Applies To:

Show Versions Show Versions

Release Note: BIG-IP LTM and TMOS version 10.0.1
Release Note

Software Release Date: 05/31/2009
Updated Date: 08/23/2013


This release note documents the version 10.0.1 release of BIG-IP® Local Traffic Manager and TMOS®. To review what is new and fixed in this release, refer to New in version 10.0.1 and Fixed in version 10.0.1. For existing customers, you can apply the software upgrade to versions 9.3.x, 9.4.x, 9.6.x, and 10.0.x. For information about installing the software, refer to Installing the software.

Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available in the AskF5SM Knowledge Base,


- User documentation for this release
- Minimum system requirements and supported browsers
- Supported platforms
- Installing the software
- Upgrading from earlier versions
- New in version 10.0.1
- Fixed in version 10.0.1
- New in version 10.0.0
- Fixed in version 10.0.0
- Known issues
- Contacting F5 Networks

[ Top ]

User documentation for this release

In addition to these release notes, the following user documentation is relevant to this release.

You can find the product documentation and the solutions database in the Ask F5 Knowledge Base.

[ Top ]

Minimum system requirements and supported browsers

The minimum system requirements for this release are:

  • System hard drive
  • 768 MB RAM (1 GB recommended)

Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.

You can work with the BIG-IP system Configuration utility using the following browsers:

  • Microsoft® Internet Explorer®, version 6.0x, and version 7.0x
  • Mozilla® Firefox®, version 1.5x, version 2.0x, and version 3.0x

Note that we recommend that you leave the browser cache options at the default settings.

Important: Popup blockers and other browser add-ons or plug-ins might affect the usability of the browser-based Configuration utility. If you experience issues with navigation, we recommend that you disable these types of browser plug-ins and add-ons.

[ Top ]

Supported platforms

This release supports the following platforms:

  • BIG-IP 1500 (C36)
  • BIG-IP 1600 (C102)
  • BIG-IP 3400 (C62)
  • BIG-IP 3410 (C100)
  • BIG-IP 3600 (C103)
  • BIG-IP 4100 (D46) - unit running Application Security Manager only
  • BIG-IP 4500 (D43) - unit running WebAccelerator System only
  • BIG-IP 6400 (D63)
  • BIG-IP 6800 (D68)
  • BIG-IP 6900 (D104)
  • BIG-IP 8400 (D84)
  • BIG-IP 8800 (D88)
  • BIG-IP 8900 (D106)
  • VIPRION (J100, J101)

Important: Version 10.0.0 does not support the BIG-IP 3900 platform.

Note: Although the BIG-IP 1500 with 768 MB of RAM is supported and does load the 10.x configuration, some performance metrics may be lower than for systems with 1 GB of RAM. It not recommended to attempt running additional product modules on a system that has only 768 MB of RAM

If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.

Note: The hardware and software for each unit in a redundant system must match.

[ Top ]

Installing the software

This section lists only the very basic steps for installing the software. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.

The steps in this section assume that:

  • The license is already reactivated and the service contract is already updated for this release, if applicable.
  • You downloaded the .iso file from F5 Downloads to /shared/images on the source for the operation.
    (Note that you might need to create this directory. If so, use this exact name, including capitalization.)
  • There is at least minimal partitioning on the system drives.
  • You have already configured a management port.
  • You are logged on to the management port of the system you want to upgrade.
  • You are logged on to a hard drive installation location other than the target for the operation.
  • You logged on using an account with administrative rights.
  • You have saved the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, if applicable.
  • You are logged on to the standby unit in a redundant system, if applicable, and that you will synchronize the configuration to the active unit.
  • You turned off mirroring, if applicable.
  • If you are upgrading from 9.3.x or 9.4.x, you ran im <downloaded_filename.iso> to copy over the new installation utility.

Installation consists of the following steps.

  1. To copy the upgrade utility, run the command im (for first-time 10.x installation).
  2. To install the software, use one of the following methods:
  • Run the command image2disk --instslot=HD<volume_number> <downloaded_filename.iso> (for first-time 10.x installation).
  • Run the command bigpipe software desired HD<volume_number>version 10.x build <nnnn.n> product BIG-IP
  • Use the Software Management screens in the browser-based Configuration utility.

After the installation finishes, you must complete the following steps before the system can pass traffic.

  1. Reboot to the new installation location.
  2. Log on to the browser-based Configuration utility.
  3. Run the Setup utility.
  4. Provision the modules.

Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and we recommend that you reference the guide to ensure successful completion of the installation process.

The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.

You can check the status of an active installation operation by running the command b software status.

If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.

[ Top ]

Upgrading from earlier versions

How you upgrade from earlier versions depends on the version of software you have.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Important: BIG-IP version 10.x introduced the ability to run multiple modules based on platform. The number and type of modules that can be run simultaneously is strictly enforced through licensing. For more information, see SOL10288: Supported product module combinations by platform for the BIG-IP version 10.x software branch.

Upgrading from version 9.6.x or 10.x

When you upgrade from software version 9.6.x or 10.x, you can use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help, or the relevant chapters in the BIG-IP® Systems: Getting Started Guide.

Important: Upgrading a version 9.6.x platform to version 10.x also performs a BIOS upgrade. If you also apply a version 10.x hotfix when you attempt the software upgrade, the operation fails to install the new BIOS. This can cause additional issues. For more information, see SOL10548: The BIOS of the VIPRION platform is not upgraded when installing BIG-IP version 10.0.x and a hotfix in a single step and SOL10016: A VIPRION kernel panic occurs following an upgrade to BIG-IP version 10.x.

Upgrading from version 9.3.x or 9.4.x

If you plan to install this version of the software onto a system running 9.3.x or 9.4.x, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.3.x or 9.4.x to 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP® Systems: Getting Started Guide.

Upgrading from versions earlier than 9.3.x

You cannot upgrade directly to this version from BIG-IP version 4.x or from BIG-IP versions 9.0.x through 9.2.x. You must be running software version 9.3.x, 9.4.x, or 9.6.x. For details about upgrading to those versions, see the release notes for the associated release.

Note: Beginning with version 10.0.0 of the software, a redundant system configuration must contain failover peer management addresses for each unit. If you roll forward a redundant system configuration from 9.3.x or 9.4.x, the units start up in an offline state because each one needs a failover peer management address. To configure the failover peer management addresses, navigate to the Network Failover screen, available under High Availability on the System menu on the navigation pane, and specify the management IP address of the peer unit in the Peer Management Address field. Then do the same on the other unit in the redundant system. Once you specify both IP addresses, the system should operate as expected. Also note that setting an IP address other than the real management IP address can result in an active-active situation on redundant systems, so ensure that you specify the correct management IP address. For more information, see SOL9947: Change in Behavior: The Peer Management Address setting is required for BIG-IP version 10.x systems configured for network failover.

[ Top ]

New in version 10.0.1

Application templates (CR115226)
This release includes additional application templates. An application template corresponds to a particular application, such as Citrix® Presentation Server, and provides a fast, efficient way to configure the BIG-IP system to process the associated traffic. The application templates added in this release are:

  • Generic HTTP
  • Generic IP Forwarding
  • Generic LDAP
  • Generic RADIUS
  • Citrix® Presentation Server

Fixed in version 10.0.1

Large interval time changes and down pool members and LACP channels (CR66036)
Large time changes no longer cause pool members and LACP channels to go down. This might have occurred when an NTP server that a BIG-IP system used had a problem, and changed the time by a big interval. In response, the system might have posted a log entry similar to this, 11:24:35 customer_server ntp change of -20.346930, and marked down affected pool members and LACP channels.

Traffic statistics and the b pva 0.0 command (CR82189)
In this release, the b pva 0.0 command shows traffic statistics. Previously, it did not.

Client certificate handling and remote authentication (CR93894, CR124436)
Client certificate handling has been improved for non-standard clients when using remote authentication. In an earlier release, the system might incorrectly accept a client connection in certain configurations.

Fast L4 and SNAT mirrored connections after failback (CR101304)
In previous releases, Fast L4 and SNAT mirrored connections between the active and standby units were correct after failing over to the standby unit. However, after failing back to the original unit, the standby unit did not maintain the correct mirrored connection table. This release corrects that condition.

HTTP_REQUEST iRule and server-side requests (CR107335)
In this release, an HTTP_REQUEST iRule event that uses the LB::detach command followed by the selection of a new pool no longer results in the disappearance of server-side request. Now, in this case, requests are visible on server-side connections.

IPv6 vulnerability CVE-2008-2476 / VU#472363 (CR111056-4)
This release fixes an IPv6 vulnerability tracked by the Common Vulnerabilities and Exposures (CVE) project, which assigned the ID CVE-2008-2476 to the problem, and by the United States Computer Emergency Readiness Team (US-CERT), which assigned the ID VU#472363. For more information about the vulnerability, see CVE-2008-2476 or VU#472363.

active_members iRule logic (CR111235)
The active_members iRule logic no longer returns 1 for an unavailable pool. Now, it returns 0.

pvac process core files (CR112042-2)
The pvac process no longer occasionally produces core files in connection with no-cache or private cookie-based header tag scenarios.

Fast HTTP and prematurely closed connections (CR113258)
The BIG-IP system no longer prematurely closes connections when using a Fast HTTP profile in conjunction with multiple client requests using the same server-side connection, and the server is sending multi-packet responses. This previously occurred only when the client requests could not have any future requests (for example, HTTP/1.0 requests without Connection: Keep-Alive headers, or HTTP/1.1 requests with Connection: close headers).

Listener is bound message from listen command called in iRule (CR113797-5)
In this release, the listen command called in an iRule no longer crashes the Traffic Management Microkernel (TMM) process with the error message Listener is bound.

Cookie encryption and HTTP header values (CR114198)
Using HTTP cookie encryption in an HTTP profile now correctly adjusts the header position to account for the different (often larger) encrypted cookie header.

OpenSSL vulnerability CVE-2008-5077 (CR114792)
This release fixes an OpenSSL vulnerability tracked by the Common Vulnerabilities and Exposures (CVE) project, which assigned the ID CVE-2008-5077 to the problem. For more information about the vulnerability, see CVE-2008-5077.

Logging Profile Storage Type changed to log key=value pairs (CR115082)
The Application Security Manager Logging Profile Storage Type has changed to log key=value pairs instead of comma-separated string fields.

Fragmentation and MTUs less than 1500 (CR116540)
Fragmentation now works correctly on egress when using a Fast L4 profile, and the Maximum Transmission Unit (MTU) is less than 1500.

Slow client connections and large documents (CR116570)
Slow client connections are no longer closed incorrectly when they are transferring relatively large documents.

TMM core and RAM cache configuration (CR116568-3)
Traffic Management Microkernel (TMM) no longer writes out a core when memory limits are exceeded during RAM cache configuration. Previously, this caused the cache to not initialize, which resulted in the WebAccelerator system trying to access nonexistent RAM cache information.

provision.extramb variable setting (CR116571-1)
In previous releases, the system reset the db variable provision.extramb, back to 0 (zero). Now, the system ignores this variable setting. Note that the provisioning scheme in the 10.x version of the software has changed memory distribution sufficiently that any advantage you received by configuring this variable in version 9.4.x is likely incorrect for your needs in this release. You can set the variable to 0 by running the command b db provision.extramb 0.

mcpd[8035]: 01070267:4: Dossier warning 06 (CR117038)
In this release, the following benign message no longer occurs: mcpd[8035]: 01070267:4: Dossier warning 06 message.

10.x hotfix installation using im (CR117228)
An incorrect attempt to install a 10.x hotfix by running the im command now displays the following error message and exits gracefully: Logical volume disk management detected. This media not intended for application with the 'im' utility. Please consult your documentation on 'b software' commands for hotfix application. Exiting....

HTTPS server errors and bigd memory leak (CR117349)
This release corrects a big3d daemon memory leak that occurred occasionally when an HTTPS server returned an error, eventually causing the bigd daemon to crash.

libpng vulnerability CVE-2009-0040 (CR117746)
This release fixes a PNG reference library libpng vulnerability tracked by the Common Vulnerabilities and Exposures (CVE) project, which assigned the ID CVE-2009-0040 to the problem. For more information about the vulnerability, see CVE-2009-0040.

libicc vulnerabilities CVE-2009-0583 and CVE-2009-0584 (CR118548, CR119796)
This release fixes libicc vulnerabilities tracked by the Common Vulnerabilities and Exposures (CVE) project, which assigned the IDs CVE-2009-0583 and CVE-2009-0584 to the problems. For more information about the vulnerabilities, see CVE-2009-0583 and CVE-2009-0584.

[ Top ]

New in version 10.0.0

Support for a new platform
This release provides support for the new 8900 platform, which is designed to provide superior performance. For more information, see Platform Guide: 6900 and 8900, available in the Ask F5 Knowledge Base.

Logon enhancements for the Configuration utility
This release includes several enhancements to the logon function of the Configuration utility. The logon screen now includes an HTML-based form for authentication, a customizable security banner, the ability to log off of the Configuration utility without closing a browser window, and the ability to configure a session timeout period.

Resource provisioning
With this release, you can allocate CPU and memory resources for specific modules such as Local Traffic Manager, Global Traffic Manager, Link Controller, Application Security Manager, WebAccelerator, and WAN Optimization Module.

Application templates
This release includes a configuration tool known as application templates. An application template corresponds to a particular well-known vendor application, such as Microsoft IIS, and provides a fast, efficient way to configure the BIG-IP system to process traffic for that application. The application templates contained in this release are:

  • BEA® WebLogic®
  • Microsoft® Exchange Outlook® Web Access (OWA)
  • Microsoft® Internet Information Services (IIS)
  • Microsoft® SharePoint®
  • Oracle® Application Server
  • SAP® ERP Central Component
  • SAP® Enterprise Portal
  • VMware® Virtual Desktop Infrastructure (VDI)

High Availability configuration enhancements
This release offers two enhancements to ease the process of configuring and managing a redundant system. First, you can use the configuration tool known as the HA Wizard to initially set up a redundant system configuration. With this wizard, you can set up VLANs and unicast/multicast IP addresses for network failover, as well as IP addresses for connection mirroring. Also, the BIG-IP system includes two new redundant-system states: OFFLINE and FORCED_OFFLINE. Unlike the STANDBY state, these new states serve to indicate that a non-active system is unable to become active without user intervention.

Group-based privilege assignment for RADIUS and TACACS+ user accounts
For environments that store BIG-IP system user accounts on a remote server, your ability to assign user privileges on a group-wide basis has been expanded to include not only LDAP and Active Directory servers, but also RADIUS and TACACS+. Using the BIG-IP system's remoterole command, you can now assign a user role, partition access, and terminal access to a group of user accounts based on a specific RADIUS or TACACS+ attribute.

Additional support for Advanced Routing Modules
In addition to support for the BGP, RIP, and OSPFv2 dynamic routing modules, this version of the BIG-IP system now includes support for IS-IS (IPv4 and IPv6), OSPFv3, and RIPng. For VIPRION® platforms, this release supports the industry-standard graceful restart function. The graceful restart function allows the dynamic routing protocol control plane to move from one blade to another without disruption to traffic. Graceful restart is enabled in all supported protocols and for all supported address families by default.

Configuration utility-based software management
This release provides browser-based screens for installing, applying hotfixes, setting boot locations, rebooting, and designating the active software image location.

Cookie insert persistence and Performance (HTTP) virtual servers
With this release, users can now assign a Cookie persistence profile that uses the HTTP Cookie Insert method to a Performance (HTTP) virtual server.

New health and performance monitors
This release includes a number of new health and performance monitors. The Inband health monitor provides passive monitoring of nodes or pool members as part of a client request. The Module Score monitor works with the Global Traffic Manager BIG-IP monitor to assess the load on downstream devices running Application Security Manager and WebAccelerator system software. Finally, the new Session Initiation Protocol (SIP) monitor checks the status of SIP Call-ID services on a device.

Route domains for segmenting traffic
This release includes a new feature known as route domains. Route domains allow you to segment traffic on your network by appending a route domain ID to an IP address. This in turn allows you to assign the same IP address to multiple nodes on the network, as long as each of those nodes resides in a separate route domain.

RTSP and SIP configuration profiles for customized application traffic handling
This release includes a number of new profiles that you can configure for customizing the way that the BIG-IP system handles certain kinds of application traffic. These new profiles can efficiently process traffic pertaining to Real-Time Streaming Protocol (RTSP) and Session Initiation Protocol (SIP).

iSession profile for secure, optimized application traffic over the WAN
Using a new iSession profile, you can optimize application traffic traveling from one Local Traffic Manager device to another over a wide-area network (WAN). Configuring an iSession profile establishes a tunnel that can compress and encrypt data before the data travels across the WAN.

NTLM profile for optimized network performance
A new NT LAN Manager (NTLM) profile within BIG-IP Local Traffic Manager optimizes network performance when the system is processing NTLM HTTP traffic. When associated with a virtual server, the NTLM profile allows the local traffic management system to take advantage of server-side connection pooling for NTLM connections. The advantage of NTLM profiles over using a OneConnect profile by itself, is that a OneConnect profile alone can potentially allow idle NTLM-authenticated server connections to be reattached to unauthenticated clients.

Enhancements to clustered multi-processing
Support for the clustered multi-processing (CMP) feature has been expanded to include the BIG-IP 6400 and 6800 platforms. Also, the CMP feature now remains enabled when running BIG-IP system modules such as Application Security Manager and WebAccelerator, and when most features such as persistence and iRule read-only global variables are configured on a virtual server.

Kerberos delegation
The Kerberos delegation feature provides the ability to authenticate client traffic with Microsoft Windows Integrated Authentication. You can also use this feature to set cross-realm authentication if the two realms have a trust relationship.

Traffic classes
You can use a new feature within Local Traffic Manager, traffic classes, to classify traffic according to a set of criteria that you define, such as source and destination IP addresses. Once you have defined the traffic class and assigned the class to a virtual server, the BIG-IP system associates the traffic class with each traffic flow. In this way, the BIG-IP system can regulate the flow of traffic based on that classification, which helps you determine which optimizations to apply to WAN traffic, rate shape certain traffic, apply QoS policies, and so on. Traffic classes can be of particular benefit when configuring the WAN Optimization Module traffic.

Editable VLAN tags
With this release, you can now change the VLAN tag that you initially assigned to a VLAN without having to delete and then recreate the VLAN.

Traffic Management shell (tmsh)
This release includes a new command line interface known as the Traffic Management shell, or tmsh. The Traffic Management shell is a hierarchically based interface that offers features such as command completion, command history, and context-sensitive help. You can use tmsh to set up your network, configure local and global traffic management, and display information about performance, load balancing decisions, network traffic, and Traffic Management Operating System (TMOS®). The tmsh utility provides the first complete command line interface for configuring Global Traffic Manager.

Comparison of single configuration files
The single configuration file (SCF) feature of the BIG-IP system has been enhanced to allow you to compare two single configuration files to determine content differences.

Logging of administrative activities
The logging system of the BIG-IP system has been enhanced to provide logging of administrative activities such as logon and logoff operations and logon failures.

New iRules commands
This release includes a number of iRules enhancements, such as support for logic-execution timers and name/value lookup tables, and enhanced support for read-only global variables on CMP-enabled systems.

Time-limited (evaluation) product module support
With version 10.0.0 of the software, you can evaluate the add-on product modules Application Security Manager, WebAccelerator system, Protocol Security Module, and WAN Optimization Module. Each module provides a specific range of additional functionality for the BIG-IP software. You can obtain evaluation (time-limited) product module add-on registration keys from any F5 Networks sales representative. Upon activation and configuration, the evaluation module operates as full-featured software for a specific length of time. When the time-limited license expires, your system returns to its pre-evaluation licensed state, with only the evaluation module disabled. You can find descriptions of each product module in the TMOS® Management Guide for BIG-IP® Systems, available in the Ask F5SM Knowledge Base,

Ghostscript software
In this release, the WebAccelerator module contains the Ghostscript software, an interpreter for the PostScript language and for PDF. Ghostscript is covered under the GNU General Public License (GNU GPL). For more information about GNU GPL, see

Access to class contents with iRules: behavior change
In releases prior to version 10.0.0, you could use an iRule to access the contents of a class using Tcl lists. Starting with version 10.0.0, you must use the commands matchclass or findclass. There are a number of commands that operate on Tcl lists: foreach, join, lappend, lassign, lindex, linsert, llength, lrange, lrepeat, lreplace, lreverse, lsearch, lset, and lsort. In this release, you can use the iRule command class to provide list-type access to data groups. You can find extensive information about iRules on the Dev Central web site, available at

VLAN failsafe timeout value behavior change
In software versions 9.x, the system did not enforce a minumum value for the VLAN failsafe timeout value. Beginning in version 10.0.0, the minimum allowed VLAN failsafe timeout value is 10 seconds. Before you upgrade from version 9.x to version 10.x, F5 Networks recommends that you change your VLAN failsafe timeout value to 10 or greater in order to ensure a successful configuration load after the upgrade has been completed. For more information, see SOL7066: Overview of VLAN failsafe.

Virtual server total statistics and HTTP behavior change (CR109429-1)
The browser-based Configuration utility increments the total requests statistic for virtual servers only when the virtual server uses an HTTP profile, or when the virtual server is a Performance (HTTP) type.

Fixed in version 10.0.0

This release lists no specific fixes because it is a zero-level release.

[ Top ]

Known issues

This release contains the following known issues.

L7 mirrored connections after restart and failover (CR55926)
If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second restart and failover. Also, this does not apply to Fast L4 profiles.

ICMP time exceeded on IPv6-addressed packets (CR79065, CR83552, ID 250921, ID 251174, ID 319551)
When, due to time-to-live (TTL) exceeded, the BIG-IP system drops IPv6 traffic being sent through a network virtual server or SNAT, the BIG-IP system responds with a destination-unreachable ICMP6 message. The BIG-IP system's IP address should be listed as the source in the ICMP response, and the client IP address should be listed as the destination. However, the BIG-IP system incorrectly reports the dropped IPv6 packet's destination address as the source address of the ICMP6 response. The result, from the client's perspective, is that BIG-IP system does not show up as a hop; the server is seen in place of the BIG-IP system.

Link status after replacing tri-speed copper SFP with fiber SFP (CR83207)
If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status.

Baud rate setting and serial console access on VIPRION (CR80191)
In order to change the baud rate when you are using a serial terminal console server on the VIPRION® platform, you must follow a specific sequence to change the baud rate in three places, or you can lose communication with the system.

  1. On each blade in the system, run the following command:
    bigpipe baud rate <your_baud_rate_value>
    Make sure to complete this change on all blades in the system before proceeding to step 2.
  2. Next, change the Serial Port Redirector (SPR) baud rate by pressing ESC( to access the SPR Command Menu. When the menu opens, select B -- Set baud rate, and select from the six settings displayed.
  3. Finally, change the baud rate of your serial terminal server.
    The syntax for completing this step varies depending on the terminal server you are using, so you should consult your serial terminal server documentation for more specific information.

NTP server delete and nonexistent servers (CR85137)
If you run the b ntp servers delete command when no such Network Time Protocol (NTP) server exists in the configuration, the system adds the server. The workaround is to make sure the server exists before trying to delete it.

b <object> edit command (CR86175, CR119480)
Although the b <object> edit command is referenced in product documentation, the command is disabled in this release. If you run the b <object> edit command, the system presents a message indicating that the feature is not implemented.

Command b profile http all ramcache entry all show and error message (CR86593-1)
When using the command line to query for RAM Cache entries, if you specify anything (for example, filtration parameters such as uri or an unnecessary all) after ramcache entry other than actions (for example, show), you must include a specific profile name. If you do not, the system posts an error message. For example, if you issue the command b profile http all ramcache entry all show, the system returns the following messages:

  config # b profile http all ramcache entry all show
  BIGpipe unknown operation error:
    Profile name must be specified.

UCS error and remote user logon operations (CR87863)
If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. To work around the situation, log on to the system as the root user or as the admin local user.

MSTP configuration name following a reboot (CR90249, ID 227304)
The Multiple Spanning Tree Protocol (MSTP) specifies that the system handles spanning tree packets in accordance with the MSTP protocol. When you create a new MSTP configuration on the system, the new MSTP configuration name is not retained following a system reboot or after running the bigstart restart command. For more information, see SOL8212: The BIG-IP LTM does not retain the MSTP configuration name following a reboot.

Duplicate SNATs in bigip.conf file (CR91719)
If you have duplicate names for SNATs in the bigip.conf file, the pvad service restarts and writes out a core file. To work around this situation, make sure each SNAT in the configuration has a unique name.

RAM cache, CMP, and memory sizing calculations (CR92541)
When RAM cache calculates the amount of memory available or allowed, it should take CMP into account. In this release, RAM cache does not take CMP into account.

Load balancing methods and low connection limits with low numbers of connections on multiple TMM services (CR93185, CR116200)
Many load balancing methods are implemented so that the system divides the connection limit among running Traffic Management Microkernel (TMM) services. If you set the connection limit to low values, the results you see might not be what you expect. For example, some nodes might receive more connections than you expect, and other nodes that you expect to receive connections might not receive any. These apparent anomalies are discernible only with small numbers of connections, and disappear with large numbers of connections.

CPU usage when pvad monitors many nodes (CR94039)
When the pvad service queries a very large number of objects (for example, 2000 nodes), the pvad service might use as much as 27% of CPU. This condition is intermittent, and might have other requisites. There is no workaround.

System restart and pam_audit messages on the console (CR96888)
Occasionally, a system restart might result in the system posting to the console messages of the following type:

  sshd(pam_audit)[4559]: user=root(pqizzjl1l) tty=/def/pts/1 host= attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008".
  sshd(pam_audit)[4559]: 01070417:0: AUDIT - user root - RAW: sshd(pam_audit): user=root(pqizzjl1l) tty=/def/pts/1 host= attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008".

These messages occur when the system shuts down logging to the syslog-ng file before all users who are logged on have logged off. Should this error occur, when the system comes back up, you can use the boot marker in the audit files to confirm that the system logged out the remaining users.

b persist show on cluster and incomplete results (CR97188)
Running the command b persist show on a cluster might return incomplete results in certain avoidable situations. To ensure complete results, leave the bigpipe shell read partition at all, and log on as a user who is authorized to view all partitions.

Status LED state after startup (CR97299-1)
The Status LED briefly shows green on power up. The LED should be blank or amber. Early during initialization, the software sets the LED color to amber, and finally to green once cluster quorum is reached. You can safely ignore the transient green LED on power up.

Resource Administrator and Administrator roles in partitions other than Common (CR98262)
In this release, only the Common partition can contain users with the Resource Administrator and Administrator roles. If you create users with these roles in other partitions, when you load the configuration, the system posts the error: BIGpipe user modification error: 01070821:3: User Restriction Error: The system user (admin-users) must be created in the Common partition, and the configuration does not load. In addition, a Resource Administrator cannot load a configuration that has users who are not in the Common partition. There is no workaround for this issue.

PVA acceleration and Mimic IP ToS (CR98536)
When you are using Fast L4 profiles, make sure to set the PVA Acceleration setting to None if you also specify the Mimic setting for IP ToS to Client or IP ToS to Server. Otherwise, the system cannot perform the mimic functionality.

bd restart and Tcl error messages (CR100240)
When the bd process restarts, the system stops all internal connections. If the next event that arrives on a halted connection is an HTTP request, the attempt to disable the plugin in HTTP_REQUEST fails, which logs a Tcl error to the /var/log/ltm file. This is a benign error message that you can safely ignore.

MGMT port on BIG-IP 1600, BIG-IP 3600, BIG-IP 6900, and BIG-IP 8900 (CR101418)
The MGMT port for the BIG-IP 1600, BIG-IP 3600, BIG-IP 6900, and BIG-IP 8900 systems always shows a status of up even if the management cable is not connected.

CLIENTSSL_DATA and SERVERSSL_DATA events and suspending running iRules (CR101506)
In this release, do not use the CLIENTSSL_DATA and SERVERSSL_DATA events with commands that suspend running iRules. If a command that suspends a running iRule occurs during the CLIENTSSL_DATA or SERVERSSL_DATA event, the system might reset the connection. There is no workaround for this issue.

SCF with different hostname value than system (CR102008)
If you have a Single Configuration File (SCF) that contains a different hostname value than the system, you cannot automatically roll forward that configuration. Instead, you must first modify the entry in the SCF so that the hostname matches the system.

Clear Performance Data button on detailed graphs (CR102918)
When you click the Clear Performance Data button in any view, the operation clears data for all historical statistics, not just the data for the specific view you are in.

Cluster member address and default netmask (CR103199)
When you specify the cluster management IP address, the netmask defaults to /32, or In order to use cluster member addresses, the netmask must be no more than /30, or Always specify the netmask when specifying the cluster management IP address if you plan ever to use cluster member addresses. That way, the address always gets set correctly, and you can configure the cluster member addresses on the same network.

Install and number of volumes behavior change (CR103500)
The 10.x installer creates four volumes by default, which differs from the two partitions that the 9.3.x and 9.4.x installer created.

System failover and b failover offline | online show commands (CR103596)
The command line help for the failover command indicates that the following commands are valid: b failover offline [show], b failover online [show]. Issuing either command without the optional show argument takes the system offline or online. Issuing the command with the show argument results in the following parsing error: 012e0051:3: The requested attribute (show) is invalid for 'failover'. These are invalid commands that you should not use; they should not appear in the help.

snmpd section in SCF (CR103956)
If you have a Single Configuration File (SCF) that contains an snmpd element, you cannot automatically roll forward that configuration. Instead, you must first modify the entry in the SCF so that it conforms to the current format. In this case, you must add braces ( { and } ) around the snmpd entry.

Unsupported SCF entries from earlier versions (CR103958)
If you have a Single Configuration File (SCF) that contains elements or formats that the current version does not support (for example, an SCF that contains the element failsafe action failover restart tm as a failsafe action), you cannot automatically roll forward that configuration. Instead, you must first modify the entry in the SCF so that it conforms to the current format. In the case of failover restart, the system supports the following failsafe options: failsafe action go offline, failsafe action reboot, failsafe action restart all, and failsafe action go offline abort tm.

Browser refresh on license properties page and user logon prompt (CR104124)
When you are on the license summary general properties screen and you refresh the browser after you reactivate a license, the system prompts you to log on again. There is no workaround for this issue.

err request_module messages at startup time (CR104325)
When you start up a system, you might see some of the following error messages. The messages are entirely benign, and you can safely ignore them.

Aug 4 11:16:34 slot4/RackB31 err request_module[net-pf-5]: waitpid(29047,...) failed, errno 512
Aug 4 11:18:56 slot1/RackB31 err request_module[net-pf-3]: waitpid(12541,...) failed, errno 512
Aug 4 11:22:01 slot4/RackB31 err request_module[block-major-43]: waitpid(31300,...) failed, errno 512

Extended volume names and 9.6.x (CR104327, CR114895)
If you install this version of the software on a volume that uses a nonstandard name (for example, HD.pc1 rather than HD1.1), you cannot access that volume using version 9.6.x of the software. To access volumes named in this manner, use version 10.x software.

Command line delete volumes (CR104468, CR115056)
The system does not prevent you from deleting all volumes, including the active volume, using the b software desired command. Doing so causes the system to boot into another location. To prevent potential system access problems, do not use the command line to delete the active volume.

Volume sets above HD1.4 and 9.6.x installation (CR104647)
On a VIPRION® system with the active volume set above HD1.4, if you then add a blade that has 9.6.x installed and active, the system does not run the installation on the 9.6.x blade to bring it into the cluster. This occurs because 9.6.x is hardcoded to support volumes 1-4 and cannot dynamically create new volume sets. To work around this issue, make sure all blades you want to add are running 10.x, or use a volume set between 1 and 4.

NTP server add and host name (CR105032)
When you specify the host name for the b ntp servers add command, the system returns false positives when translating the host name to an IP address. The workaround is to add Network Time Protocol (NTP) servers using an IP address instead of a host name.

High availability setup wizard settings and the Previous button (CR105101)
If you use the high availability setup wizard and specify settings, when you click the Previous button, the system clears all the values you specified, so you must re-enter the values.

Profile editing and system timeout (CR105105)
If you are editing a profile in the browser-based Configuration utility when the system times you out and requests a new logon operation, the system sends you to the Welcome screen instead of the screen of the profile you were editing when you were logged off.

Primary blade failover and user logon (CR105216)
When you are logged on to a cluster management address, and you or another user subsequently promotes one of the secondary blades to the primary, you and the other user might need to log on again.

Dashboard window and browser session timeout (CR105234)
When you have the dashboard window open, the browser session never times out. When you close the dashboard window, the timeout interval takes effect again.

Secondary self IP addresses and monitoring (CR105511)
If you configure secondary self IP addresses for a vlan/domain, the system uses the wrong self IP address for monitoring. In a typical scenario, the system uses the IP address that you created first as the primary IP address for monitoring. However, IPv6 in the Linux kernel does not set a preferred source by default. Because Linux treats routing domains like it treats IPv6 addresses, the Linux kernel does not set a preferred source. There is no workaround for this issue.

Reboot during system initialization on systems with SCCP (CR105604)
If you reset the Host on a platform that contains an SCCP after the system has completed initialization, the system attempts to PXE boot, making DHCP requests repeatedly and indefinitely. The workaround is to first use the SCCP Command Menu option 2 to put the SCCP into the proper state, and then reboot the system. You can also recover by powering the unit off and back on again.

Global Traffic Manager not provisioned and ConfigSync (CR105627)
In a redundant system that has Local Traffic Manager provisioned on both units and Global Traffic Manager provisioned on only one unit, you must provision Global Traffic Manager on the second unit. Failure to do so risks Global Traffic Manager becoming unprovisioned or unconfigured after a ConfigSync operation.

Partitioned systems and creating volumes (CR105797, CR114073)
When you use the Software Management screens in the Configuration utility or the b software commands on the command line to create a volume on a system hard drive that is formatted using the partitioning scheme, the system appears to try to create the volume, but the operation fails. The system should alert you immediately that you cannot create a volume on a partitioned system hard drive. In general, the software does not support use of the volume management screens on systems that use the partitioning drive-formatting scheme.

Route domain health check traffic and IPv6 statistics (CR106378)
The system counts route domain health check traffic as part of IPv6 traffic statistic totals. If your configuration has a monitor on a pool in a routing domain, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics freeze (assuming there is no actual IPv6 traffic). There is no workaround for this issue.

Message modprobe: modprobe: Can't locate module tun6to4 (CR106750)
When you reboot a system from the serial console, the system reports the following message modprobe: modprobe: Can't locate module tun6to4... during the shutdown sequence. This message is benign, and you can safely ignore it.

Availability of user controls after password change (CR106828)
A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. The user can manipulate the controls, and select different settings. However, the system does not accept the change.

VIPRION and hardwired failover (CR106830)
This release supports only network failover for chassis-to-chassis failover on the VIPRION® platform. Do not configure hardwired failover using any failover cable included with the VIPRION platform you received.

User relogon after no password change (CR107046)
The system requires a user to relogon after changing a password to the same password as the one previously configured. There is no workaround for this issue.

SSL keys and certificates for HTTPS and SIP monitors (CR107415)
Unlike in SSL profiles, the system does not validate keys and certificates used for SIP and HTTPS monitors. That means that you can specify non-matching or invalid keys and certificates. There is no checking on the command line or in the browser-based Configuration utility to make sure keys and certificates are valid and usable.

SIP and HTTPS monitors and Intermediate CA signed certificates (CR107443)
If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server.

UDP checksum in IPv4 fragment (CR107852)
On BIG-IP 8400 and 8800 platforms, IPv4 fragments of a large User Datagram Protocol (UDP) datagram will be incorrectly modified at offset 6 from the end of the IP header (the location that would be the UDP checksum if the fragment were a full UDP datagram) from 0xfff to 0x0000. Although there is no workaround for this issue, it is not a common case.

VIPRION kernel panic and upgrade to version 10.0.0 (CR107874)
The VIPRION platform may experience a kernel panic and reboot following an upgrade to BIG-IP version 10.0.0. This issue occurs if the system is running BIOS firmware earlier than build 461, and the VIPRION unit is upgraded to version 10.0.0 with the management interface connected to a subnet with live traffic. For more information and a workaround for this condition, see SOL10016: A VIPRION kernel panic occurs following an upgrade to BIG-IP version 10.0.0.

CD-ROM or DVD-ROM drives that exceed the USB current specification (CR107883)
This release does not support USB CD-ROM or DVD-ROM drives devices that exceed the high-power USB current specification of five unit loads (500mA) per port.

Long VLAN name in Linux and fetching interface (CR107927, CR110084)
Linux represents long VLAN names using the first 13 characters and an appended ~1. If you use the Linux system command ifconfig to retrieve the interface configuration of a VLAN with a name longer than 9 characters, the operation truncates the name to 8 or 9 characters. To work around this issue, use the ip addr show command to retrieve the VLAN using the IP address.

Network failover and peer management address (CR108434, ID 212404, ID 247048)
Beginning with version 10.0.0 of the software, a redundant system configuration must contain failover peer management addresses for each unit. If you roll forward a redundant system configuration from 9.3.x or 9.4.x, the units start up in an offline state because each one needs a failover peer management address. To configure the failover peer management addresses, navigate to the Network Failover screen, available under High Availability on the System menu on the navigation pane, and specify the management IP address of the peer unit in the Peer Management Address field. Then do the same on the other unit in the redundant system. Once you specify both IP addresses, the system should operate as expected.

Memory report for modules (CR108667)
In this release, the system reports module memory mixed in with memory used by all processes. To determine actual memory usage, you must use standard Linux commands, such as ps, top, and other similar commands.

Module provisioning level set to Dedicated (CR108728, CR113440)
In the browser-based Configuration utility, if you try to set the provisioning level to Dedicated on a module when another module already has the Dedicated provisioning level, the system allows the change and sets the provisioning level to None on all other modules. When you use the command line for the same operation, the system presents and error: When a Dedicated provision level is set, all other module's provision levels must be set to None. To accomplish the change, you can use the Configuration utility, or you can use the command line to set the provisioning level to None for all other modules, and then set the Dedicated provisioning level on the module you want to configure. To do so, use the tmsh utility to issue the following commands (substituting your module names for <module-A> and <module-B>):

  (tmos)# create transaction
  [batch mode](tmos)# modify sys provision <module-A> level dedicated
  [batch mode](tmos)# modify sys provision <module-B> level none
  [batch mode](tmos)# submit transaction

Monitor limit on BIG-IP 8800 (CR108819)
The BIG-IP 8800 platform supports a maximum of 30,000 monitors in a single configuration. If you create more than 30,000 monitors, the BIG-IP 8800 might halt in a switchboard-failsafe state when you load the configuration.

Same user, different password (CR108965, CR114966)
When a user is logged on, if you use the b config install <ucs file>, b import <ucs file>, or b config sync commands, or when performing a ConfigSync operation in the Configuration utility to load a configuration that contains the same user, but with a different password, the system does not log off that user. After that user logs off, or when that user's session times out, that user must use the password from the new configuration to log on.

Default route domain information (CR108975)
In the browser-based Configuration utility, the Route Domain List screen shows the Default Route Domain information. However, the command line does not display the default route domain information in b route domain command results.

Disk provisioning information on partitioned system (CR109131)
On a system whose drives are formatted as volumes, on the Resource Provisioning screen in the Current Resource Allocation area, there is a section that displays Disk provisioning; if the drives are formatted as partitions, there is no Disk provisioning section. However, if you issue the b provision command on the command line, the results show a column for disk provisioning information.

HA Connection with peer established messages during upgrade (CR109301)
If you have state mirroring enabled, when you upgrade one unit of a redundant system, the system post messages until both systems are running the same version of the software. tmm tmm[1917]: 01340001:3: HA Connection with peer established. There is no workaround for this condition. Both units in a redundant system must be running the same version of the software.

Reboot on blades after b import operation (CR109381)
After a b import default operation, the prompt is set to reboot, but the operation does not instigate the reboot operation on the primary blade, although it does on the secondary blade. This is intentional behavior: the operation causes a reboot on secondary blades, but the primary blade does not reboot automatically in this case. To activate the imported configuration, reboot the primary blade.

Hotfix uninstall package behavior change (CR109472)
In this release, you no longer need the hotfix uninstall packages. Instead, you can use the b software commands to change the revision level of any 10.x image location to a higher or lower revision. For more information, see the man page for the b software command, available on the command line by typing man software.

Screen visible after timeout (CR109834)
When a system timeout occurs, the system grays out the screen behind the timeout alert box. Although you can access the browser window scroll bars to view the contents of the grayed-out screen, none of the options are active.

Mirroring interface delete and mirroring halt (CR109917)
When you delete an interface that is configured for interface mirroring, the system halts mirroring on all other configured interfaces. To work around this issue, when you delete an interface-mirroring configuration, recreate the configuration using all interfaces. As an alternative, after deleting an interface, save the configuration and issue the command bigstart restart.

Secondary blades and mcpd-primary user messages (CR110014)
The secondary blades in a chassis log messages using the user name mcpd-primary. That means that when the root user issues certain commands on the primary blade, such as one to disable a virtual server, the system logs messages similar to the following:

Oct 21 13:29:39 slot4/prd-061 alert mcpd[2415]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'root'.
   Oct 21 13:29:39 slot3/prd-061 alert mcpd[11909]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'.
   Oct 21 13:29:39 slot1/prd-061 alert mcpd[27136]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'.

These messages accurately represent the action taken and the origin of the command, and do not indicate an error condition.

Rate ceiling behavior change (CR110269)
In this release, when attaching a child class to a parent class, the system takes into account the rate of the parent class when verifying that the parent's rate ceiling is not exceeded. Now, the sum of a parent class' rate and child classes' rates cannot exceed the parent's rate ceiling. In previous releases, the system allowed the parent's rate to be, at most, equal to the rate ceiling, regardless of the rates of the child classes. This could have led to oversubscribing the configured rate ceiling in certain cases where traffic was assigned directly to a parent class. If you are rolling forward a configuration from a previous build, a quick workaround is to set the rates of all parent classes to 0bps by running the following command: bigpipe rate class <parent class name> rate 0bps. As a general rule, avoid assigning non-zero rates to parent rate classes.

iRule data collect and release (CR110761, CR113485)
There is a new iRules feature that provides support for suspending a running iRule (for example, with the after command). If you are running an indefinite collect operation (that is, the iRule is running a ::collect command with no arguments), and in response to a CLIENT_DATA event the iRule processes the payload to a certain point and then suspends iRule operation, when iRule operation resumes and the iRule issues a ::release command, the operation might release more data than the iRule processed. Specifically, data that arrives when the iRule is suspended does not trigger an additional CLIENT_DATA event. Here is an example of how to ensure that an iRule releases only the data that it has already processed: before running any command that suspends a running iRule, have the iRule save the ::payload length in a variable. When iRule operation resumes, have the iRule issue a ::release $payload_length command. You can find extensive information about iRules on the Dev Central web site, available at

Configuration data and module deprovisioning (CR110791)
If you deprovision a module, the system does not remove the configuration attributes associated with the module. Some configuration data, such as endpoint attribute definitions for the WAN Optimization Module, might interfere with Local Traffic Manager tunnel operations. In this case, when the definitions for endpoint advertised route, endpoint local, and endpoint remote remain in the configuration after deprovisioning WAN OPtimization Module, the Local Traffic Manager tunnel resets connections that were established when you had the module provisioned. As a workaround, remove the definitions from the bigip.conf files on both BIG-IP systems.

Multiple sessions and switchboot to previous version (CR110984)
If you have multiple sessions on a system and you change the active location to a different partition or volume, the first session you use to attempt a connection works to return you to the pre-10.0.0 version. The other browser sessions present different, unexpected results. As a workaround, when you change the active volume or partition and reboot the system, close all other active browser sessions, and reestablish the connection when the reboot finishes.

Configuration utility accessibility (CR111081)
On this version of the software, there is a longer interval between the time you restart the system when you can access the browser-based Configuration utility. For example, a typical interval on 9.4.5 software on a BIG-IP 1500 platform was 25 seconds. In 10.0.0, the interval is 95 seconds.

Upgrade and ha actions (CR111495)
This version of the software introduced new ha actions that the upgrade process cannot easily map to previous version's ha actions for daemon heartbeats. If you changed the ha action for a daemon heartbeat, the upgrade process returns the action to the default. After the upgrade installation finishes, you can configure the daemon heartbeat ha actions you want. (In the Configuration utility, you can find the Fail-safe settings on the High Availability screen, available on the System menu in the navigation pane.)

McpIOException exception catalina.out and changing user role in Configuration utility (CR111700)
When a user configured for one role is logged on to the browser-based Configuration utility, and you change that user's role to another type, also using the Configuration utility, the system logs off that user. When that user logs back on, the system writes to the catalina.out file error messages such as Error while reading message at. These messages are benign, and you can safely ignore them.

Password policy disabled and message in ltm log file (CR111848)
If you set the number of required numeric characters for a password, yet you disable password policy checking, when you create a password that is longer than six characters but contains no numbers, the system posts following message in the ltm log file:

01070366:3: Bad password (operator_common): BAD PASSWORD: needs numeric characters

This message appears only in the log file; it is not presented to the user. This message is spurious, and you can safely ignore it.

Password policy message (CR112076)
When you enable password policy checking, if you create a password that does not meet the password-policy criteria, the system presents a message. The message indicates that the operation failed because the new password is based on a dictionary word, regardless of the reason for the failure. The functionality is correct; only the message is inaccurate.

Setup utility and already configured system (CR112077)
The system requires that you run the Setup utility in the browser-based Configuration utility, even if you have already configured the system using the command line. This occurs because there is a hardcoded requirement for the Setup utility to run at least once. You can prevent the Setup utility from running by running the following command: b db false.

Node use in partitions (CR112120)
When you create a pool in one partition that includes a node from the Common partition, if the node has no associated screen name, when that node is referenced from a third partition, the system posts the error 01070726:3: A pool may only reference nodes in the same partition or the common partition (xyz_pool: and removes the node from the Common partition. The workaround is to add a screen name to the node. To do so, at the command line, issue a command similar to the following example: b node { screen dontremove }

Performance statistics formula display (CR112128)
The help frame crops the right edge of some of the formula definitions on the Performance statistics screen. As a workaround, you can click the Launch button to view the full text.

System shell and mkdisk utility (CR112255)
The mkdisk utility functions only if the system shell, /bin/sh, is bash or a symbolic or hard link to bash.

Installation and message for ntpdate step time server offset (CR112464)
Occasionally during installation, you might see the message ntpdate[12549]: step time server offset 0.474943 sec. The message is benign, and you can safely ignore it.

Firefox 2.x and system memory usage (CR112524)
You can use the Firefox 2.x browser to manage a BIG-IP system. Firefox 2.x has some well-documented memory usage growth-over-time variances, and using Firefox 2.x to access the BIG-IP system is no exception. The workaround is to use Firefox 3.x, or to periodically close the browser session and open a new one.

Port movement warning message and tcpdump on VIPRION (CR112953)
When you start or stop the tcpdump utility on a VIPRION® system, the system logs messages similar to the following entries in the /var/log/ltm file:

slot1/tmm warning pu[24652]: 01230114:4: port movement detected for 00:01:23:45:67:10, vlan tmm_bp - 0.0 to 0.1

These messages are benign and you can safely ignore them.

Cluster ha state (CR113055)
If you issue the commands b cluster all ha state or b cluster default ha state, the system always returns the result offline. This is because there is no cluster ha state to report. To get the state of a system, you can use the browser-based Configuration utility. The system displays the state at the top of every screen.

Watchdog timeout reboot and copying large files to USB thumb drive (CR113134-6)
Occasionally, when you create an installation repository on a USB thumb drive from the BIG-IP system, the operation fails while copying the repository files to the thumb drive. (The failure might also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) When the failure occurs, the system reboots and writes a log entry similar to the following in the /var/log/ltm file:

Dec 10 10:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured:8060 ms)

The workaround is to create the installation repository on a USB thumb drive using a Linux workstation, as documented in the BIG-IP® Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is actively in production to prevent the potential failure from affecting live traffic.

Large number of persistent connections and bp persist show (CR113322)
On a system with a very large persistence table (millions of entries) running the command b persist show might cause the system to become unstable or fail over. To obtain an accurate count of persistence entries, use the command tmctl --wrap=100 memory_usage_stat | grep persist. The last column shown represents the current number of persistence records. If you want to show an individual record, you can use the command b persist client <client_addr> show.

TCP profile congestion control settings (CR113431)
On a TCP profile, the Packet Loss Ignore Rate and Packet Loss Ignore Burst settings, which perform congestion control, are not operational for this release. Leave them set to the default value of 0.

Templates and Wizards menu (CR113601)
The Templates and Wizards menu does not change even when templates are not available under the license.

Wildcards in b httpd allow and Configuration utility access (CR113812)
If you use wildcard characters to specify IP addresses in the b httpd allow command, the result is that the system forbids all access to the browser-based Configuration utility. The workaround is to use other forms of specifying IP addresses. For example, b httpd allow 10.10.*.* does not work; instead use a command similar to b httpd allow

License reactivation and partition setting (CR113919)
If you are in a partition other than Common when you reactivate a license, the system automatically changes the partition to the Common partition. There is no workaround for this issue.

tmm.debug and TCP::collect from SERVER_CONNECTED iRule (CR114167)
Invoking a TCP::collect method from the SERVER_CONNECTED iRule event might cause associated connections to stall and timeout when running the tmm.debug daemon. This should not affect typical deployments since the tmm.default daemon behaves as expected in this configuration, and an administrator must explicitly configure the Traffic Management Microkernel (TMM) to use debug mode. Note that you should set TMM to debug mode only when requested to do so by an F5 Technical Support representative. The F5 Networks Technical Support representative will ensure that your system stays stabilized in this mode and will assist you in interpreting the debug output.

Cfm1F5Util error and multiple fipsutil monitor commands (CR114185)
Running the command fipsutil monitor multiple times followed by a fipsutil reset or fipsutil crash command, leaves the FIPS card in a test-failed state and causes the system to issue messages such as Cfm1F5Util? error (line 1335): Library Initialization : 0xffffffff : Undefined Error Code. As a workaround, make sure the system has time to completely process one fipsutil monitor command before issuing subsequent fipsutil reset or fipsutil crash commands. Note that in general, fipsutil reset or fipsutil crash commands are for testing purposes, and you should not use them in typical operations.

Multicast, virtual servers, and route domains (CR114381)
Configuring a virtual server for multicast communications inside a route domain does not work. Do not configure a virtual server for multicast communications inside a route domain.

License reactivation and the navigation pane License item (CR114587)
Intermittently, reactivating an existing or expired license can show only a License entry in the navigation pane in the browser-based Configuration utility. In most cases, invoking the browser's refresh or reload feature returns the proper content to the navigation pane.

License reactivation and changing partitions (CR114764)
After the system finishes reactivating a license when you are on the full License Summary screen, if you change to a partition other than Common, the system returns you to the Reactivate License property screen.

Reactivate button and partition selection (CR114766)
When the license expires, if you are on the License Summary page on a partition other than Common, the system automatically returns you to the Common partition, but does not activate the Reactivate button. The workaround is to select a different partition and then reselect the Common partition. This should reset the Reactivate button to an active state.

Software Management screens and b software commands partitioned systems (CR115139)
You cannot use the b software commands on a partition installed with 9.3.x or 9.4.x (or earlier). You can use some b software commands on a partition installed with 10.x. Supported commands include changing the default boot location (b software desired HD1.x active enable), adding or deleting product .iso or hotfix .iso files (b software images (<pathname> add | delete or b software hotfix (<pathname> add | delete), and installing 10.x to existing partitions (b software desired HD1.2 product BIG-IP version 10.x build 1234.0) You can also use the b software commands that return product, version, and build information. Note that you should not use the Software Management screens or b software commands to delete existing partitions or to add new partitions. Doing so might result in access errors that would require low-level formatting of the system drives to recover.

Entitlement check failure during installation (CR115236)
If the system fails the entitlement check when you attempt an upgrade, the system posts the following message:

warning: License entitlement check failed. Please reactivate. Cannot continue (use --nvlicenseok to force).

If you then use the --nvlicenseok to force installation to continue, the resulting installation completes without a valid license, and you must relicense the system. The error message should actually read:

Software version not covered by service agreement. Reactivate license before continuing.

If you reactivate your license before installing, you can prevent the error.

SSL::respond and CLIENTSSL_CLIENTCERT iRules (CR115328)
You should not use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event. This combination results in a handshake failure, because the CLIENTSSL_CLIENTCERT event happens before the connection is ready for the transmission of user data.

Authentication statistics (CR115521)
The system returns correct authentication profile statistics when profiles are queried individually. However, summaries, such as data returned on the Performance Statistics screen in the browser-based Configuration utility or values reported by the global option in Traffic Management Shell (the tmsh utility) do not properly summarize the cumulative statistics from those profiles, but instead return values of 0 (zero).

TCP Profile Verified Accept setting and optimized connections (CR115565)
On a TCP profile, the Verified Accept setting ensures that the system can communicate with the server before it establishes a client connection. In this release, this setting works fine on Local Traffic Management but has no effect on optimized traffic.

MTU setting for VLANs (CR115736)
The system does not honor the Maximum Transmission Unit (MTU) value for VLANs. To get the value to persist, delete the VLAN first, then recreate it with the settings you want. After the configuration is saved, the settings persist. Otherwise, the system uses the default MTU value of 1500.

Blade changes between versions (CR115774)
If you move blades between a chassis running software version 9.6.x and a chassis running 10.x, the 10.x system might report incorrect volume information on the blade that came from the 9.6.x chassis. F5 Networks does not recommend switching blades between chassis running differing versions of the software.

Incorrectly expired persist entries on standby system (CR115916)
There is an extremely rare chance that, if the high-availability mirroring connection fails and recovers, the result might be a new persistence record and an expired record using the same key to send their respective messages. For example, if a record comes in that would have matched an old one on the active system, it is possible that the old record's expiration action might arrive after the new record's update action. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record.

USB1.1 CD-ROM Drives and the BIG-IP 8900 platform (CR116108)
USB1.1 CD-ROM Drives are not supported on the BIG-IP 8900 platform.

Verified Accept option in TCP profile help (CR116118)
The Verified Accept option is missing from the TCP profile online help. On a TCP profile, the Verified Accept setting ensures that the system can communicate with the server before it establishes a client connection.

Hash profile and http_wan-optimized-compression profile (CR116124)
When you use both the Hash Persistence profile and the http_wan-optimized-compression HTTP profile, operations fail if you set the Hash Length and Hash Buffer Limit values in the Hash profile to 1000. To work around this issue, set the Hash Length and Hash Buffer Limit values to 100. Note that this workaround does not correct the issue on VIPRION® systems. For this issue, do not combine these profiles in configurations on VIPRION platforms.

Pass-phrase-protected certificates on VIPRION platforms (CR116238)
This release does not support the use of pass-phrase-protected certificates on VIPRION® systems.

SIP headers and special characters (CR116361)
In this release, the system supports the use of all ASCII printable characters in SIP headers. Certain characters, such as quotation marks ( " ) and backslash ( \ ), need to be escaped with a backslash for the monitor to correctly parse the header. The command line adds an extra level of parsing, which requires that you increase the number of escape characters when using the command line to define a backslash compared with the number you specify in the browser-based Configuration utility definition. This is correct functionality. In this release, however, the b load command incorrectly parses the escape characters in SIP headers, the result of which requires you to work around the issue by increasing the usually required number of escape characters for the backslash. For example, normally, you would add one escape character in the Configuration utility, and three on the command line (for a total of two and four, respectively), to get one backslash. In this release, if you plan to run the b load command, to get one backslash you must increase the normal number, for a total of four (for the Configuration utility) and eight (for the command line). Because of the complexity of this issue, in this release, we recommend that you use the Configuration utility to define SIP headers that contain backslash characters. In addition, do not run the b load command on the command line when you have a configuration that contains SIP headers that contain backslash characters. Note that this increased-escaping requirement is relevant only when the character you want is a literal backslash. For other characters that need escaping, you can use the normal number of backslashes for escaping SIP header special characters (one in the Configuration utility, and three on the command line).

CompactFlash and failed to install message (CR116929)
Because the CompactFlash® media drive is not a valid installation target, the system should prevent you from selecting it. However, this version of the software allows you to target a CompactFlash drive. If you accidentally installed to the CompactFlash drive, the system posts a failed to install state for the CompactFlash drive. The workaround to return to the original state is to issue the command bigstart restart lind on the command line.

Route domains and Global Traffic Manager (CR117427)
In this version of the software, you cannot use Global Traffic Manager to monitor or send traffic to any virtual servers that are in a route domain. Therefore, Global Traffic Manager is not supported to run on a Local Traffic Manager system that is using route domains.

Route domains and the advanced routing modules (ZebOS) (CR117428)
If you are using the ZebOS® advanced routing modules, it is important to consider the following:

  • Dynamic routing is supported on interfaces in the default route domain. The advanced routing modules cannot access interfaces, self IP and virtual addresses, and static routes in non-default route domains. A static route is considered as belonging to a non-default route domain if either the destination or the nexthop gateway address belongs to a route domain other than the default route domain.
  • All routes learned by way of dynamic routing protocols are inserted into the routing table for the default route domain only.
  • With respect to advertising routes, virtual addresses, or self IP addresses to other routers, the advanced routing modules advertise only those routes or addresses that are in the default route domain. As previously stated, the advanced routing modules are not aware of routes or addresses in other route domains.

Route domains and IPv6 (CR117429)
The route domains feature does not support IPv6-formatted IP addresses in this version of the software.

Route domains and diagnostic utilities (CR11430)
Some command line diagnostic tools, such as curl and traceroute do not work with route domains.

Route domains and custom monitors (CR117431)
Custom monitors that are not IPv6 aware (for example, EAV (Extended Application Verification) monitors) do not work with route domains.

Version 9.4.7 installation on system also containing 10.x (CR117480)
There is the possibility of a failed version 9.4.7 installation when installing on a system that also contains version 10.x software. When the failure occurs, the last three lines in the /var/tmp/install/session.log file are:

   install.error: An installation error has occurred; code 130
   install.debug: Session ended
   install.error: Critical failure; no fallback possible.

To work around the issue, you can use install the software using the PXE or thumb drive methods.


6900 platform with FIPS card (CR117492)
If you are running version 9.4.7 software on the 6900 platform with a Federal Information Processing Standards (FIPS) card, and you want to upgrade to BIG-IP version 10.x software, you cannot do so with a 10.0.x release. There is no support for FIPS on the 6900 platform in version 10.0.x software. You must wait for a later 10.x release to upgrade a 6900 system with a FIPS card.

Highlight movement on initial key press (CR117809)
If you run the grub_default -d command to view the boot configuration information of the grub.conf file, the initial arrow key press moves the menu selector highlight two spaces instead of one. After, the initial key press, the arrow keys operate normally when maneuvering (meaning that if you press the arrow keys once, the highlight moves one space in the arrow direction).

Enterprise Manager and BIG-IP software version 10.0.0 (CR118049)
Enterprise Manager software versions 1.2, 1.4, 1.6, and 1.7 do not support BIG-IP system software version 10.0.0. There is no workaround for this issue.

Suspended processing on reboot and delay of serial failover on 8900 redundant systems (CR118208)
It is possible for the BIG-IP 8900 to sometimes suspend processing for as long as four minutes after a reboot has been commanded. This delay can interfere with signaling a peer over the serial failover cable in a redundant system configuration. Until this issue is resolved, always use network failover for redundant system configurations containing 8900 platforms. To work around the problem in the interim, when the suspended processing delay occurs, you can immediately reset the system using the Always-On Management (AOM) Command Menu by pressing the key sequence Esc ( 3 y. For more information about this issue, see SOL9872: A stall during a reboot may delay serial failover on a BIG-IP 8900 high availability pair. For more information about AOM, see SOL9403: Overview of the Always-On Management (AOM) subsystem.

Amber Alarm LED (CR118217)
The front panel Alarm LED turns amber within approximately 60 seconds after initialization on a TMOS®, BIG-IP® 6900, or BIG-IP 8900 system. This is the result of the system treating an informational message, Unit Going Active, as a warning. There is no error/warning condition present, and you can clear the Alarm LED by pressing the Check key twice on the LCD panel.

Classes in configurations and upgrade (CR118866)
If you roll forward a version 9.4.x configuration that contains a defined class that does not exist, the resulting configuration fails to load. This is correct functionality. Previous versions did not validate whether defined classes existed before rolling forward a configuration. You can work around this issue by ensuring the external class file has been created on the system before loading a configuration that references it. If the external class is no longer required, you can remove the class definition that references the nonexistent class file. For more information, see the associated Solution in the SOL10139: A configuration referencing a nonexistent external class file fails to load.

Blade swap and VLAN MAC addresses (CR119247-1)
When you swap a blade to the same slot in a different VIPRION® chassis, the system uses VLAN MAC addresses based on the old chassis. The workaround is to avoid moving a blade to the same slot in another chassis. If necessary, shift blades around in the target chassis so that the incoming blade always goes into a slot that is different from the one it came out of.

bigpipe persistence profile creation error (CR119976-1)
When you upgrade from 9.3.x or 9.4.x and roll forward a configuration containing persistence profiles that use a cookie method setting of hash, the configuration might not load, and the system posts the following error: BIGpipe persistence profile creation error: 01070695:3: timeout immediate (or 0) invalid for persist mode given in persist profile <name>. This occurs because timeout must be set to a value other than 0. To ensure that your configuration loads correctly, before you upgrade, make sure that any cookie persistence profiles utilizing a cookie method setting of hash have the timeout specified. To do so, run the command b profile <name> timeout <value>, where <name> is the name of the profile utilizing a cookie method of hash, and <value> is either indefinite, or a number from 1 to 2147483647. Then save your configuration and try the upgrade again.

Message err clusterd[2707]: 013a0004:3: Error deleting cluster mgmt addr, HAL error 7 (CR120321)
After installing, you might see a message similar to the following in the ltm log file. Apr 23 11:38:16 slot3/p4-019 err clusterd[2707]: 013a0004:3: Error deleting cluster mgmt addr, HAL error 7. This message is benign, and you can safely ignore it.

Roll forward from 9.x and Application Security Manager and Global Traffic Manager (CR120828)
When you roll forward a 9.x user configuration set (UCS) file that is configured for Application Security Manager and Global Traffic Manager, provisioning for Global Traffic Manager is not enabled. To enable Global Traffic Manager using the browser-based Configuration utility, in the navigation pane, expand System, and click Resource Provisioning. In the Module Resource Provisioning section, select the provisioning level you want from the Global Traffic (GTM) and Link Controller (LC) drop-down lists.

Neighbor Solicitation messages and IPv6-formatted addresses (CR120842)
When you have an IPv6-formatted IP address, and a node sends a Neighbor Solicitation message whose hop limit is not equal to 255, the system should ignore the message; however, it fails to ignore it. There is no workaround for this issue

mysql database volume and deprovisioning (CR120943)
If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information on locating and removing an unneeded mysql database volume, see the associated Solution in the Ask F5 Knowledge Base.

Second hard disk on the 8900 and version 10.0.0 (CR121134)
The 8900 platform comes with version 10.0.1 installed both hard drives. If you decide to downgrade to version 10.0.0, the software installs correctly. However, the version 10.0.0 software management scheme was not designed to work with a second hard drive. If you downgrade to version 10.0.0 on the second hard drive, do not operate on the second hard drive using the b software commands or the Software Management screens in the browser-based Configuration utility.

Delete all VLANs using iControl and blade errors (CR121237)
Using iControl to delete all VLANs causes the primary blade on a VIPRION® system to go offline. To work around this condition, use the iControl Networking.VLAN.delete_vlan function to delete each individual VLAN. If your system is already in this condition, reboot the blade or issue a bigstart restart command on the affected blade.

VIPRION and switchboot (CR121301)
The VIPRION® system does not support the switchboot command. Instead of using the switchboot command, you can run the command bigpipe software desired HD1.<volume> active enable to reboot the blade (and the rest of the cluster if you run the command on the primary blade) into the specified installation location.

Sensor check fan speed data (CR121475)
In this release, the command b platform may report fan speeds as high as 19 KB RPM on some BIG-IP 1600 and BIG-IP 3600 units. Also, if a fan is malfunctioning, the command system_check -D may report incorrectly that the fan is properly functioning. To get correct fan speed and temperature readings for these units, you can use the End User Diagnostics (EUD) software.

Garbage characters on console with different baud rate on host and AOM (CR131108, CR132835)
The serial console baud rate of systems with Always-On Management (AOM) (1600, 3600, 3900, 6900, and 8900 platforms) can be corrupted if you install using a serial console baud rate other than 19200. When the corruption occurs, you see garbage characters on the serial console. To prevent this issue, change the baud rate to 19200 before installing. When reboot after installation is complete, you can set a different baud rate.

LCD and baud rate changes (CR131168)
In this release, when you use the LCD to change from a higher baud rate down to 19200, the host serial console can become garbled, while Always-On Management (AOM) displays correctly. To recover, reboot the system. Note that you can successfully change baud rates for the host from low to high using the LCD, and output is not garbled.

image2disk utility from version 9.4.5 (CR131343)
The version of the image2disk utility that shipped with version 9.4.5 does not support the -format option. You can install a new version of the image2disk utility from a version 10.x ISO. First, to uninstall the version of the utility that shipped with 9.4.5, run the command rpm -e tm_install-2- The command removes the utility, but posts no message at completion. Then, to install a new version of the utility, run the command im /var/tmp/<iso_file>. For more information, see SOL10702: The image2disk utility that shipped with BIG-IP version 9.4.5 does not support the --format option.

diskinit and sfdisk error (CR131441)
If you run the diskinit utility with no arguments, and then run the diskinit utility again with options or run the image2disk utility without rebooting, the operation fails and posts an error similar to the following message:

error: sfdisk failed; bc_ratio=8032.58652549568, total_KiB=160836480, total_cyl=20023

To work around this error, you must have console access to the system, either through a console server or directly through the serial connection. Once you boot into the MOS, you lose connection with the system. At the command line, type mosreboot to reboot into the Maintenance Operating System (MOS). Once reboot is complete, you can reformat the disk by typing diskinit –style [volumes|partitions], or you can install using the appropriate image2disk commands.

Inband monitors on Fast L4 virtual servers and PVA acceleration (CR131555)
On a system using Packet Velocity® application-specific integrated circuit (ASIC) version 2 (PVA2) and version 10 (PVA10), specifically the 3400, 6400, 6800, 8400, and 8800 platforms, if you configure an inband monitor on a virtual server configured for Fast L4 traffic, the Traffic Management Microkernel (TMM) never receives the traffic necessary to mark pool members up or down. You can work around this issue by setting Fast L4 Profile option PVA Acceleration to Assisted on these platforms.

AUTH_RESULT and suspend commands (CR140154)
This release does not support using a command that suspends iRule processing (session, persist add/lookup/delete, table, after) in the AUTH_RESULT event in an iRule. There is no workaround for this issue.

Installing hotfix and waiting for image message (CR140238)
When you apply a version 10.x hotfix, the base software ISO image must be present in the /shared/images directory, along with the hotfix image. If there is no base software ISO image, no hotfix update operation begins, and the system presents a message similar to the following: waiting for image (BIG-IP 10.0.1 402.16). This message is misleading. The system is actually waiting for the base image. For example, for version 10.0.1, the base image is BIGIP- To work around this issue, copy the base ISO image file to the /shared/images directory, and try the hotfix update again.

Hotfix installation and formatting for volumes (ID 349340)
You cannot simultaneously move to logical volume management (LVM) and install a hotfix. If you run the image2disk command with both the --hotfix and --format=volumes options, the system completes the hotfix installation, but does not format the drives. To work around this issue, format the system for volumes first, and then install the hotfix update.

[ Top ]

Contacting F5 Networks

  Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Additional Comments (optional)