRule returning partial hash values (CR70114)
In previous releases, certain types of data cause the iRule sha1 command to return only 18 or 19 bytes of the correct 20-byte value. In this release, the command returns the correct 20-byte value.

9.1.x hotfixes and 9.2.x hotfixes that Global Traffic Manager installed (CR70143)
In previous releases, a hotfix installed on a 9.1.x Local Traffic Manager-licensed BIG-IP system could overwrite a 9.2.x hotfix that was installed by a Global Traffic Manager-licensed BIG-IP. This resulted in the Global Traffic Manager marking the Local Traffic Manager down after it lost its iQuery connection. A workaround was to rerun big3d_install on the Global Traffic Manager unit after the upgrade. This issue should no longer occur.

System restart and loss of connection to MCP (CR70229)
This release corrects the infrequent occurrence of the BIGD health monitor service losing its connection to the Master Control Program (MCP) and restarting itself to re-establish the connection.

ARP requests from for named requests (CR70245)
In this release, the system handles named requests correctly, so that Linux sends ARP entries with the correct address.

Blank user and certificate search base DN (CR70299)
In this release, you can use blank values for user and certificate map search base DN values when you configure the SSL Client Certificate LDAP type of Authentication Configuration profile. In previous releases, you could not leave these fields blank.

HTTP requests spanning multiple TCP frames (CR70394, CR70631)
In previous releases, the system occasionally failed to transmit the initial segment of an HTTP request on a server-side flow that spanned multiple TCP frames. Now, the system always correctly transmits when data is present.

Large UCS file loading (CR70403)
This release corrects the issue of the system timing out when loading large or long UCS files.

Performance with SSL session pool priming (CR70479)
In this release, SSL session pool priming has been removed.

Apache 2.0.58 upgrade (CR70491)
This version of the software has been upgraded to use Apache 2.0.58.

Inoperative SNAT VLAN disable (CR70520)
In this release, SNAT disable and enable commands work as expected.

HTTP cookie removal (CR70528, CR70682)
In previous releases, if an HTTP cookie was at the end of the list of cookies, the iRule command, HTTP::cookie remove, removed all the cookies. Now, only the correct HTTP cookie is removed with this command.

ZebOS and other routing protocol (CR70609)
In previous releases, the ZebOS® Network Services Module (NSM) daemon could halt unexpectedly while trying to delete a route from its internal database. This problem occurred in configurations that were running Open Shortest Path First (OSPF) together with other routing protocols, for example, Routing Information Protocol (RIP) or Border Gateway Protocol (BGP). In this release, OSPF works when combined with other routing protocols.

iRule processing of multiple events of the same kind (CR70630)
In this release, iRules process multiple equivalent events as long as they have different priority.

IP and MAC addresses with extra characters (CR70635, CR70685)
This release corrects an issue in which the xbuf_scanf process could add extra characters and append them to an IP address or MAC address.

Persist cookie insert behavior change (CR70660)
In previous releases, specifying an expiration of 0d 00:00:00 used the default persistence timeout of 180 seconds. In this release, specifying 0d 00:00:00 results in the system correctly using session cookies for cookie persistence.

Request without host header (CR70688)
In previous releases, failure to find a host header did not result in denying access for a particular HTTP class. Now the system correctly denies access when the request contains no host header.

Excessive 401s and NTLM traffic acceleration (CR70690)
In this release, reworked iRule event priorities allow user-defined rule events to run before or after all other rule event commands to allow iRules to perform load balancing selection on-demand.

VeriSign intermediate cert to ca-bundle.crt (CR70747)
The certificate authority (CA) certificate bundle (ca-bundle.crt) in this release contains support for the VeriSign® intermediate certificate signing.

Empty chunked HTTP response with headers (CR70807)
In previous releases, receiving a zero-length chunked HTTP response in the same packet as the response headers, a single empty xbuf is leaked. Over time, this could result in memory exhaustion in the TMM. Now, the system does not leak an empty xbuf.

Small MSS size and SSL processing queues (CR70819, CR70862)
Previously, if an incoming record had more than 32 records, it could fail to clear the SSL filter, causing the SSL processing queue to stall. With this release, the SSL filter is cleared appropriately, and the queue does not fail.

Failover delay (CR70892)
This release addresses the condition where failover could be delayed when the sod process did not correctly call for failover. Now, the standby unit is promoted to active in approximately two seconds.

Heartbeat failure modification and rebooting (CR70927)
Previously, rebooting the system removed a heartbeat-failure setting you might have modified using the browser-based interface. Now, rebooting leaves the setting as modified.

Fast HTTP and out-of-sequence packet segments (CR70928, CR71147)
Previously, out-of-sequence acknowledgements could result in monitors reporting incomplete requests. Now, the Fast HTTP profile operates correctly even if packets are acknowledged out of sequence.

Core files after failover (CR71129)
Previously, a failover event could cause processes on the two 8400 units in a redundant system to leave core files on the Switch Card Control Processor (SCCP). The failover process now removes these files correctly.

Base 64 encoding (CR71221)
This release properly handles certificate encoding so that binary characters do not get converted to UTF-8 before being encoded using Base 64 encoding.

Failover action for bcm56xxd set on command line (CR71297)
In this release, the system correctly presents an error when you used the command line to set the failover action of switchboard fail-safe (the bcm56xxd daemon.)

Available host memory on systems with only 512 MB of RAM (CR71323)
In this release, the system correctly handles insufficient-memory problems that occurred on systems that had 512 MB of RAM.

Using related connections when no server-side connection exists (CR71326)
If you attempt to set up a related connection without already having a server-side connection in place, the system restarts. This occurs when you use the following commands: cmd_relate, flow_relate_clientside, and flow_relate_serverside. To work around this issue, make sure that the server-side connection exists before setting up a related connection.

IP forwarding and TCP checksum of 0xffff on the BIG-IP 1500 (CR71330)
Previously on the BIG-IP 1500, IP forwarding of packets whose checksum was 0x0000 changed the checksum to 0xffff, which some stacks did not accept. This release adds a bigdb variable TM.TcpForwardChecksumAdjust. When this variable is true, the system calculates in software the TCP checksum for forwarded packets to be calculated in, so processing does not incorrectly change the value.

HTTP class list reload (CR71586)
This release preserves the correct ordering of HTTP classes during modification of a single HTTP class. In previous releases, the system did not preserve the ordering of HTTP classes during modification of a single HTTP class.

Retransmission of packets by Fast HTTP profiles (CR71762)
In this release, the system preserves MSS and sequence numbers on retransmitted synchronization and acknowledgment (SYN-ACK) segments in Fast HTTP profiles.

b load command and second copy of iRule on virtual IP (CR71807)
In this release, running the b load command on the command line does not attach a second copy of an iRule to a virtual IP address after you use the browser-based Configuration utility to attach the iRule.

System driver and TMM interoperation (CR71826, CR71827)
This release resolves an issue in which a system driver was out of sync with the TMM, resulting in the system reading invalid data. Now, the system driver now remains synchronized and reads data correctly.

Route redefinition when assigning a MAC masquerade address for a VLAN (CR71897)
In previous releases, when you assigned a MAC masquerade address to an existing VLAN, Linux automatically dropped any existing static routes pertaining to the interfaces associated with that VLAN. In this release, the system correctly associates those routes.

Install license call error (CR71959)
This release addresses an error returned when calling Management::LicenseAdministration::install_license so that the call completes correctly.

Persistent HTTP connections and TMM (CR71998)
Now, the system correctly handles persistent HTTP connections on a OneConnect virtual server using secure network address translation (SNAT).

HTTP request split across multiple packets and Fast HTTP profiles (CR72101)
Fast HTTP profiles now correctly handle partial matches of header names and values.

Memory leak in sod and statsd (CR70134, CR72149)
This release repairs the memory leak in sod and statsd processes.

Subscriber message consumption and mcpd growth (CR72136)
In earlier releases, the slow consumption of subscriber messages could cause unbounded mcpd process growth. In this release, the system constrains the growth of the process, so unbounded growth no longer occurs.

Fast L4 profile with the iRule reject command (CR72171)
In previous releases, when an iRule contained the reject command, using the Fast L4 profile did not issue a reset (RST) to the client. Now it does.

Multiple-segment HTTP request and authorization (CR72220)
The system now correctly handles multiple-segment requests that contain no authorization header. Previously, such a condition could cause the connection to hang.

Connection reset and multiple-packet requests (CR72283)
The system no longer resets the connection when receiving requests spanning multiple segment.

Daylight Saving Time for Western Australia (CR72396)
This release supports Daylight Saving Time for Western Australia.

UPN in x509v3 extensions SubjectAltName (CR72445)
In this release, parsing the Microsoft Universal Principal Name (UPN) from certificates returns a more user-friendly UPN name than in previous versions.

System restart after BIGD failure (CR72447)
In previous releases, the system restarted in response to BIGD failures that occurred as a result of watchdog timeouts. This no longer occurs.

Fast HTTP SYN-ACK packets with new sequence numbers (CR72575)
Previously, if the connection's entry in the synchronization (SYN) cookie cache was deleted due to overflow or timeout, the retransmitted synchronization and acknowledgment (SYN-ACK) packets carried a new sequence number. Now, all retransmitted SYN-ACK packets have the same sequence number as the first one.

Content Switching and Content Pooling clarification in documentation (CR72577)
Earlier releases of the Configuration Guide for BIG-IP® Local Traffic Manager did not make clear the interaction between the Content Switching and Connection Pooling features and the OneConnect profile. The guide now clarifies the connection with the following statement: The OneConnect feature is disabled by default, but can easily be enabled by configuring a OneConnect profile.

Master Control Program process growth in memory (CR72660)
In previous releases, certain conditions could cause Master Control Program (MCP) process to grow in size, and the memory consumed was not reclaimed. Now, the system reclaims that memory correctly.

Language/character set support (CR72666)
This release includes the charsets.jar file, which supports the Japanese language character set, so the MSSQL monitor works successfully in the Japanese language.

Excessive memory growth in eventd process (CR72794)
In previous releases, the eventd process could grow over time, depending on the amount of activity, especially if eventd had trouble contacting the subscriber. This sort of growth could contribute directly to memory pressure, which could lead to failover. In this release, the process consumes less memory, which prevents this condition.

Client access with no trusted certificate authorities (CR72799)
This release addresses the issue in which clients were denied access when SSL was configured to request client certificates, but there were no trusted certificate authorities (CAs) specified. Now, the system correctly allows self-signed certificates, and other unverifiable certificates, when using this configuration.

OSPF does not work in active/standby out of the box (CR72891)
Previously, using the Open Shortest Path First (OSPF) protocol as a redundant system required special configuration. This release provides better support for using the OSPF protocol in active/standby configurations.

VLAN group proxy exclusion lists and bp load (CR72900)
In previous releases, the bp load operation erroneously attempted to add the exclusion list into SNAT pool member. Now, the system ensures that VLAN group exclusion lists are not added into SNAT pool members.

Disabling management interface (CR72937)
In this release, running a b interface mgmt disable command disconnects the SSH session, and correctly prevents HTTPS connections to be established through the management IP address.

Memory handling with certain memory-intensive processes (CR72946)
Previously, Linux memory was limited to 224 MB, but certain processes could consume 1 GB of memory. This release provides improved memory handling in this area.

Packet routing with small MTU size (CR72962)
In this release, packets larger than the small MTU specified on the server are correctly forwarded to the router.

SSLv2 ciphers and iRules (CR72968)
The SSL filter determines which cipher suite is selected by checking for a cipher ID. Because SSLv2 does not support cipher IDs, an iRule attempting to get the SSLv2 cipher name could return random garbage, which could eventually cause TMM to restart. Now, the system correctly identifies SSLv2 ciphers from cipher information provided by OpenSSL at handshake completion.

Time zone and upgrading from version 9.1.1 (CR72987)
Previously, upgrading from version 9.1.1 resulted in the system setting the time zone to Pacific Standard Time. Now, the system preserves the time zone setting.

Multiple logons with different passwords (CR72994)
This release provides support for one-time-password users to log on multiple times using different passwords, which increases support for authentication systems such as RSA SecurID®, which use one-time-passwords. Previous releases did not provide this support.

Result of iControl call Management::LicenseAdministration::get_system_dossier (CR73156)
In this release, the license server successfully completes when using the dossier returned from the iControl call Management::LicenseAdministration::get_system_dossier.

Unrecognized HTTP methods without content-length or chunking header stall (CR73219)
In previous releases, unrecognized HTTP methods that contained no body, and that had no content-length or chunking header stalled in the HTTP filter. Now, the system passes any request in which the client has indicated the presence of body content by sending Content-Length or Transfer-Encoding headers, regardless of the method type.

MCP messages and heartbeat failure (CR73247)
The system now correctly terminates Master Control Program (MCP) result messages, which avoids the infinite message-splitting loop condition.

Connection handling with no active priority group members (CR73405)
The Traffic Management Microkernel (TMM) now moves connections to the next-in-order priority group instead of resetting connection when there is no active member in the group.

Health checks performed over the management port (CR73624)
The bigd process no longer performs health checks over the management interface, and now correctly logs nodes configured for route-checking over the management interface.

Log file exceeding maximum size (CR73710, CR73864)
In previous releases, log files could exceed the maximum size, causing the bigd process to halt. Now, the system correctly rotates logs so this condition does not occur.

Clear reselect flag in flow switch pool member (CR73714)
In this release, specifying the reselect action for the pool member, and having an iRule subsequently use a node command when the pool member goes down no longer causes TMM to restart unexpectedly. Now, the system handles that condition.

Pool option description in documentation (CR73793)
This version of the Configuration Guide for BIG-IP® Local Traffic Manager makes it clear that when setting the Action on Service Down pool option to Reject, the sending of RSTs applies to TCP traffic only. Previous versions of the guide did not make that clear.

Node status update (CR73808)
Previously, once the system reached the connection limit for the node, its status changed to Unavailable, and never returned to Available even though all remaining connection ended. Now, the system correctly returns the node to the Available state.

ConfigSync failure with space in password (CR73854)
In this release, the ConfigSync operation completes successfully on systems where there is a space character in the administrator password. That means you can now use a space character in the administrator password.

Priority groups and connection limit interaction (CR73861)
Previous releases had several issues with priority groups and connection limits, including moving connections to a lower priority group when appropriate, correctly handling the disabling of pool members, clearing virtual IP addresses that remained after enabling and disabling pool members, and disabled nodes incorrectly passing traffic. In this release, the system handles these conditions correctly.

Server-side SSL cache settings (CR73863)
This release supports server-side session, so we have updated the documentation to remove the note indicating that the settings were for client SSL only.

SCCP kernel driver 497-day timer wrap issue (CR73960)
Read errors no longer occur when the the SCCP kernel driver wraps after 497 days. Now, the system appropriately handles the 497-day interval.

SSL peer certificate mode request with X509 errors (CR73968)
The system no longer denies client access when the peer certificate mode request contains X509 errors. Now, the system handles requests containing X509 errors described in the x509_txt.c file on the OpenSSL site.

b load with external IP class files (CR73983)
Configurations with external IP class files no longer cause the system to reload the configuration file with each b load command if the file has not changed. Now, the system only reloads the configuration file when the file has changed.

Pool member traffic handling with disabled parent node (CR74063)
If a pool member fails and later passes a health check, the system correctly refrains from sending traffic to the pool member if its parent node is disabled.

Corrupted SIP message handling (CR74142)
The system now continues operating correctly when the Session Initiation Protocol (SIP) parser receives a corrupt message. Previously, when the system received a SIP message without the \r\n (carriage-return/line-feed) terminator, the system would halt.

Gratuitous ARP and VLAN group members (CR74220)
Gratuitous ARP packets now correctly propagate to VLAN group members., Formerly, they did not.

MCP restart due to corrupt indexes (CR74262)
In previous releases, a problem could result from compaction removing all involved transaction objects from their respective indexes. The problem resulted in corrupt indexes, which eventually led to an MCP restart. This no longer occurs.

Enterprise Manager token module changes (CR74432)
This version supports external administrators in the Enterprise Manager software. Previous versions did not.

iRule use of LB::server weight (CR74534)
Using the LB::server weight statement in an iRule now works correctly. Previously, the statement could cause TMM to fail when the statement encountered a divide-by-zero error.

RULE_INIT event addition to existing iRules (CR74553)
The system no longer attaches RULE_INIT events to the virtual server, so no configuration problems occur when using this event in iRules.

Memory growth with repeated initialization calls (CR74557, CR74629)
In previous releases, memory growth could occur as a result of repeated initialization calls. Now, the system handles memory correctly during repeated initialization calls.

Outbound monitor packets and VLAN fail-safe (CR74652)
Outbound monitor packets no longer reset the VLAN timer, which prevented failover. Failover now occurs correctly.

Disabled virtual address status (CR74816)
Virtual address status is now correctly represented when it is disabled as well as when it is enabled. Previously, the system presented the correct status only when the Virtual address was enabled.

Client ACK response to server reply to POST request and Fast HTTP (CR74825)
The system now accurately tracks the client-side sequence numbers when dealing with a PUT/POST body. Formerly, out-of-sequence sequence numbers could cause the client to not respond to subsequent client packets, resulting eventually, in a connection reset.

FIPS error messages on system boot (CR74892)
The system no longer presents on the screen Library Initialization or card re-initialization request error messages when booting systems using Federal Information Processing Standard (FIPS) cards. The startup process now correctly waits for initialization of the driver that sent the message.

MCP processing of and heartbeat failure (CR74916)
Systems with large persistence tables no longer experience heartbeat failure as a result of translation of persist information responses.

Processing server data held by TCP::collect (CR74924)
The system now processes server data held by TCP::collect when the system receives a finished (FIN) packet. Formerly, the system halted processing in that case.

HTTP chunk headers with line-ending split across packets (CR74928)
The system no longer closes connections in response to an HTTP chunking header that has a \r\n (carriage-return/line-feed) split across packets. Now, the system processes the packets as expected.

Gratuitous ARP replies across VLAN groups (CR75146)
Gratuitous ARP replies are now sent by proxy to all child VLANs within the VLAN group. In previous releases, the system did not forward gratuitous ARP replies across VLAN groups.

New ARP entry creation when 2048 unexpired entries exist (CR75222)
The system responds appropriately when creating a new ARP entry when 2048 unexpired ARP entries already exist. Formerly, trying to create a new ARP entry when there were 2048 unexpired entries resulted in the message tmm SIGSEGV EIP=0xd36ed0 in arp_alloc.

Virtual server create in iRule when no virtual server exists (CR75361)
Previously, the system could restart if an iRule created a virtual server iRule before the virtual server existed. Now, you can configure an iRule to create a virtual server before the virtual server exists.

Leading asterisk in monitor recv string (CR75546)
This release corrects the condition of prior releases in which a leading asterisk in a monitor recv string caused the monitor to stop responding.

SSL initial handshake parser and heartbeat failure (CR75649)
The system now correctly handles receipt of a garbage record containing specific data patterns.

Network failover operation with long timeout (CR76122)
In earlier releases, if a long timeout was specified (20 seconds) and the peer system was not communicating, unit 2 could alternate between active and standby, holding each state for less than a minute. In this release, the system does not clear the network failover timeout count unless a valid response is received from the peer system.

HTTP redirect persistence and TCL persistence keys (CR76145)
HTTP redirect calls in iRules no longer leak TCL persistence keys. In previous releases, the leak occurred with any form of HTTP request that was not actually sent by proxy to the server, including redirect, respond, ramcache, and drop/reject.

Subdomain module issue (CR76174)
Using LDAP authentication over SSL now provides appropriate access to subdomain modules. Previously, the lack of appropriate access to subdomain modules could cause failure in LDAP-over-SSL authentication operations.

Standby operation with long timeout (CR76191)
In earlier releases, if a long timeout is specified (20 seconds) and the peer system is not communicating, the active unit could briefly become the standby unit before returning to active. In this release, the active unit remains active without toggling when its peer is stopped, or physically removed from the network.

TMM reset and TCP headers (CR76276)
In previous releases, the system could reach a state in which it attempted to delete the TCP header from the packet when the header was not present. This caused TMM to reset. This no longer occurs.

Header matching failures in HTTP class header list (CR76397)
In earlier releases, a line-ending caused the system to fail to match some pattern string entries in the HTTP class header list. This release corrects that issue.

End-of pipeline detection with two different request of the same size (CR76498)
This release correctly detects the end-of-pipeline condition in cases where a current request and a pipelined request are of the same size, thus preventing problems caused by the request reentering RAM cache and proxy.

SNAT listener and virtual listener combination (CR76502)
Client and server connection flows that match both a SNAT listener and a virtual listener now correctly take and release references to the SNAT listener. Previously, connections of this type took references but did not release them.

System log times after DST change (CR76567)
System logs now correctly reflect time zone and timestamp after the Daylight Saving Time (DST) change.

Empty xbuf with server-side HTTP::respond/redirect call (CR76613)
In previous releases, a server-side HTTP::respond/redirect call could leak an empty xbuf. Over time, this could result in memory exhaustion in the TMM. Now, the system does not leak an empty xbuf.

RTSP leaking flow entry (CR77437)
The real-time streaming protocol (RTSP) profile no longer leaks memory in the connection flow cache.

10 Gb XFP port operation after cable removed and replaced (CR77947)
In previous releases, when you unplugged a cable or module from a 10 Gb XFP port on a BIG-IP 8400 platform and plugged it back in, the 10 Gb port lost its link speed setting, and was unable to pass any traffic. In this release, the unit and port now recover correctly after you unplug a cable or module and plug it back in.

Note: This release also contains all fixes from 9.2 - 9.2.5 releases. For a list of Local Traffic Manager and TMOS fixes, see BIG-IP Local Traffic Manager version 9.2.5 and TMOS. For a list of Global Traffic Manager and Link Controller fixes, see BIG-IP Global Traffic Manager and Link Controller version 9.2.5.

[ Top ]

Optional configuration changes

Once you have installed the software, you can use any of the following configuration options to update your configuration.

Note that these new configuration options are the result of one or more of the fixes or enhancements listed above.

Using SNMP read/write OIDs

You can use the following SNMP OIDs in read/write mode. However, SNMP is not intended to be used as a general API for configuring the BIG-IP system. These SNMP OIDs are shown in this table.

OID Name OID Value
ltmVirtualServEnabled Enable/disable virtual server
ltmVirtualAddrEnabled Enable/disable virtual address
ltmNodeAddrNewSessionEnable Enable/disable node address
ltmNodeAddrMonitorState Force up/down node address
ltmPoolMemberNewSessionEnable Enable/disable pool member
ltmPoolMemberMonitorState Force up/down pool member
[ Top ]


The version 9.x releases often include SNMP OID updates related to new functionality. See the document, New SNMP Objects for a complete list.

[ Top ]

Using the switchboot utility

Beginning with the version 9.0.2 release, functionality was added to install multiple versions of the BIG-IP software on different boot images on one unit. A boot image is a portion of a drive with adequate space required for an installation. If the hardware supports multiple boot images, you are prompted to install the software on multiple boot images during the installation. The BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), and BIG-IP 8400 (D84) platforms support this functionality.

The switchboot utility is available to manage installations on different boot images. You can use the switchboot utility from the command line to select which installed image boots. To run the switchboot utility, type the following command:

A list of boot images and their descriptions displays. Type the number of the boot image you want to boot at startup. When you reboot the system, it starts from the slot you specify.

If there is only one boot image available, the switchboot utility displays a message similar to this one and exits.
There is only one boot image to choose from: title BIG-IP 9.3 Build 178.1 - drive hda.1

Note: Any change you make using the switchboot utility is saved in the boot configuration file, grub.conf.

To use switchboot in non-interactive mode

If you know which boot image you want to boot, you can type the following command and specify the boot image number for <bootimage_number>:
switchboot -s <bootimage_number>

To use switchboot to list available boot images and the currently active boot images.

If you want to list the available boot images without specifying a new boot image from which to boot, type the following command:
switchboot -l

To list options for switchboot

To list the options for the switchboot utility, type the following command:
switchboot -h

To view the contents of the boot configuration file

You can view the complete contents of the boot configuration file (grub.conf) with the following command:
grub_default -d

This command is slightly different from switchboot -l in that switchboot -l only lists the boot image header lines, while grub_default -d displays the complete file.

[ Top ]

Known issues

ISIS dynamic routing
In software version 9.4.4, F5 added dynamic routing support for the Intermediate System-to-Intermediate System (ISIS) protocol. ISIS dynamic routing is only available in software released after February 1, 2008. The ISIS dynamic routing module is activated when a customer has the full routing module license and is running software that includes ISIS. Current customers who reactivate their license of the previously purchased all-protocol routing module, or an enterprise license that includes all the routing modules, will see the ISIS license listed on their system. However, to use ISIS, customers must be running a software version released after February 1st 2008, which includes version 9.4.4. For more information, see SOL8400: IS-IS Dynamic Routing Support and Licensing in the Ask F5 Knowledge Base.

1500, 3400, and 6400 platforms SSH session (CR40503)
When you establish an secure shell (SSH) session between two units on the 1500, 3400, or 6400 platforms, and you reboot the unit to which you established the SSH session, the SSH session remains open until it reaches its timeout.

Trunks on a BIG-IP 2400 (D44) IP Application Switch (CR40507)
On a BIG-IP 2400 platform, if you connect multiple ports to one switch, you might form a bridging loop, which causes Traffic Management Microkernel (TMM) to restart repeatedly. The best solution is to configure the network so no bridging loops exist. If this cannot be accomplished in your configuration, you can resolve the problem by enabling spanning tree protocol (STP) if you connect multiple ports to one switch.

SIP persistence and persist iRule commands (CR40579)
In this release, the persist iRule commands do not support session initiation protocol (SIP) persistence.

Default route specification for IPv6 (CR40808)
Because the default configuration settings for Network Routes is for Internet Protocol version 4 (IPv4), you must specify both a destination and netmask value to specify a default route for Internet Protocol version 6 (IPv6). To specify an IPv6 default route, you must first choose a type of route instead of default gateway. Then specify the destination as :: and the netmask as :: to set the appropriate IPv6 default route.

OTCU and monitors saved at pool level (CR40977)
After you run the One Time Conversion Utility (OTCU) to convert your 4.x configuration to a 9.x configuration, you cannot view the monitors on pool members until after you run the bigpipe load command twice, from the command line. Alternately, you can restart the system.

Setup Utility and VLAN configuration (CR42790)
When you rerun the Setup Utility and use the Basic Configuration Wizard (which sets up the default internal and external VLANs), the configuration must meet certain guidelines. If the configuration violates one of these conditions, the system presents error messages, and does not complete the configuration. This is by design. The configuration must meet the following guidelines:

  • No more than one non-floating IP is associated with VLANs named external or internal.
  • No more than one floating IP is associated with VLANs named external or internal.
  • The self IP addresses associated with the VLANs internal and external must use one of the following port settings: Allow Default, Allow 443, Allow None.
  • The bigdb variable Statemirror.IPAddr must match the internal self IP.
  • A VLAN group cannot be named external or internal.
  • A trunk cannot be configured on VLAN external or internal.
  • The default route must be of type Gateway.

Failover and virtual servers with a OneConnect profile, an HTTP profile, and connection mirroring enabled (CR43517)
In a redundant system, if the active unit fails over, and the configuration contains virtual servers with a OneConnect profile, an HTTP profile, and connection mirroring enabled, the failover process does not properly mirror the server-side OneConnect connections to the failover unit.

Link activity lights on the BIG-IP 3400 (C62) platform (CR43570)
On the BIG-IP 3400 platform, if you have trunks configured, the link activity lights on the front panel might not properly indicate link activity (turn green).

Configuration utility: Refresh interval and statistics screens not viewed yet (CR43613)
In the Configuration utility, on the System > Preferences screen, if you change the Default Statistics Refresh interval, view some statistics screens, and then change the Default Statistics Refresh interval again, the system applies the second update only to those statistics screens that you have not viewed yet.

bigpipe command immediately following bigstart restart command (CR44091)
After you run the bigstart restart command, the BIG-IP system takes a minute to initialize. If you run this command, you should wait at least a minute for the system to re-initialize before running additional bigpipe commands.

System caching of unreachable IPv6 destinations (CR44109)
A problem might occur where the BIG-IP system caches an unreachable IPv6 destination. This problem might occur if you add the wrong default route, delete it, and change to the correct route, only to find traffic fails to reach the destination.

Fast L4 profile: Reset on timeout disable and the idle timeout value (CR44261)
Changing the Reset value on the timeout option to disable appears to change the idle timeout value. However, this affects only the value displayed by the system, not the system setting and the functionality of the system.

Simultaneous delete of floating IP addresses and non-floating IP addresses (CR44297)
In the Configuration utility, we recommend that you delete floating IP addresses before you delete non-floating IP addresses to avoid the error 01070393:3: Cannot delete IP because it would leave a floating IP with no non-floating IP on this network.

IPv6 and Transparent monitors (CR44388, CR44407, CR44408)
The current IPv6 implementation does not support transparent monitors.

Supported MTU for BIG-IP systems and IPv6 (CR44733)
The minimum supported MTU for a BIG-IP system using IPv6 is 1280.

RADIUS server key swapped during re-load, after swapping the server IP addresses (CR44769)
You might see an error when you attempt to swap RADIUS server keys during a configuration reload. You can work around this problem by un-configuring one of the servers before redefining the other.

Brackets in commented sections of rule syntax (CR44839)
Brackets in commented sections of rule syntax are counted in the bracket count. We recommend that you balance the brackets in the comments.

NAT and ICMP (CR44849)
Currently, Network Address Translation (NAT) tables do not forward Internet Control Message Protocol (ICMP) packets.

Configuration utility: Load Balancer Limited and the Fast L4 profile (CR44866)
The BIG-IP Load Balancer Limited product does not provide the ability to create or edit a Fast L4 profile.

Configuration restoration and overwriting SSH keys (CR45173)
user configuration set (UCS) files backup and restore host and root SSH keys, but there are many situations where these keys are stale, and break communications with the switch card control processor (SCCP) host subsystem. For more information about UCS files, see Solution ID: SOL4423 Overview of UCS archives.

Route validation (CR45212)
Currently the system does not fully validate route configurations, and it is possible to add a route to the configuration for which the gateway router is on the destination network.

SNAT translation addresses and idle timeout values (CR45352)
If you create a SNAT that is not associated with a virtual server, and the idle timeout of the translation address is indefinite, the system uses the default timeout defined in the Fast L4 profile (300 seconds). Also, creating a default SNAT with an idle timeout value lower than the Fast L4 timeout value can cause problems.

Automatic licensing and Configuration utility errors (CR45369)
In the Configuration utility, when you select Automatic option for licensing, if the system cannot communicate with the F5 Licensing Server, the system generates a major application error. To work around this issue, close the current browser session, open a new session, and select the Manual option instead. Note that this happens only in rare instances.

Configuration utility and bigpipe for SSL profile setting display discrepancies (CR45537)
On the SSL Profile screen, select the Renegotiate Period option and leave it at the default setting, Indefinite. When you view the same setting in the bigip.conf file, you see this number, 138635524 (which equates to 4.396 years), instead of indefinite.

Application Accelerator: Logging options display for unavailable features (CR45546)
In the Configuration utility, on the System > Logs > Options screen, you see logging options for the Packet Velocity® ASIC. This feature is not available on the Application Accelerator product.

Acceptable characters in SSL certificate names and common names (CR45721,CR45722)
If you create a certificate name or common name that uses invalid characters (for example asterisk, comma, question mark, exclamation, forward slash, ampersand), the system generates an error message that is incorrect. The error message states that these characters are valid, however the only acceptable characters are alphanumeric characters, hyphen, and underscore.

SSL certificate and key generation and Configuration utility errors (CR45725)
If you try to generate an archive file for SSL certificates and keys, and you do not type a name for the file, the system generates an error. If you then add a name and click the Generate and Download button, the system saves the file but the Configuration utility remains in the error state. Simply click Cancel after you have saved the file, which returns you to the SSL Certificate list screen.

iRules parsing syntax requirement (CR45767, CR59340)
The system cannot load an iRule when there is no space between a set of braces ( {} ). To work around this issue, add a space between the braces, as follows: { }. Note that the space is required.

Non-FIPS key import into FIPS system (CR45853)
If you import non-Federal Information Processing Standard (FIPS) keys to a FIPS system, and then convert the non-FIPS keys to FIPS keys, the system continues to use the non-FIPS keys until you restart the Traffic Management Microkernel (TMM) process. You can perform this task from the command line, by running the command b load.

VLAN groups and active/standby redundant systems (CR45867)
If you have an active/standby redundant system that uses VLAN groups for Layer 2 (L2) bridging, when the active unit goes to standby, it might continue to forward L2 packets.

radvd utility and restarting or rebooting the system (CR45882)
In rare circumstances, the radvd utility might start too early when you restart or reboot the system. As a result, the utility does not properly advertise routes. If you experience this issue, simply restart the radvd utility, on the System > Services screen in the Configuration utility.

IM upgrades and modprobe dependencies error messages (CR45885)
When you upgrade the system using the IM upgrade process, you might see the following error message when the system starts the automatic reboot, after the installation completes:
modprobe: Can't open dependencies file
You can ignore this error; it is benign.

IM upgrades and kernel journaling error messages (CR45970)
When you use the IM upgrade process, you might see kernel journaling error messages on the console after the installation completes. These error messages are benign and can be ignored.

VLAN names containing period (CR46028)
Using the sysctl -a command prints the /proc/sys file system. This command displays the information about each file under the tree as if it were a variable separated by period (.). It also translates the forward slash (/) into a period. When you create a VLAN with a period in the name, sysctl translates that into a forward slash (/), but then cannot read the file name it just created. To work around this situation, do not use the period character in a VLAN name.

White space in imported certificates (CR46150)
Currently, white space in imported certificates is not handled correctly. Certificates with extra whitespace after the begin certificate or before the end certificate statements are rejected. To work around this condition, you can remove white space in imported certificates.

No Nodes Available trap and log message (CR46596)
The No Nodes Available trap and No Nodes Available log message do not exist in BIG-IP version 9.x. Currently, when all nodes in a virtual server are marked down, a message is logged for each pool member of the virtual server. For example, you might see a message like this for each member of a pool on the virtual server:
Mar 24 09:01:00 bip6400 mcpd[864]: 01070638:3: Pool member monitor status down.

BIG-IP system behavior when the product license expires (CR46636)
Currently, when the product license expires on the BIG-IP system, it does not fail over to a peer system with an active valid license.

Wildcard virtual server without the virtual address entry (CR46657)
If you create a wildcard virtual server without a virtual address entry ( with Address Resolution Protocol (ARP) disabled, ARP is set to enabled when the configuration is saved. After you create the wildcard virtual server, you can change the ARP setting back to disabled.

Existing pool to gateway fail-safe pool (CR46870)
To change an existing pool into a gateway fail-safe pool, you must first delete the existing pool and recreate it as a gateway pool type.

Configuration utility preferences and system upgrades (CR46872)
If you have made any changes to the system settings of the Configuration utility, you must re-implement those settings when you upgrade the system, as these settings are not carried through during the upgrade process.

Compression processes after compression disable (CR47329)
If you use a compression-enabled HTTP profile, the compression processes continue even after you disable the profile. For more information, see Solution ID: SOL6775 Known Issue: BIG-IP system performance graphs report the CPU 0 usage at 100 percent if the BIG-IP system is licensed for hardware compression.

bigtop utility and failover (CR47361)
If you are running the bigtop utility on an active unit, and then the system fails over, you need to restart bigtop to refresh the bigtop statistics.

Serial console messages during bootstrap (CR47395)
When starting up certain BIG-IP systems, you might see some corrupted messages on the serial console. This issue occurs rarely, and does not affect system usability or performance. You can ignore these messages.

SSL certificates: native serverssl stack and client-side certificates (CR47702)
When using Server SSL (SSL re-encryption) and the node requests a client certificate, the BIG-IP system does not send a client-side certificate. To work around this issue, specify ALL as the cipher in the server SSL profile.

SSL session ID persistence and re-handshake (CR48114)
Session ID persistence is unaware of mid-connection renegotiations. This might cause new persistence entries not to be added for a new session ID if there are any negotiated in the middle of a connection.

Trailing white space on Tcl if statement and line continuation of else (CR48213)
Any trailing white space in a Tcl statement breaks the line continuation of the rule statement. To avoid this problem, remove any white space at the end of each line of the Tcl statement.

FIPS card and TMM traffic (CR48321)
If the Federal Information Processing Standard (FIPS) card is not logged in, the Traffic Management Microkernel (TMM) service does not pass traffic. To work around this issue, restart the system. This runs the /etc/rc.d/init.d/ cavium script, which logs in the FIPS card.

Multi-port mirror configuration and deleting select ports (CR48376)
You cannot delete select ports from a multi-port mirror configuration. You must delete the entire multi-port mirror configuration and reconfigure it with a new port list.

LCD and command line status report (CR48409)
The LCD can report three types of system status: Active, Standby, or Standalone. If the system is in a different state, the command line might report the status, but the LCD might report a different status.

White space in RADIUS client IDs (CR48453)
Blank spaces in RADIUS client IDs are not supported by the system. Any part of the ID that appears after the blank space does not display correctly.

Multiple RADIUS server objects with the same server IP address and port (CR48464)
You cannot configure multiple RADIUS server objects that share the same server IP address and port. This might happen if you create a traffic authentication profile with a RADIUS server, and then set up system authentication, which uses its own RADIUS server object. In this case, the two collide and create an error condition. To work around this situation, set up system authentication first, and then use the system_auth_radius1 server in the traffic authentication profile configuration.

System unavailability due to low memory (CR48465)
In certain low-memory situations related to Packet Velocity® ASIC (PVA), the system can become unavailable.

Large external class file load (CR48489)
Loading an external class file with more than 100,000 kilobytes of data might cause the system to become unstable.

TCP::collect implicitly holds the accepted event (CR48592)
The TCP::collect command is not appropriate for some protocols where the server sends data first, such as banner protocols.

System unavailability due to memory depletion (CR48594)
When processing an extremely high number of connections per second (approximately 30,000), with very large window sizes for compression, the system can run out of memory, causing a system failure. Occurrence of this event is highly unlikely.

Support for link down time on failover (CR48728)
For BIG-IP 520/540 (D35) systems that make use of VLAN groups, the Link Down Time on Failover feature is unsupported

BIG-IP system using UTC time for hardware (CR48737)
After upgrading the system from BIG-IP version 9.1, you might receive timestamp errors when you install a saved BIG-IP version 9.1 user configuration set (UCS) file. These errors are benign. The system clock corrects itself.

Fast HTTP profile and service-side connection priming (CR49182)
Once you configure the system to use the base Fast HTTP profile, the profile continues to prime server-side connections, even if there are no virtual servers currently configured to use the Fast HTTP profile. We recommend that you create a custom Fast HTTP profile instead of using the default Fast HTTP profile.

iRule misconfiguration and TMM restart (CR49375)
If an iRule is not configured to use the variable name form (that is, including the $) of the matchclass or findclass commands to access the class or data group, Traffic Management Microkernel (TMM) restarts. To work around this issue, always use the variable name form of the matchclass or findclass commands in iRules .

Implement chunked responses for persist_info (CR49412)
The BIG-IP system cannot fully display extremely large persistence tables using chunked responses.

Product version checking when licensing features (CR49435)
When you request licensing for additional modules, the license server does not check that you are running a product version that supports those modules.

drop and reject commands for UDP traffic (CR49445)
When processing UDP traffic, the system does not always handle the iRule commands drop and reject properly.

ssldump utility on BIG-IP 1000 platforms (CR49446)
On BIG-IP system 1000 platforms only, the Traffic Management Microkernel (TMM) service can become unavailable due to a problem with the ssldump utility.

Fast HTTP profile Header Insert option (CR49530)
The Fast HTTP profile Header Insert option does not perform a variable expansion in its configured header insert. For example, [IP:: client_addr] is inserted literally. Although this is inconsistent with the HTTP profile, this was done to increase HTTP performance. To configure the Fast HTTP profile to insert the original client IP address as a standard XForwarded-For header value, modify the Fast HTTP profile and enable the XForwarded-For header option. Additionally, Fast HTTP supports the HTTP_REQUEST iRule event as well as the HTTP::header insert iRule command, which you can use to insert arbitrary HTTP headers.

Configuration load message about VLANs (CR50019)
Loading a new configuration over an existing one can generate a message when the two configurations include a VLAN with the same name but different interfaces assigned to them.

FTP monitor in default mode does not query resources (CR50237)
The default mode for the FTP monitor is passive. This mode instructs the monitor to only determine if the resource attempts to communicate with the BIG-IP system, which is not an effective FTP test. We recommend you change the mode of the FTP monitor to a setting other than passive.

Mirroring data between units in a redundant pair (CR50330)
If the configurations for both units in a redundant system do not match, it can cause state mirroring to fail and result in general system instability.

Invalid configuration can result in inoperative system (CR50389)
If you create an invalid configuration (typically through the command-line interface), you can render the system inoperative. We recommend you back up your configuration prior to making changes, and then after changing the configuration, run the b load command to ensure the configuration is valid.

Deleting system authorization iRules (CR50407)
You cannot delete system authorization iRules. If you attempt to use the delete checkbox next to a system authorization iRule in the iRule List, you receive an error.

VLANs with dashes ( - ) in the name (CR50441)
The Linux router advertisement daemon (radvd) cannot process an interface name containing a dash ( - ). To avoid errors, verify that the VLAN name, on which radvd is enabled, does not contain dashes.

Exporting SSL Keys on a BIG-IP 6400 FIPS system (CR50553)
If you attempt to export a non-Federal Information Processing Standard (FIPS) SSL Key on a BIG-IP 6400 FIPS system, BIG-IP system returns a Cannot export FIPS keys error. You can work around this if you have SSH or command line access to the system. For example, you can copy the keys from the /config/ ssl/ssl.key/ directory using the scp command.

Installing BIG-IP version 9.2.3 on a system with an unformatted boot drive (CR50733, 77828)
When you install BIG-IP version 9.2.3 on a system that contains a boot drive that has not been formatted, or was formatted by an installation of BIG-IP version 4.x, the BIG-IP system returns the following error: 4.x upg : sfdisk: ERROR: sector 32164 does not have an msdos signature. This message is benign and has no affect on the installation.

Settings for tcp_timestamps (CR50852)
If you have previously turned off tcp_timestamps, you might have to re-disable tcp_timestamps by adding the following line to /etc/sysctl.conf:
net.ipv4.tcp_timestamps = 0

Configuration load of eliminated network object (CR50872)
If you try to load a new configuration that eliminates a network object referenced by another network object in the previous (currently loaded) configuration, the BIG-IP system returns an error. To work around this issue, remove from the previous configuration the reference to the object that is eliminated in the new configuration, and then load the new configuration. For example, if in the previous configuration a VLAN is referenced by a VLAN group, and that VLAN does not exist in the new configuration, you must remove from the VLAN group the reference to the eliminated VLAN, before you load the new configuration.

ICMP flows (CR51133)
The VLAN fail-safe process generates multiple ICMP flows in a 300-second period. These ICMP flows are benign.

Interrupted TCP connections (CR51197)
If an Address Resolution Protocol (ARP) or Neighbor Discovery Protocol (NDP) entry times out or the peer is not responding, the connection is interrupted. These connections should only end when the system is unable to establish a connection.

Reuse of HTTP client connections (CR51406)
Allowing infinite reuse of HTTP client connections can cause problems. To prevent this, verify that you have specified a value for the Maximum Requests setting in the HTTP profiles.

System licensing when upgrading from BIG-IP system version 4.6.2 (CR51472)
After you upgrade the BIG-IP system from version 4.6.2 to 9.2.3 and open the Configuration utility to license the new system, the License screen fails to automatically display the 9.2.3 registration key. If this occurs, populate the registration key field manually.

Gratuitous ARP messages on disabled virtual servers (CR51833)
The system sends a gratuitous Address Resolution Protocol (ARP) message during failover, when the virtual server is disabled.

Trunk statistics (CR51893)
Statistics for trunks do not display properly.

Preferred active status and long-lived mirrored connections (CR52003)
If you reboot a BIG-IP unit that has preferred active status enabled ( Failover.ForceActive=enabled), the peer unit does not continue to mirror the existing long-lived mirrored connections while the preferred active unit is inactive. This results in dropped long-lived mirrored connections.

b global stats reset command (CR52004)
The b global stats reset command does not reset the following statistics: Packet Velocity® ASIC (PVA) assisted connections, HTTP requests, OneConnect , and Stream replacements.

Remote RADIUS authentication (CR52073)
When you configure the system to use remote RADIUS authentication, the system also authenticates local users. This is by design.

Total SSL TPS displayed by Configuration utility (CR52164)
The Configuration utility does not currently report the total amount of SSL transactions per second (TPS) for which the BIG-IP system is licensed. To determine this value, you can view the file bigip.license directly.

Setup utility and selecting all ports (CR52161)
If you decide to implement the port lockdown feature available through the Setup utility, you cannot initially set the Port Lockdown option to allow for all ports. After you finish using the Setup utility, you can access the self IP address in the Configuration utility and change the Port Lockdown setting to Allow All.

Destination address modification for custom transparent monitor (CR52255)
After creating a custom monitor with Transparent mode set to Yes, you cannot modify the Alias Address and Alias Service Port properties.

License message when re-licensing a BIG-IP 6400 (CR52277)
When re-licensing a 6400 system, the following message can appear: Warning: loading /lib/modules/2.4.21- vkd.o will taint the kernel: no license. See for information about tainted modules. This message does not indicate a license issue and does not affect performance.

LDAP authentication configuration object (CR52300)
When you create an LDAP authentication configuration object, the User Template and Bind Password setting should be mutually exclusive. You should define one setting or the other, but not both.

Progress messages during product installation (CR52337)
If you start the Installer application using a local-install IM package, some of the progress messages might incorrectly refer to a remote installation process, that is, one that requires an installation server. For example, the output of the boot loader application might temporarily list the entry remote-install -<x>. Although incorrect, these references to a remote installation are harmless.

TX/RX pause link negotiation (CR52459)
TX/RX pause negotiation of links is not available on 520/540 (D35) platforms.

HTTP connection closure (CR52482)
With a one-armed configuration, server-side HTTP connections sometimes close prematurely.

Externally stored classes and loading configuration data (CR52507)
If you are running the One-Time Conversion Utility (OTCU), and a user configuration set (UCS) file includes an externally stored class with a line containing an invalid netmask (such as, the bigpipe utility reports an error. In this case, you must find the external file, manually correct the error, and reload and save the configuration data.

Neighbor Discovery and global addresses (CR52573)
The timeout on global Neighbor Discovery (ND) v6 entries can block ND solicitation for received traffic.

Slow Ramp Time setting for pools (CR52670)
When creating a load balancing pool, the Slow Ramp Time setting is required. Failing to specify a value causes automatic use of an incorrect value.

Forced interface speeds (CR52846)
Setting a forced interface speed on an SFP Fiber interface can falsely cause a link up condition.

Trunk destabilization when loading configuration data (CR53181)
Reloading configuration data can temporarily destabilize any existing trunks, causing random trunk messages to appear. The trunks eventually return to normal.

SSL profile options display (CR53196)
When using the Configuration utility to display an SSL profile, some settings do not appear when the certificate name has a .pem file name extension instead of a .crt extension.

trunk command on the BIG-IP 6800 platform (CR53254)
On a 6800 (D68) platform only, when using the bigpipe trunk command to create a trunk, the trunk can fail to pass traffic after you add the first interface to the trunk. To fix the problem, type the following command: bigstart restart bcm56xxd

Non-existent configuration file load (CR53396)
When you type the command bigpipe load <filename>, the system reloads the full configuration if the specified file does not exist, and does not generate an error message.

SSL certificate and key names (CR53446)
SSL certificate and key file names that include square brackets ( [ ] ) remain in the configuration data even when excluded from an archive. You must use the command line interface, and not the Configuration utility, to remove these certificates and keys from the configuration.

SNMP service start or restart and traps sent (CR53741)
When SNMP service starts or restarts, it does not send the traps bigipAgentStart and bigipAgentRestart. Instead, the service only sends those traps on service shutdown.

Certificate revocation lists and Client SSL profiles (CR53837)
The Traffic Management Microkernel (TMM) service becomes unavailable whenever a virtual server references a client SSL profile that specifies a certificate revocation list (CRL). This behavior might indicate that the referenced CRL file does not exist.

Encrypted .ucs file installation when config.encryption flag set to off (CR54052)
If you disable encryption, you cannot install an encrypted .ucs file into the system. This issue is resolved by activating the encryption option, and then installing the file.

System cache and empty URI excludes list (CR54077)
If you have an empty URI excludes list, the system caches everything possible. You can work around this by creating an iRule that defines what items should be cached.

Log rotation and Tomcat service (CR54081)
In the event that the destination for the Tomcat service log files becomes full, the system automatically rotates log files to ensure that the most recent data is captured. However, the Tomcat service requires a restart each time it rotates a log file. This issue is resolved by ensuring there is adequate hard disk space for the Tomcat service, or by archiving log files on a scheduled basis.

UCS files containing special characters (CR54141)
When creating a .ucs file, the command-line interface allows you to include special characters. However, these characters are not supported in by the Configuration utility, resulting in the Configuration utility being unable to install the .ucs file. This issue is resolved by avoiding special characters when creating .ucs files.

Handling of delayed ACKs (CR54345)
Enabling Slow Start appears to withhold an acknowledgement for 100 milliseconds. To work around this issue, you can configure a setting in the TCP profile, ack-on-push, to immediately send an acknowledgement upon receiving a PUSH from the client/server. This setting is disabled by default. To enable this variable, type the following command at the command line:
b profile tcp <tcp_profile_name> ack on push enable

User role for accounts on remote authentication servers (CR54412)
When you change the default user role for accounts that are authenticated remotely, the user role for user accounts labeled as Other External Users does not change accordingly.

ZebOS and MD5 interoperability (CR54440)
On systems running both the ZebOS module and MD5, a race condition can occur when using the MD5 signature settings within a TCP profile. We recommend that you refrain from using the MD5 signature settings within a TCP profile.

Modprobe message on non-Cavium systems (CR54443)
During a local installation, the system erroneously inserts the error message modprobe: modprobe - Can't locate module char-major-240 in the var/log/daemon.log file. This occurs on non-Cavium systems only.

ConfigSync encryption enabling or disabling (CR54446)
If you previously enabled encryption of configuration synchronization data and want to disable it using the Configuration utility, make sure that you first disable encryption using the Encryption setting on the ConfigSync screen. Then use the Preferences screen to set the Archive Encryption setting to Off. Doing these steps in this order prevents the occurrence of unexpected encryption behavior.

iControl and configuration synchronization (CR54587)
iControl does not indicate an exception if configuration synchronization does not succeed.

10 GB interface option for interfaces (CR54832)
In the Configuration utility, certain interfaces contain the option to select 10 GB. However, this version does not support this setting.

Media type on the 8400 platform (CR54835)
On the 8400 platform, setting the media type on SFP fiber ports causes a brief loss of link. This can cause the upstream switch to flush its Address Resolution Protocol (ARP) entry for the BIG-IP system.

System response on 302 responses into http/compress profile (CR54923)
The system occasionally responds incorrectly when a 302 error is received into an http/compress profile. The exact behavior depends on system configuration. To resolve this issue, add an iRule that avoids compression when a 302 error is received.

PVA: virtual servers with unmatched MTUs (CR55240)
If you have VLANs with different maximum transmission unit (MTU) sizes, you should manually demote virtual servers or set the db variable Pva.Acceleration to none. An alternative is to set acceleration on a per-virtual server basis using a Fast L4 profile.

tcpdump utility on Packet Velocity ASIC 10 systems (CR55498)
When using the Linux tcpdump utility to see TCP packets on a VLAN, the utility does not produce expected results on BIG-IP systems that include the Packet Velocity® ASIC (PVA) 10 feature. Note that the tcpdump utility works on interfaces or external trunks on PVA10 systems.

Cipher List setting in HTTPS monitor (CR55875)
When users other than admin use the Configuration utility to display an HTTPS type of monitor, the value of the Cipher List setting is truncated.

L7 mirrored connections after restart and failover (CR55926)
If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second restart and failover. Also, this does not apply to Fast L4 profiles.

Image selection after discard (CR55997)
On a 6400 platform, when you boot an image and then select that image to be discarded, the system does not require you to select another image. To work around this issue, you can use the switchboot utility to specify the default image to which you want the system to boot during startup.

Loss of links on SFP modules (CR56019, CR74013)
For D62/C62 systems, the system sometimes does not detect the loss of a link on SFP modules that are set for auto negotiation. You can work around this in software by removing the ports from the linkscan and manually enabling and disabling them.

Partial ACKs and TMM issues (CR56110)
When a mirrored connection receives a partial acknowledgement (ACK) and the data being acknowledged has not passed through TCP4 yet, the Traffic Management Microkernel (TMM) service might generate warnings, as there might be insufficient data in send queue to drop. There is no workaround for this issue.

Receiver side SACK report and stale information (CR56169)
During normal operations, the receiver side SACK report can contain stale information. There is no workaround for this issue.

Non-existent last hop pool and virtual server (CR56234)
You should not be able to assign a pool of last hop routers to a virtual sever when that pool does not exist but currently the system allows it.

HTTP::disable command and server responses (CR56257, CR66569)
The HTTP::disable command logic assumes that the HTTP::disable command is always called with a client-side connection flow. This is incorrect, and can cause problems that lead to the system not passing the server response back to the client after the HTTP::disable command has been called on a connection. To work around this issue, when you are calling from the server side, use the client-side { HTTP::disable } command.

ConfigSync User passwords (CR56405)
When you use the command line interface to change the ConfigSync User password on a unit of a redundant system, the BIG-IP system should display a reminder to change the password on the peer unit. However, it currently does not. For configuration synchronization to succeed, the passwords on the two units must match.

Rule setting for authentication profiles (CR56510)
When the system displays the New Authentication Profile screen for a specific type of profile and you change the Type setting to a different profile type, the value of the Rule setting does not change accordingly. You must explicitly change the value of the Rule setting to match the newly selected profile type.

Syslog-ng data in .ucs files (CR56679)
When you create a .ucs file, the saved configuration data does not include the Syslog-ng configuration file, /etc/ syslog-ng/syslog-ng.conf. Consequently, restoring the saved configuration does not restore any Syslog-ng configuration changes that you made prior to saving the data.

Stats profiles and the bigpipe utility (CR56708)
When using the bigpipe virtual command to assign a Stats profile to a virtual server, the system does not automatically assign the necessary TCP profile. To work around this, either use the Configuration utility to create the virtual server and assign the Stats profile, or specify a TCP profile name for the bigpipe virtual command when you run it from the command line.

Time zone specification after configuration synchronization (CR56739)
When you perform a configuration synchronization from one unit of a redundant system to another, the BIG-IP system assumes that the target unit is in the same time zone as its peer. The system therefore overwrites the time zone of the target unit with the time zone of the peer unit.

SSL connection on BIG-IP version 9.0.5-to-9.1.1 systems (CR56742)
For pre-9.1.0 systems that have been upgraded to version 9.1.1 and include a Federal Information Processing Standard (FIPS) card and a Client SSL profile assigned to a virtual server, the system inadvertently terminates client SSL connections. You must reinitialize the FIPS cards after upgrading.

Prefer Fixed setting on copper and fiber cables (CR56810)
When both a copper and SFP fiber connection are used between two similar combo ports of two BIG-IP 8400 platforms, and the Prefer Fixed copper medium is selected as preferred on both ends, the SFP fiber becomes and remains active following system initialization.

Virtual servers and SSL profiles (CR56817)
If you assign an SSL profile to a virtual server a message about an FTP profile might appear. This message is benign.

Performance and mirrored connections (CR56874)
On certain BIG-IP system platforms, a heavy traffic load (such as 100 megabytes of HTTP traffic) could adversely affect performance when the connections are being mirrored to the peer unit.

Media setting for management interface (CR56897)
If you set the media setting of the management interface to something other than auto (the default setting), and then save the configuration, remove the interface configuration data from the bigip_base.conf file, and reload the configuration data, the media setting for the interface does not reflect the default setting. The interface retains its previous media setting.

Traffic on newly active system (CR56902)
After you configure the BIG-IP system, save the configuration, and restart the system using the bigstart restart command, the system indicates that it is active. However, you might experience a slight delay, from a few seconds to a minute, before the system begins to pass traffic.

Link status on peer system (CR56905)
When you disable a combo port, the link light turns off on the BIG-IP system. However, the link is not down on the peer system.

Time zone display in log messages (CR57033, CR58170)
When you use the Configuration utility to change the time zone on the BIG-IP system, the time zone does not get synchronized throughout the system until you issue a restart. That means that log messages resulting from creating a pool or an archive, and from other activities, show the previously defined time zone. You can synchronize the new time zone and the subsequent log messages by using the bigstart restart command.

Configuration synchronization and remaining files (CR57245)
When configuration synchronization does not succeed, several files remain on the system in the /var/tmp directory instead of being automatically deleted.

TMM memory allocation restrictions and iRules (CR57252)
If an iRule attempts to buffer more than four megabytes of data into a Tcl variable, the Traffic Management Microkernel (TMM) service could become unavailable. This is due to a four-megabyte TMM restriction on contiguous memory allocation.

Node status on removal of ICMP monitor (CR57256)
When you remove the ICMP monitor from a node, the node status should show that the node is not being checked.

OTCU and password change (CR57259)
When running the One-Time Configuration Utility (OTCU), if you change the password, you are asked to type the new password twice. However, the OTCU does not check to make sure these two password entries match. The passwords are displayed on the screen. We recommend you verify that the passwords are correct before completing the password change. In the event that you mistype the password the second time, the first password is accepted.

bcm56xxd startup message (CR57293)
When the bcm56xxd utility starts, you can get a false error message: bs_if_initialize_all: can't init < ifname>. This error occurs unnecessarily and does not affect product performance.

Source and Target settings in Stream profiles (CR57307)
In a Stream profile, you cannot use the slash (/) character when specifying values for the Source and Target settings.

Active/inactive status difference in 9.x and 4.x (CR57309, CR66317)
In version 4.x, the output from the b pool show command showed the active or inactive status of a pool member based on priority and minimum active members, among other things. On version 9.x, even if a pool member is inactive due to its priority, the b pool show command displays it as active, which is not what version 4.x does. This is incorrect behavior. A node should be shown as active if all of the following conditions are met:

  • The node is enabled.
  • Monitoring shows that the node is healthy.
  • Traffic on the node is below its connection limit.
  • The node has high enough priority based on its number of active members.

Newer and older version upgrades and the -force argument (CR57354)
When using the im script to upgrade a local BIG-IP system installation from a newer version to an older version, you must specify the -force argument.

EUD and external connections (CR57360, CR57362)
When the EUD runs, it assumes that there is no external traffic in or out of the BIG-IP system, but external peers can still detect link connectivity and send traffic to the BIG-IP system. This can cause the EUD internal packet path test to fail.

SSL profile option in command line utility and Configuration utility (CR57421)
You can configure the following Client SSL or Server SSL profile options using the command line, but not the Configuration utility: MICROSOFT_SESS_ID_BUG, NETSCAPE_CHALLENGE_BUG, PASSIVE_CLOSE, and SSLREF2_REUSE_CERT_TYPE_BUG. If you modify the profile in the Configuration utility, you disable these options. We recommend that, if you need to use these options, you do not use the Configuration utility to configure them.

Fast L4 profile reset on timeout (CR57425)
When you disable the Reset on Timeout setting on a Fast L4 profile and specify an Idle Timeout value, the BIG-IP system still sends a reset (RST) packet and deletes the connection after the specified idle timeout value has expired.

domain command in iRules (CR57448)
The iRule domain command inadvertently truncates the domain name.

Dropped packet count behavior (CR57456)
The drop count behavior for unicast packets with matching source and destination MAC addresses not associated with the receiving BIG-IP system differs between the BIG-IP 1000 (D39), BIG-IP 2400 (D44), BIG-IP 5100 platforms and 5110 (D51) and the BIG-IP 1500 (C36), BIG-IP 3400 (C62), BIG-IP 6400 (D63), BIG-IP 6800 (D68), BIG-IP 8400 (D84) platforms due to switch hardware counter differences.

IPv6 last hop pool node and connection.autolasthop (CR57466)
When using IPv6, disabling the bigdb key connection.autolasthop sends the connection to the existing default route instead of a last hop pool node.

Interface statistics and trunks (CR57478)
When you remove an interface from a VLAN and assign the interface to a trunk, the trunk inherits the statistics of the interface in the VLAN. The trunk should show new statistics rather than inheriting them from the interface.

Load sharing by 10 Gb interfaces in a trunk (CR57479)
After you add a 10 Gb interface to a working trunk that has another 10 Gb interface, the load is not shared between both interfaces. Restart the lacpd service to fix the problem.

MCP validation and incomplete base authentication profiles (CR57482)
Master Control Program (MCP) validation improperly allows a virtual server to reference an incomplete base authentication profile. Such profiles (for example, a stock ssl_ocsp profile without the config attribute set) should not be referenced by a virtual server.

IP fragment forwarding (CR57638)
When the Fast L4 profile setting Reassemble IP Fragments is set to the default value of disable and the size of the first fragment is less than 246 bytes, the system does not always forward egress fragments. To prevent this problem, make sure that the first fragment is greater than 246 bytes.

Syslog-ng: uninitialized interfaces after syslog-ng fails to start or if it has been manually configured (CR57698)
If syslog-ng does not start or if you have manually configured the syslog- ng daemon, the system interfaces might not initialize properly after you upgrade the system. For more information, see SOL5872: BIG-IP does not pass traffic and non-management interfaces are non-responsive after upgrading BIG-IP to version 9.1.1 or 9.2.2 and SOL5879: BIG-IP does not pass traffic and non-management interfaces are non-responsive if syslog-ng fails to start.

RIP version 1 on Local Traffic Manager version 9.0 or later (CR57708)
Certain advanced routing protocols (such as RIP v1) that depend on the BIG-IP system receiving directed IP broadcasts do not work on BIG-IP system version 9.x. This might affect the dynamic updating of the BIG-IP system's routing table.

bigpipe base list command output (CR57784)
When you type the command bigpipe base list, the output erroneously shows the default port lockdown value for the udp/520 protocol name as udp efs instead of the correct protocol name, router.

EXPORT ciphers and performance (CR57798)
The greater the number of EXPORT ciphers implemented in a configuration, the greater the chance of slower performance from the Local Traffic Manager. If the Local Traffic Manager is performing slower than expected, we recommend looking at the number of EXPORT ciphers in place and seeing if any of them can be removed or refactored.

Invalid user-modified variables (CR58128)
The BIG-IP system should not accept invalid values of user-modified variables that contain all zeroes. We therefore recommend that you do not use values containing all zeroes.

Management route deletion (CR58209)
Deleting the management route deletes the route from Traffic Management Microkernel (TMM) but fails to delete the route from the Linux routing table. Issuing a route command from the command line will show that the route still exists.

Data compression using deflatexxx and x- gzip (CR58225)
If the BIG-IP system receives an HTTP response with a Accept-Encoding header value that contains the string gzip or deflate, the data is erroneously compressed using the corresponding gzip or deflate compression algorithm. For example, if the header value is deflatexxx, the system compresses the data using the deflate algorithm. This is incorrect. The system should only use the gzip or deflate algorithm when the header value matches the algorithm name exactly (that is, when the header value is gzip or deflate).

bigip.conf file and Windows-style line termination (CR58243)
Using Microsoft Windows-style line termination (carriage return/line feed) in the /config/bigip.conf file results in load failure. To work around this issue, use Linux-style line termination.

Configuration synchronization password message (CR58256)
When you use the Allow Console Access check box on the Users screen to enable or disable console access, the system displays an unrelated message about the ConfigSync password. You can ignore this message.

PVA1/PVA2 VLAN limit for hardware acceleration (CR58266)
The Packet Velocity® ASIC (PVA) PVA1/PVA2 system supports a maximum of 16 MAC addresses for VLANs for hardware assist acceleration. If more than 16 VLANs are configured on the system and the vlan.macassignment bigpipe db variable is set to first-member, the BIG-IP should place all virtual servers into software-only mode. As a result, the pvad daemon places some virtual servers into wired mode when they should be in assist mode, or in assist mode when they should be in wired mode.

User names in the ConfigSync User list (CR58267)
In the Configuration utility, for the ConfigSync User setting, user names for administrative users other than admin do not appear in the list of user names.

Command line support for Administrator-role users with remote accounts (CR58292)
If the user account has the Administrator role assigned to it and is stored on a remote authentication server, you do not have command line interface access to other remote user accounts. However, you can access remote user accounts through the Configuration utility.

Connection mirroring for redundant systems (CR58331)
If the network connection between the two units of an active/standby redundant system goes down while connection mirroring is enabled, and the connection is subsequently re-established, the system does not mirror any Fast L4 flows that occurred while the network connection was down. However, the system does successfully mirror new flows that occur after the connection is re-established.

Invalid IP address error message (CR58431)
When you assign an invalid IP address to a pool member, the system displays the follow error message, which is not indicative of the actual problem:

BIGpipe: pool member creation error:
01070636:3: IP V6 not licensed (pool member 18d7:4308::)

Password expiration prompt (CR58444)
When an account password is due to expire and the system prompts you to enter a new password, the New Password box is mistakenly populated with the old password. If you simply click Update, the system accepts the old password instead of requiring a new one.

User account removal (CR58498)
When you delete a user account from the BIG-IP system, the user entry in the file /etc/security/opasswd is not automatically deleted.

Secure password enforcement for root account (CR58544)
When a password expiration warning is displayed for the root account, the system erroneously applies the secure password enforcement settings to the new password. These settings should only be applied to non-Administrator user accounts.

ConfigSync status in Configuration utility (CR58820)
After you perform a configuration synchronization from an active unit to a standby unit, the ConfigSync Status in the Configuration utility continues to recommend synchronizing the configuration. You can ignore this recommendation.

Warning message for password expiration (CR58828)
When a user password is due to expire in less than 24 hours, the warning message states that the password will expire soon. If you see this warning message, change the password as soon as possible.

bigstart utility and Perl script error (CR58877)
Running the bigstart utility repeatedly on the BIG-IP system can trigger a Perl script error, causing the system to become inoperative and requiring you to reboot the system.

iControl and memory values (CR58958)
On a 4 GB system, the memory value numbers that iControl returns are unintuitive and negative. There is no workaround for this issue.

RAM cache maximum size (CR59037)
Using a zero value for the size of the RAM cache (0) erroneously disables the RAM Cache feature altogether. In previous versions, the system treated a zero value as an unlimited RAM cache size. This is no longer the case for BIG-IP version 9.2 systems.

iControl: Mismatched tag in RouteTable::set_static_route_gateway (CR59096)
There is a mismatched tag in the RouteTable:: set_static_route_gateway method which generates an exception. There is no workaround for this issue in this release.

Named and snmpd restart after running commands (CR59131)
After running the b config sync, b config save <savename>, or b config install <installname> commands, you might see erroneous-looking named and snmpd restart messages. The named restart message appears similar to the following:

Feb 1 09:42:52 d84unit1 zrd: 01150c10:3: Error 'No such file or directory' from stat of '/var/named/ config/named.conf'

These messages are benign, and you can safely ignore them.

Tilde character in URL for OCSP responder configuration (CR59277)
You cannot use a tilde character (~) in the URL box on the New OCSP Responder screen of the Configuration utility. To work around this problem, you can use the %7E escape character.

Profile configurations in the bigip.conf file (CR59279)
Changes that you manually make to profile configurations in the bigip.conf file do not take effect until you issue a bigstart restart command.

Configuration utility options for Application Accelerator product (CR59307)
When you are using the Application Accelerator product, the Configuration utility displays certain profile and virtual-server types that are not valid for that product. If you select any of those types, the system displays an error message.

Manual edit of bigip.conf and file save (CR59365)
If you manually edit the virtual address or node commands in the bigip.conf file, you must run the command bigstart restart to propagate configuration changes in the system. We do not recommend manually editing this configuration file.

Output of bigpipe trunk command (CR59393)
If you have a trunk between two BIG-IP systems, and you stop the lacpd service on one system and disable link aggregation on the other system but retain the link, and then restart the lacpd service on the first system, when you type a b trunk show all command, the system erroneously reports that the links are still aggregated.

Inactive destination and active source listeners (CR59729)
Inactive destination listeners interfere with active source listeners. There are two workarounds:

  • On the internal server, create a static route for the virtual address using an internal floating self IP address assigned to the same unit as a gateway.
  • On the internal side, create virtual servers on the same unit that handles the outbound SNAT, allowing the internal server to access resources that are otherwise reachable (from the outside) from the other unit.

Rate of alert messages (CR59902)
When a stress-related Packet Velocity® ASIC (PVA) failure occurs, the system sends alert messages at a rate of over 200 entries per second. In this context, a stress-related failure might consist of a BIG-IP 6800 with 16 virtual servers configured with FastL4 profiles, each with HTTP-monitored pools of 6 nodes, processing 80 kb connections per second.

OSPF packets to host are subject to SNAT (CR60096)
If you configure and enable global Secure Network Address Translation (SNAT) on a VLAN on which you also configure Open Shortest Path First (OSPF), OSPF fails to establish adjacency to neighbor routers. This is because incoming OSPF Helo packets have their source addresses translated by the SNAT. As a result, OSPF cannot learn and advertise routes. You can work around this issue by removing the global SNAT and configuring an equivalent SNAT on a per-virtual-server basis using the snat automap or snatpool <pool_name> statements. If you require pure SNAT forwarding, you must create an IP forwarding virtual server with a corresponding SNAT configured. Once you complete this configuration, you must restart Traffic Management Microkernel (TMM) by running the bigstart restart tmm command or rebooting the system.

Halted HTTPS connection (CR60300)
The system uses the alert timeout to end the communications on the HTTP link, even if the system is still encrypting and sending data on the HTTPS link. To work around this issue, on the SSL profile, change the Alert Shutdown value to Unlimited. In addition, early documentation for this attribute incorrectly described it as timeout of the SSL session cache. In fact, this attribute specifies the duration in time that the system waits while trying to close an SSL connection before the system resets the connection.

Route metrics and ROUTE::rtt (CR60606)
Route metrics are not per-VLAN, which can cause problems for ROUTE:: rtt. There is no workaround for this issue.

Connection pool after RST from client (CR60610)
When a session is enabled and then disabled, the system still uses the old port for responding. There is no workaround for this issue.

VLAN group configuration (CR60929)
The system use a wrong MAC address in the ICMPv6 neighbor-discovery packet when using the vlan group config command.

Time zone information in mail headers (CR60976)
Even when the time zone is changed, the system keeps using an old copy of the time zone information for putting headers on mail.

Stale virtual address when changing virtual server address (CR61110)
When you change an existing network virtual address from a specific one to the general (for example, changing to any:any or, the process does not remove the previously configured address. The problem with network virtual addresses is that they respond to Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP) requests, so having stale network virtual addresses could cause problems, or at least result in unexpected behavior. To work around this problem, remove the out-of-date virtual address by navigating to the Virtual Address List tab from the Virtual Servers screen under Local Traffic, or remove the stale address from the bigip.conf file, and type b load at the command line.

HTTP fallback host use with available nodes (CR61942)
The HTTP profile uses the specified fallback host even when nodes are available, if Reselect is specified for the Action On Service Down setting for the pool. This can occur if persistence or node priority is configured and the target node stops responding, but the state change has not yet been detected by the monitor, or when there is no monitor. For an iRule you can use to work around this situation, see the workaround Controlling fallback with an iRule.

OneConnect profile properties maximum size label (CR62267, CR62381)
In the properties of the OneConnect profile, the Maximum Size setting is displayed with the unit bytes, instead of connections. The actual value is in connections. This is a field-labeling error only; the data is actually reported in bytes.

SNAT mirroring when connections handled by another virtual server (CR62394)
In a way, SNATs are actually wildcard forwarding virtual servers that are active only for traffic sourced from certain addresses. However, the forwarding part of SNAT has very low priority, so as soon as there is any other virtual server matching the flow, SNATs turn into pure address manipulation, and all flows are created and managed by the virtual server matched based on destination (or VLAN). Since the forwarding virtual server might not have mirroring turned on, no flows are mirrored. To work around this situation, you must create a SNAT specifically for traffic that you want mirrored (using the origin and mask). You must then create a forwarding virtual server whose traffic does not match the SNAT (using destination address, or enabled on VLAN setting, or iRule), and turn on mirroring there.

Reboot cycle using minimum active member as fail-safe action (CR63132)
Setting a minimum number of pool members that must be available as fail-safe action can result in a reboot cycle. When you configure a gateway fail-safe action that uses the Threshold setting of a minimum number of available pool members, the system might initiate the action right after startup, before the monitors have had a chance to engage all the nodes. Because the system detects an insufficient number of members, this results in immediate fail-safe action. If the Action you configure is Reboot, this can put the box into an endless reboot cycle. To avoid this situation, do not configure these two settings together.

Pool member status changes and the /var/log/ltm if mcpd log = debug (CR63829)
When the MCPD log is set to debug, the system does not write monitor status changes messages to the /var/log/ltm file. To remedy this situation, turn off debug logging for MCPD. Also turn off debug logging because it can fill up the disk. To change the setting, run the following command at the command line:
b db Log.Mcpd.Level notice

ConfigSync and null responses (CR63860)
Sometimes, when the system attempts a ConfigSync operation, the system receives a null response after issuing the command. This can happen for various reasons: for example, trying to start a ConfigSync operation to an IP address with no physical device attached. Although the operation fails, the system does not present an error message at the command line. In the browser-based interface, the system presents the message: Error executing shell command. However, because subsequent operations expect content on the screen instead of a message, the error condition causes the ConfigSync operation to fail. This condition occurs very intermittently; there is no reliable set of steps that reproduce the problem. You can work around this issue by running the ConfigSync command from the command line.

Redirect rewrite of host (CR64136)
Although Application Security Module never changes a server response, the BIG-IP system should, but does not rewrite the location header when Application Security Module is enabled. You can use an iRule to work around this condition. Before using the iRule, make sure you disable rewrite redirect in the HTTP profile by selecting None in the Redirect Rewrite list. You can rewrite the location header for an HTTP_RESPONSE event with an iRule. For an example of an iRule you can use, see the workaround Rewriting the location header when ASM Application Security Module is enabled

Fifth add-on key and license (CR64176)
In order to activate a fifth registration key, you must remove one of the existing add-on registration keys and then add the key you want. Then, you can add back the key that you previously removed, and all add-on registration keys will be enabled.

Empty image slots and upgrade or installation (CR64693)
If the installer detects an unclean filesystem during an installation or upgrade operation, the installation process is not interrupted. However, the installer does not find the installed products, and the Boot Image Configuration screen reports all drives with the designation Empty. When this occurs, cancel the installation operation and start it again. When the process begins again, the Boot Image Configuration screen reports the installed products correctly. For information on how to proceed if you have already continued the operation, see SOL6440: Current image slots appear empty during upgrade or installation due to unclean filesystem.

Application security with wildcard virtual servers and pools (CR65341, CR66193)
If you configure a wildcard virtual server (* All Ports) or a wildcard pool (* All Services), and you are using an application security class on the virtual server, you must enable the port translation and address translation settings on the virtual server. If you do not enable these settings, the system does not properly route traffic through the Application Security Module. To enable port translation and address translation for a virtual server, see the workaround, Enabling port translation and address translation.

Note: For more information about wildcard virtual servers and wildcard pools, refer to the Configuration Guide for BIG-IP® Local Traffic Management, which is available on the Ask F5 Knowledge Base web site.

b config save <filename> command and load conditions (CR66502)
Running the b config save <filename> command can cause the failover heartbeat to fail if the system is simultaneously experiencing high load conditions. The heartbeats are missed while the save is occurring. To work around this, you can change the timeout and retry settings.

Fallback redirect after RST packet from server (CR66570)
If you configure a fallback host in the HTTP profile, and the BIG-IP system receives an RST packet from the server after the server-side connection is established, but before the BIG-IP system receives a complete response header, the BIG-IP system sends the client a fallback redirect. The BIG-IP system does not issue an LB_FAILED event prior to this, unlike other fallback redirects. In contrast, if the BIG-IP system receives a FIN packet from the server during that same window, the BIG-IP system passes it through, and closes the client-side connection without sending any redirect. Correct behavior after receiving an RST packet from the server in this window is to similarly pass the RST packet through to the client, rather than sending a redirect. You can use an iRule to work around this issue. For an example of an iRule you can use, see the workaround Using an iRule to manage fallback redirection after receiving a reset packet.

Empty VLAN tagged as 1 (CR66688)
To create a VLAN using a tag of 1, you must add at least one interface or trunk member to that VLAN. Otherwise on a Packet Velocity® ASIC 10 (PVA10) system (such as the BIG-IP 8400), PVA10 is not configured properly, and experiences connection problems.

System report of pool member or node status when using multiple monitors (CR66918)
When multiple monitors are used, the system posts a misleading change status/log message for a pool member. When the first instance is set to up and the monitor rule is evaluated, the pool member is still considered down because the message for the second monitor instance has not yet marked it up. As a result, the system issues a log message that indicates that the pool member or node is down. You can ignore this message. As soon as the second monitor instance message arrives, the pool member is marked up.

Support for pool name gateway (CR67312)
You can create a pool named gateway. You can then use the newly created pool to specify a route. However, running the b load command on the command line then fails. If the system is configured as a redundant system, the ConfigSync operation also fails with syntax errors. To work around this issue, do not create a pool named gateway.

Redirect rewrite with non-standard port (CR67505)
When you set an HTTP profile Redirect Rewrite setting to All, if the HTTPS virtual server is running on a non-standard port, that port is not inserted into the rewritten location URL. The node sends an HTTP redirect whose URL uses the node's IP address. On the client side, the redirect URL is translated to HTTPS protocol and the virtual server's IP address, but no port is present. You can use an iRule to work around this. For an example of an iRule you can use to work around this situation, see the workaround Rewriting the redirect address when using a non-standard port.

bp load command on disabled interface (CR67811)
If you run a bigpipe load command while an interface is disabled, the disabled interface goes down. The problem is that the process sets the media type incorrectly. You can issue the command b interface xxx media auto to fix the interface, or you can issue a bigstart restart command to re-enable the interface.

SNAT statistics report (CR67871)
When two SNATs have overlapping origin lists, the more specific SNAT correctly translates the traffic. However, both the general SNAT and specific SNAT increment their statistics, indicating that both SNATs handled the connection, which is incorrect.

Transaction compaction and mcpd (CR68230)
Very rarely, during the compaction of a transaction, an operation causes an mcpd service restart. This is due to a problem in the McObject® eXtremeDB b-tree module.

Static Layer 2 forwarding database entries on trunks (CR68584)
The syntax of adding a static Layer 2 forwarding database entry on a trunk is slightly different from adding a static Layer 2 forwarding database entry to a VLAN. You can run the following command to add or delete a static Layer 2 forwarding database entry on the trunk:
b vlan <vlan_name> fdb < mac_address> trunk <trunk_name> add|delete
For example:
b vlan coppervlan2 fdb 00:E0:81:25:3A:32 trunk coppertrunk2 add

You can run the following command to add or delete a static Layer 2 forwarding database entry on a VLAN interface:
b vlan <vlan_name> fdb < mac_address> interface <interface_name> add|delete
For example:
b vlan external fdb 00:E0:81:25:3A:31 interface 2.1 add

bd process as a monitored process (CR68907)
Currently, the bd process is not part of the snmpd.conf file, and as a result cannot be monitored by an SNMP manager. There is no workaround for this issue.

LCD panel and system halt (CR68925)
Occasionally, when you use the LCD panel to halt the system, the message remains Are you sure you want to halt? Ok Cancel. The LCD panel never clears, and you cannot select the Option menu.

Indefinite SSL session cache timeout (CR68996)
Setting a client SSL profile cache timeout to Indefinite has the opposite effect: sessions are never resumed. In this release, the longest period you can set the cache timeout to is one day.

iRule command use in Fast HTTP profiles (CR69212)
When using Fast HTTP profiles, you can use an iRule to select a pool but not a pool member.

Duplicate keys inside the FIPS card (CR69385)
If you rename .exp files (the exported keys) to a different name and re-import them, the system creates duplicate keys inside the Federal Information Processing Standard (FIPS) card. To work around this issue, do not rename and re-import exported key files.

Switchboard fail-safe during load test (CR70923)
A switchboard fail-safe can be caused by excessive numbers of connections being abandoned and then expired. This generates a number of RST (reset) packets which flood the NICs, thus causing LACP traffic to be dropped for 30 seconds, and eventually ending in the switchboard fail-safe.

bigd command and system messages (CR71195)
You can run the command b daemon bigd running enable, but it is only used (or has an effect) on Traffic Management Microkernel (TMM) and mcpd. The system should post an error message in this case, but it does not.

Daemon name parsing (CR71298)
Because the system does not parse for valid daemon names, when using the command line interface, if you misspell the name of a daemon, the system can create an invalid entry in the browser-based Configuration utility daemon table (but not in the command line high availability table). If you delete the entry using the command line interface, and then clear the bigip.conf entry, the entry still displays in the Configuration utility until you issue a bigstart restart command.

Pool delete when assigned to an HTTP class (CR71478)
The system does not warn or stop you from deleting a pool that is assigned to an HTTP class, even if the HTTP class is assigned to a virtual server. After you delete the pool, the system shows None as the pool property of the HTTP class. Upon deletion of the pool, any traffic that could pass through the HTTP class does not pass. If you then create a new pool of the same name (with members), the system automatically uses this pool for the pool property of the HTTP class, and the traffic passes as if you never deleted the pool.

b pool member ALL session enable in versions 9.2.3 and 9.1.2 (CR71601)
You cannot use the session enable and session disable actions when you use all as the pool member specifier in a bigpipe pool command, but you can use the show and list actions. That means that b pool <poolname> member all session disable does not work, but b pool < poolname> member all show does.

HTTP rewrite redirect and location header (CR71656)
Rewrite redirect does not check the location header syntax, so when you set to Redirect Rewrite All, the system inserts the letter s into a redirect URI after the fourth character, even if the first four characters are not HTTP.

SNMPv3 delete from properties screen (CR72057)
When you use the browser-based Configuration utility to delete an SNMPv3 access record from the record properties screen, the delete fails with an error 01020036:3: The requested BIGdb variable (snmp.conf.user.__iter__) was not found. You can delete the record from the access record list screen by, instead, selecting the associated check box and clicking the Delete button.

Special characters in HTML in iRule (CR72140)
The system incorrectly displays and saves special characters (such as accented e) in HTML in iRules.

SSL handshake and EV_SENT messages (CR72363)
Infrequently, client congestion during the initial SSL handshake can cause HTTP to log the message tmm[22210]: 011f0007:3: http_process_state_cx_wait - Invalid action EV_SENT during ST_HTTP_CX_WAIT and close the connection. SSL should not raise this event in this context, but the message is not critical.

IPv6 support in BIG-IP ZebOS implementation (CR72437)
Currently, the BIG-IP system ZebOS® set of advanced routing modules does not support IPv6 addressing format.

Network-dependent daemon and VLAN startup (CR72661)
If network-dependent daemons start before VLANs, self IP addresses, and routes are configured on the system, the daemons might not work correctly. This applies only to system startup. This release does not support triggering startup of network-dependent daemons based on completion of network configuration (that is, completion of trunk, VLAN, self IP address, and static route configuration).

Overlapping SNATs and the b load command (CR73523)
If you use the b load command to load a configuration that contains overlapping SNATs, the system returns a SNAT-creation error. Unfortunately, if the configuration contains other changes, those changes are merged into the existing configuration, resulting in a damaged configuration. At this point, the configuration of the mcpd service and the rest of the system are out of sync. Attempts to change the configuration result in Packet Velocity® ASIC (PVA) restarting and Traffic Management Microkernel (TMM) logging multiple MCP-related error messages to /var/log/ tmm. To work around this situation, you can increase the mcpd service transaction size using the -t option when you run the b load command.

Pool modification error: 01031000:3: eXtremeDB - data validation failed (CR73786)
If you name pools in a specific way (for example, gwp1 and gwp11), and both pools have min member up settings, the system can erroneously present a data-validation error pool modification error: 01031000:3: eXtremeDB - data validation failed. For an example of how to correctly configure pools to avoid this error, see the workaround, Changing the configurations of pools.

Two SNATs with same origin (CR73815)
When you create two SNATs with the same origin (such as mask, the system presents an unhelpful error message: 01070350:3: Snat Origin 8ff:aa09:f507::6100:b8ee:4400 does not have a valid netmask 8ff:aa09:b8ee:4400:88c5:fffe:55a9:4200. This simply means that you cannot create two SNATs with the same origin.

EUD notes (CR73866)
There is a note in the End-User Diagnostics (EUD): Field Testing Hardware documentation: The EUD is supported only on the following platforms running BIG-IP version 9.2. It should say that EUD runs on version 9.1.2 and later.

qkview and ldns.gz (CR74876)
The current qkview tool gathers all files under the /config/gtm directory, including the ldns.gz file. This file can get rather large, since it contains the known LDNS list.

ARP update warning message (CR75538)
The Address Resolution Protocol (ARP) update warning message binding for <IP address> changed from <MAC1> on vlan <VLAN1> to <MAC2> on vlan <VLAN2> displays the entire IEEE 802.1Q tags instead of VLAN IDs.

VLAN MAC address update (CR75974)
The VLAN MAC address does not change when the interface whose address has been used is removed from the VLAN. This may result in two VLANs using the same MAC address. This does not cause problems under normal circumstances, but when both VLANs are connected to the same physical segment, some switches might have problems. To initiate the change, you can issue a bigstart restart command.

Interaction between lasthop pools and auto_lasthop (CR76055)
Lasthop pools and auto_lasthop settings are not currently configurable via a DB variable causing routing differences between 4.x and 9.x.
Auditing information about forced failover (CR76096)
Currently, the system generates a log entry indicating that a virtual IP address has failed over, but the log does not indicate what forced the failover to occur.

TCP retransmit under low-memory conditions (CR76231)
If TCP attempts to transmit data when there is no room for the TCP header in the first fragment, and the attempt to prepend a fragment to the packet fails, when TCP attempts to retransmit the packet, it tries to delete the TCP header from the packet. This causes Traffic Management Microkernel (TMM) to restart, as the TCP header is not present. This occurs only on low-memory systems, such as the BIG-IP 1500.

FTP monitor behavior (CR76395)
The FTP monitor can mark a member as UP even if a file was not transferred. The FTP monitor should not mark the member as UP unless it can actually retrieve the file.

Port mirror from 1 GB port to 10/100 (CR76539)
Attempting to perform a tcpdump operation on a port or multiple ports while interface mirroring is configured, which is not recommended, can result in the following messages.
Jan 22 00:38:53 sccp bcm56xxd[369]: 00010016:6: Warning: timeout draining packets on port ge6 lcccount = 0x024a
Jan 22 00:38:53 sccp bcm56xxd[369]: 00010016:6: Port ge6: bcm_port_update failed: Internal error

Multiple default SNATs (CR76632)
If you configure multiple SNATs with the same origin, the system does not load the second SNAT, even though it is configured for different translations and associated with different VLANs.

statsd and New Connections graph (CR76848)
On the Performance screen with the All or Connections tabs selected, the New Connections graph shows the total count for all TCP connections, instead of the server-side connections for server connections. To get the correct statistics, click the detail graph.

Large iRules and snmpd (CR76931)
Large iRules can cause the snmpd process to restart. There are two possible workarounds: simplifying the iRule by removing several else-if statements, or changing any pool names so that they do not contain hyphens.

SNAT translation idle timeouts for FTP (CR76933)
The idle timeout settings that are set on SNAT translations do not work for FTP. The timeout for FTP is always set to 300 seconds.

Client-side connection reset and server-side connections (CR77060)
If the system is sending a response to the client, and before the response reaches the client, the client resets the connection, then the TCP window no longer responds. Subsequent requests serviced by the server-side connection still function, but TCP does not send data. The only workaround available is not using the OneConnect profile.

SSL monitor writing (CR77217)
The SSL monitor can halt processing. Running netstat -na shows the monitor connection as ESTABLISHED, but it simply stays in that state. If you determine that you have a halted SSL monitor, you can restart the bigd process, or remove the monitor instance and recreate it.

Remote user console access (CR77422)
Certain combinations of operations in the browser-based Configuration utility can allow all external users to have console access. For an example of how to prevent this, see the workaround, Preventing console access for remote users.

Floating self IP address validation message (CR77439)
During load, if the bigip.conf file contains an error, for example, if a self IP address refers to a nonexistent VLAN, the system does not post an error message. The result is that there is a mismatch in the system configuration that can lead to a Packet Velocity® ASIC (PVA) core dump
containing the following message: tmm tmm[1582]: 01010007:3: Config error: virtual_server_profile bad profile. To work around this situation, you can increase the mcpd service transaction size using the -t option when you run the b load command.

Virtual server created with port 0 (CR78293)
If you add a virtual server with a 0 port at the time you create the server object, the system does not create the virtual server.

Duplicate IP address configuration error silently ignored by bigpipe load (CR78952)
If you edit the bigip.conf to swap the IP addresses of two virtual servers, the first virtual server stops processing requests. The system reports no error.

Motherboard CPI temperature and fan sensor readings on BIG-IP 1500 (CR79150)
In this release, the system occasionally presents incorrect out-of-range readings for the BIG-IP 1500 platform motherboard CPU temperature and fan sensors. When this occurs, the system posts log messages indicating the CPU was too hot and fan speed were either non-existent or too low.

PVA1 and PVA2 and UDP checksum 0 (CR79749)
Packet Velocity® ASIC (PVA) versions 1 and 2 (PVA1 and PVA2) does not handle a connection received with a User Datagram Protocol (UDP) checksum of zero ( 0 ). To avoid the UDP-checksum-zero condition, create a Fast L4 profile and set PVA acceleration to none for that profile. Then use that customized Fast L4 profile instead of the standard Fast L4 profile for those UDP virtual IP addresses that might receive a UDP checksum of zero.

Node status marking (CR79972)
Nodes marked down by an ICMP monitor and then added as pool members, show as red (unavailable) in the browser-based Configuration utility but the command line utility reports the pool members ACTIVE,UNCHECKED SESSIONS ENABLED by the bigpipe command b pool output. The system incorrectly sends traffic to the nodes as if they were active. To work around this issue, assign the appropriate IP address to the server before you assign the node an ICMP monitor.

Behavior change for Platform.DiskMonitor.GrowthAlert.var_run variable (CR80622)
To handle an error condition in the BIG-IP system, we have changed the setting of the Platform.DiskMonitor.GrowthAlert.var_run database variable to 25%. Upgrading the software changes the setting of this variable to 25%, so if you specified a different value, you must reset it after you upgrade.

RSA keys with bit length not divisible by 8 causes assert in Nitrox driver (CR82078)
Certificates with RSA key lengths not divisible by 8 cause the parameters to the Nitrox device to be misaligned.

STPDU received on 10G port not forwarded in STP passthru mode (CR82508)
STPDU received on 10G port does not get forwarded in STP passthru mode.

Interface flaps during config load if fixed media set (CR82694)
An interface with the media hard set in the config file flaps UP/DOWN during a configuration load.

Redirect rewrite nodes modifies address, but not protocol or port (CR82702)
When using the redirect rewrite feature in node mode, only the address is modified, not the port.

Discrepancy in priority group default (CR83174)
Due to a discrepancy in the priority group default value, the system ignores least connections optimizations.

HTTP::host iRule command in server-side events (CR83776)
HTTP::host command should not be called within server-side events. Currently, this does not cause a failure during configuration.

Active FTP data connection can tear down pre-maturely (CR84083)
Active FTP data connections can be torn down prematurely if control flow is on a different VLAN from the active connection.

Using trunks on a 8400 platform (CR84156)
On an 8400 platform, when you are using trunks on a VLAN, the fdb show does not show any learned entries.

Selecting Addresses under the Server list page returns error (CR84202)
In the Global Traffic section when using the Configuration utility, if you select Addresses under the server list to sort, an error is returned.

System accessibility following a local upgrade from 9.1.x or 9.2.x to 9.3.1 (CR87065)
The problem can easily be resolved by running /usr/bin/ immediately after an upgrade from 9.1.x or 9.2.x to 9.3.1. Symptoms of this problem include being continually prompted to enter the SCCP password, and a continual restart of fpdd and stpd services. When this occurs, until you run the /usr/bin/ script, you will continue to see the message No license. Activation needed and the web UI remains inaccessible.

bcm56xxd should disable port 4.2 on 1500 platform (CR87184)
On 1500s platforms port 4.2 should be completely disabled. bcm56xxd reports 4.2 is UP followed by Traffic Microkernel Module (TMM) reporting that 0.1 is DOWN.

Connection limits for SNAT (CR86294)
Connection limit for SNAT translation is not working properly. Even though it is set to some integer, SNAT translation allows unlimited connections.
Example: snat translation {limit 2}

[ Top ]

Workarounds for known issues

This section describes the workaround for the corresponding known issue listed in the previous section.

Controlling fallback with an iRule (CR61942)

This workaround contains a sample iRule you can use to control fallback in situations in which there are still available nodes. For information about the known issue, see HTTP fallback host use with nodes that are available.

 rule my_lb_failed {

when LB_FAILED {

if { [active_members [LB::server pool]] != 0 } {

## As long as there are still active_members, we don't need to do the fallback.

} else {

## Pool has no active members, according to monitors. Let's fallback

HTTP::fallback ""




Rewriting the location header when Application Security Module is enabled (CR64136)

This workaround describes how to rewrite the location header when Application Security Module is enabled. For information about the known issue, see Redirect rewrite of host.

To use this iRule, at a minimum you need to modify the following line to match your setup:

set ::redirect_rewrite [list "" ""]

Here is the example iRule you can use:

 rule redirect_rewrite {

when RULE_INIT {

# Replace with your redirect url,

# syntax [list "a b"] , server redirect url "a" is rewritten to "b"

set ::redirect_rewrite [list ""




set host [HTTP::host];



if { [HTTP::status] starts_with "3" } {

set location [HTTP::header "Location"];

if { $location == "" } {



} else {



log LOCAL0.debug "Location: $location (check for rewrites)";


foreach x $::redirect_rewrite {

set a [getfield $x " " 1];

log LOCAL0.debug " ? starts_with "$a" ... ";

if { $location starts_with $a } {

set b [getfield $x " " 2];

log LOCAL0.debug "...yes, replace "$a" with "$b";

set len [string length $a];

set tmp [substr $location $len];

# set location "${b}${tmp}";

set location "https://$host$tmp"

log LOCAL0.debug "Location: $location";

HTTP::header replace "Location" $location;






Enabling port translation and address translation (CR65341, CR66193)

This workaround describes how to enable port translation and address translation for the virtual server, which is required if you are using the Application Security Manager (Application Security Module) with a wildcard virtual server or a wildcard pool. For information about the known issue, see Application security with wildcard virtual servers and pools.

Note: The following task assumes you are updating an existing virtual server.

To enable port translation and address translation

  1. On the Main tab of the navigation pane, expand Local Traffic, and then click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Name column, click the name of a virtual server.
    The Virtual Server Properties screen opens.
  3. Above the Configuration area, click Advanced.
    The screen refreshes, and you see additional configuration options.
  4. Check the Address Translation option.
  5. Check the Port Translation option.
  6. Click the Update button.
    The system saves any changes you have made, and displays Enabled next to the Address Translation and Port Translation options.

Using an iRule to manage fallback redirection after receiving a reset packet (CR66570)

This workaround describes how to use an iRule to manage fallback redirection after receiving a reset packet from the server. For information about the known issue, see Fallback redirect after RST packet from server.

To implement this workaround, first remove the fallback host for the configured HTTP profile. Then, add the following iRule to the profile:

 when LB_FAILED {

## Comment out either HTTP::fallback below to silently close/abort,

## or uncomment to send redirect.

if { [active_members [LB::server pool]] != 0 } {

## Selected a member, but connect failed or no response.

# HTTP::fallback "http://fallback-host/try-again.txt"

} else {

## Pool has no active members, according to monitors.

HTTP::fallback "http://fallback-host/service-down.txt"



Within the iRule, in either case, you have two options:

  • Simply close the connection.
    Comment out the HTTP::fallback line.
    The system sends an RST packet to the client (or performs a four-way shutdown).
  • Redirect to fallback URL.
    Another problem might prevent use of the commands HTTP::redirect, HTTP::respond, or even TCP::close without complications. But using the HTTP::fallback command to set the fallback URL at run-time does not have the same issues.

We recommend closing the connection in the first case (transient failure), and redirecting to the fallback URL in the second (pool empty). Regardless of which option you select in the first case, if the selected member sends an RST packet immediately after connection establishment, the system passes that through as-is to the client, rather than passing the spurious fallback redirect. This is generally the safest thing to do, and why this is recommended.

Rewriting the redirect address when using a non-standard port (CR67505)

This workaround describes how to use an iRule to rewrite the redirect address when using a non-standard port. For information about the known issue, see Redirect rewrite with non-standard port.


if {[HTTP::header exists Location]} {

set loc [HTTP::header value Location]

clientside {

set vhost [IP::local_addr]

set vport [TCP::local_port]


set uri "https://$vhost/"

set len [expr [string length $uri] - 1]

if {$loc starts_with $uri} {

set loc [string replace $loc $len $len ":$vport/"]

HTTP::header replace Location $loc




Changing the configurations of pools (CR73786)

This workaround describes how to change the configurations of pools when you receive a Pool modification error. For information about the known issue, see Pool modification error: 01031000:3: eXtremeDB - data validation failed.

You can resolve this issue using one of the following options:

  • Change the names so that each pool name starts with different characters. For example, change gwp1 gwp11 to gwpone and gwpeleven.
  • Change the pool configuration sequence so that gwpl1 appears above gwpl in the bigip.conf file.
  • Leave the pool name and sequence the same, but remove the min up member settings.

Preventing console access for remote users (CR77422)

This workaround describes how to prevent console access for remote users. For information about the known issue, see Remote user console access.

To prevent console access, follow these steps:

  1. In the browser-based Configuration utility, expand System, select Users.
    The Users List screen opens.
  2. On the menu bar, click the Users menu, and select Remote Access.
    The Remote Access screen opens.
  3. Change Web User Role from No Access to Administrator, and check Console Access.
  4. Click Update.
  5. Switch back to No Access, and click Update again.
[ Top ]

Contacting F5 Networks

  Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

[ Top ]

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Additional Comments (optional)