Original Publication Date: 11/19/2015
This release note documents version 1.0.0 of BIG-IQ Cloud. BIG-IQ Cloud 1.0.0 is available as a Virtual Edition image only. An ISO image is not available.
Cloud administrators can use BIG-IQ Cloud to supply tenants with on-demand access to resources such as networks, servers, storage, applications, and services. These cloud resources can be located on BIG-IP devices in a private local network, a public third-party cloud service, or a combination of both.
Tenants have restricted and dedicated access to resources based on their unique tenant role and user account. Cloud space can be expanded, retracted, and reallocated to tenants as needed, providing flexible resource balancing.
To properly display, the BIG-IQ system requires that your screen resolution is set to 1280x1024 or higher.
This release supports the following browsers and versions:
SOL14592 provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IQ Cloud version 1.0.0 documentation page.
For procedures about specifying network options and performing initial configuration, refer to the BIG-IQ System: Licensing and Initial Configuration guide.
|ID Number||Functional Area||Description|
|540595||Cloud||Protocol compatibility improvements in AWS EC2 connector.|
|509751||Cloud||Updating Applications through the default UI has been fixed.|
|505313||Cloud||During click-to-provision VE for NSX, the user specifies the external network and the IP pool to use (vNIC #1). This IP pool's default gateway will be used as the TMM default gateway.|
|497497||Cloud||If the user wants to use VLAN-based network for existing BIG-IP chassis, the user can either specify existing VLANs or new VLANs. The user will need to manually create the new VLAN and SELF-IP on the BIG-IP chassis.|
|485374||Cloud||The iApp that was causing the cluster to register out of sync has been removed.|
|532459||Device||Though BIG-IQ does not have full support for vlan-group and tunnel objects, BIG-IQ can now discover BIG-IP devices with Self IPs that reference a vlan-group or tunnel.|
|530721||Device||When properly configured, Device Managers now have permission to view the following device properties: self-ips, vlans, interfaces, and routes.|
|531786||Device||Improved SMTP Destination worker credential handling.|
|531701||Device||Improved device discovery task worker credential handling.|
|534129||Device||SNMP settings are now configurable per-device in an Active/Active setup.|
|537009||Device||Pool licenses no longer display date fields if the license never expires.|
|520818||Device||UCS backups triggered an extended period of high CPU usage. This was due to background search-query optimizations combined with the "Highlight Related Items" feature. The "Highlight Related Items" feature is now disabled in the Device module to avoid this issue.|
|521277||Platform||Searches in the object editor are now optimized.|
|516875||Platform||Fixed CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, and CVE-2015-0288.|
|531778||Platform||The circumstances that caused the Null Pointer Exception are now anticipated and these will be logged. The Exception will no longer be propagated back to the UI.|
|533733||Platform||SMTP notifications that previously stopped working when authentication was required on the server side now perform correctly.|
|531735||Platform||Improved device group credential handling.|
|519414||Platform||Fixed bug where failed aggregation tasks would block generation of health alerts.|
|532195||Platform||Improved handling of special characters when using LDAP authentication.|
|526428||System||BIG-IQ can now connect to configured SMTP servers with no authentication.|
|ID Number||Functional Area||Description|
|520908||Platform||The disk capacity for the BIG-IQ system was previously 55 GB. Starting in this release, the disk capacity is increased to 95 GB.|
|525980||System||The install options have been replaced with a single checkbox to 'Reboot to target volume'.|
|ID Number||Functional Area||Description||Workaround (if available)|
|558584||Cloud||An administrative user creates a group of tenant users and grants access to the tenant role. Tenant users log in but are unable to see tenant resources.||Do not use Group functionality for tenant users. Instead, grant the tenant role directly to each tenant user account.|
|557613||Cloud||The wrong help content can be shown after moving from one module to another. Confusing and incorrect help content could be shown. Occasionally seen when moving from one module to another.||Help content is context sensitive and can be updated by clicking again on the part of the form where help is needed.|
|557660||Cloud||BIG-IQ Cloud 1.0 supports only the Pool licensing model for VEs. The included UI and APIs will activate Utility and Volume licenses, but these models are not supported for 1.0 workflows.||Do not issue or use Utility or Volume licenses on BIG-IPs managed by BIG-IQ Cloud 1.0.|
|557341||Cloud||Racing internal processes cause these messages to be logged to /var/log/restjavad.0.log: [SEVERE][10 Nov 2015 03:33:12 UTC][8100/cm/cloud/tenants/apic-common-default-52870/services/iapp/~apic_52870~WebGraph-ADC-5507.app~WebGraph-ADC-5507/servertiers ServerTierCollectionWorker] Failed to send update to self: java.lang.IllegalArgumentException: Invalid generation. Need 5, received 4||Ignore these messages.|
|555952||Cloud||User is unable to manage a vCMP guest that was previously successfully managed by BIG-IQ. This occurs upon a subsequent discovery of a vCMP guest. Discovery of vCMP guest fails. The UI prompts the user to upgrade the REST framework, but the user is unable to do so. The vCMP guest is removed from list of devices managed by BIG-IQ.||Delete the failed device record and re-discover it using an API instructing BIG-IQ to explicitly ignore the REST framework version. To do so, run the following commands:
curl -k -u admin:password https://BIG-IQ_address/mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices -d '
|Cloud||User cannot set the HTTP Redirect option under the Device Config Folder in APIC. This occurs when using the HTTP Redirect Option under Device Config Folder in APIC. Cannot associate an HTTP Redirect on a Virtual Server from APIC. The _sys_https_redirect iRule can be used, but a user cannot use another iRule.||Use the http_redirect iRule. When filling in parameters in APIC do the following:
1) Go to Device Config :: Local Traffic :: iRule.
|548373||Cloud||A BIG-IP VE can only be used with one APIC context. (Physical BIG-IPs and vCMP guests work with multiple APIC contexts.) When adding a BIG-IP VE to a second APIC context, it will fail, but the failure will not be reported to APIC correctly. The failure is only in the debug.log on the APIC host. This issue will be addressed when a future release of APIC supports trunk ports. This occurs when using a BIG-IP VE and attaching it to more than one APIC context.||There are two workarounds: either use a distinct BIG-IP VE per context, or use physical BIG-IPs or vCMP guests.|
|553544||Cloud||The tenant user view of tenant templates lists variable names instead of variable descriptions. Information from the override descriptions set in a provider template will not be visible to tenants in the tenant template through the UI.||All relevant tenant template information is available through the API.|
|483048||Cloud||Cannot modify HA self-IP address. Once you set up a device cluster with the device package, you cannot change the self-IP address used for high availability configurations.||Recreate the device cluster.|
|552889||Cloud||Discovering a BIG-IP system using the Device module does not discover it in the Cloud module, and vice versa. It might appear as if all BIG-IP systems have been discovered. This occurs when discovering a BIG-IP system using the Device module or the Cloud module.||Discover BIG-IP systems in the Cloud portion of the UI, and then add them from inventory to the Device portion, or vice versa.|
|549939||Cloud||If you try to modify the HA VLAN tag of an APIC device cluster, it will not change.|
|533923||Cloud||There are many options/settings that a user can specify in the VMware/NSX UI that are ignored by BIG-IQ. There are also major features that cannot be used with a BIG-IP load balancer. In the NSX UI, under the 'Virtual Server' feature, a dialog box appears when a user deploys (or edits) a virtual server. Because BIG-IQ is using a catalog item derived from an iApp, and the NSX UI 'Virtual Server' fields listed below are only used with the NSX Load Balancer, they are ignored when using Service Insertion with F5. In the General Tab of the Virtual Server, the following are ignored by BIG-IQ: Description, Protocol, Port, Connection Limit, Connection Rate Limit. In the 'Pools' feature, when the user creates/edits a pool, the following are ignored: Description, Algorithm, Algorithm Parameters, Monitors. In the 'Pools' feature, when the user adds/edits Members of the Pool, the following are ignored: Port, Monitor Port, Weight, Max Connections, Min Connections. When a user creates a catalog entry for f5.http or f5.http:ssl-offload, the only tenant editable options under the 'Customize Application Template' that are visible on the NSX UI are: Net Snatpool Member: Addr; Pool Host: Name; Pool Members: Addr. All other Pool Members settings (Connection Limit, Port, Port Secure, Priority, and Ratio) do not appear in the Advanced Tab for the Virtual Server. When users navigate to an NSX Edge that they wish to associate with a BIG-IQ connector, they can select the 'Manage' tab and select 'Load Balancer'. On the right side, they can select features to manage ('Global Configuration', 'Application Profiles', 'Service Monitoring', 'Pools', 'Virtual Servers', and 'Application Rules'). Currently the only features available to the users are: 'Global Configuration', 'Pools', and 'Virtual Servers'.||None.|
|508469||Device||If a managed BIG-IP has a large (more than a few minutes) clock skew from BIG-IQ, the BIG-IQ may receive 401 authorization errors from the BIG-IP. BIG-IQ cannot manage the device. BIG-IQ managing a BIG-IP with a large clock skew.||Set the system time on BIG-IP to reduce the clock skew. Alternatively, configure the BIG-IP and BIG-IQ to use the same NTP server to automatically keep the system time in sync.|
|555083||Device||In a BIG-IQ cluster, the provisioned BIG-IP VE device health may report invalid framework upgrade status. The API/UI reports invalid framework upgrade status. Provisioning of BIG-IP VEs in a BIG-IQ cluster of 2-3 BIG-IQs.||Please verify the framework version as appropriate to ignore the framework status.|
|556693||Device||User activates a pool of more than 90 licenses and attempts to license 90+ BIG-IPs.||Do not use a license pool larger than 75 with BIG-IQ Cloud 1.0.|
|474742||Device||While running a Deployment Job to perform a Factory Install, the job might fail to re-discover the target device, causing the job to time out with the following message: "Attempting preliminary device configuration", "Attempting to re-discover device", and "Rediscovering device failed, retrying". The message "Rediscovery failed in job <job ID>, will retry" may periodically be logged in /var/log/restjavad.0.log on the BIG-IQ. It's also possible in some cases for the job's message field to simply report "Attempting to re-discover device" until the job times out. Deployment jobs doing a factory install of an older BIG-IP software version will not be able to complete. The target device will be left unconfigured. The target device may also become unreachable over its management interface when its DHCP lease expires, because the deployment job is unable to disable DHCP on the management interface. The discovery process requires updating the version of the framework on the target device in order for discovery to complete. Currently Deployment Jobs are not able to cause a REST framework update to occur, so the discovery process cannot complete. When discovery fails in a deployment job it is assumed that the cause could be related to the device being in a transitional state following reboot, and therefore the discovery is retried indefinitely until the job times out.||This occurs when the BIG-IP device is running a version that requires an update of the REST Framework. To work around this issue, select the Update Framework check box for this device and re-run the deployment job.|
|556610||Device||You cannot select an end date for a scheduled backup when using Internet Explorer (IE) versions 9, 10, or 11. Cannot schedule a backup with an end date. This occurs when you select an End Date to schedule a backup in IE versions 9, 10, or 11.||Use a different browser, such as Chrome or Firefox, or another version of IE. If you use IE versions 9, 10, or 11, do not specify an end date.|
|501508||Device||BIG-IQ file upload operations (such as importing devices or uploading software images) do not work when using Internet Explorer versions prior to 10, because those versions do not contain the HTML5 file API required to upload files to a BIG-IQ system. This occurs when Internet Explorer 9 is used to upload files.||Use Microsoft Internet Explorer version 10 or later, Mozilla Firefox version 29.x and later, or Google Chrome version 34.x and later.|
|557194||Device||The Certificate panel does not display if you are logged in as the Device Manager role. 'Certificate' blade is missing. User logged in 'Device Manager' role.|
|514164||Device||The BIG-IQ system does not check storage availability before it downloads a UCS backup file. This could cause the BIG-IQ system to use all the storage when creating a backup. All storage space is consumed. This might occur when executing backups without sufficient storage space on the device.||To avoid this issue, configure an alert condition for the /shared/ucs_backups file so you are notified when storage is reaching a specific threshold. The alert conditions are set from the BIG-IQ Systems group > Properties > Alert Conditions screen.|
|558058||Platform||The system is unresponsive and the following message appears in /var/log/restjavad.0.log: [SEVERE][12 Nov 2015 16:08:21 UTC][8100/shared/tmsh-parser ShellParserWorker] Failed to retrieve group resolver state. Error: com.f5.rest.common.RestWorkerUriNotFoundException: URI path not registered. Please verify URI is supported and wait for /available suffix to be responsive.||Run the following command: bigstart restart restjavad icrd|
|516565||Platform||Events not associated with any local traffic management are shown in /var/log/ltm. BIG-IQ logs system and other events to /var/log/ltm. This occurs when BIG-IQ is in use, whether or not LTM is present in the environment.||BIG-IQ uses /var/log/ltm for system events and other messages because it is based on the TMOS architecture. Events can be reconfigured into different local logs or off-box logging, if desired.|
|553898||Platform||The BIG-IQ user interface login box appears and valid credentials are entered, but login is not successful. /var/log/restjavad.0.log is filled with messages similar to the following: [WARNING][22 Oct 2015 14:00:12 UTC][8100/shared/authn/login AuthnWorker][logAndFailDrainedOperation] URI:http://localhost:8100/shared/authn/login, Referrer:10.255.252.111, Method:POST, Exception:java.util.concurrent.TimeoutException: remoteSender:10.255.252.111, method:POST||Restart the restjavad process by running the following command on the command line: bigstart restart restjavad|
|557480||Platform||During provisioning of BIG-IP 18.104.22.168.0.442 VE on NSX, the framework upgrade process downloads rpm files to /var/config/rest/downloads. This fills up /var temporarily and the device appears unhealthy. BIG-IP 22.214.171.124.0.442 VE appears unhealthy for an hour or so. This occurs when provisioning BIG-IP 126.96.36.199.0.442 VE on NSX.||1) The downloaded rpm files in /var/config/rest/downloads are removed in an hour, so the device becomes healthy then. 2) Enable the admin's shell access to BIG-IP and remove the downloaded rpm files after provisioning.|
|553957||Platform||A "Group" property dropdown with unsupported options is shown when adding a peer BIG-IQ through the System module UI. Adding BIG-IQ HA peers could be interrupted by selecting unsupported options in the UI.||Select "HA Peer Group"; the other listed groups are not supported.|
|557847||Platform||If secondary BIG-IQs crashed during the initial Active/Standby HA setup, the secondary may end up in HA Error state on restart. You must destroy the HA cluster by removing the peer BIG-IQ and recreate the Active/Standby HA again. Active/Standby HA fails to set up. This occurs when the secondary crashed after the initial Active/Standby HA setup.||After setting up Active/Standby HA, an admin should verify that the secondary is in a good state (no HA Error) on restart.|
|553670||Platform||After promoting the peer device to primary in a BIG-IQ HA setup, the UI of the new primary system may come back and be accessible before all entries in the blades are populated. A finite amount of time may be needed to populate the yet to be filled in data.||A browser refresh may expedite recovery.|
|550394||Platform||When a HA sync is performed, the storage from the primary will overwrite the storage on the secondary. This causes any active sessions to terminate on the secondary because the auth tokens are overwritten. Minimal. Users should not be using the secondary because any changes made on the secondary will be overwritten on the next sync.||Log back into secondary.|
|521867||Platform||Software upgrade fails with "create_ucs failed; No such file or directory" error. The BIG-IQ configuration is not loaded on the upgraded boot location and the software upgrade is marked as failed. The /shared partition has a limited amount of free disk space. The amount of free space required will vary based on the configuration on the BIG-IQ, but the amount required should be approximately double the size of the /var/config/rest directory.||To avoid this issue, /shared needs to have additional free space. This can be accomplished by deleting files from the /shared disk partition or extending the disk partition to be larger (procedure described in SOL14952)|
|528253||Platform||Without the Roles panel, the non-admin user cannot determine their administrative-role assignments.|
|497373||Platform||When the BIG-IQ system discovers or re-discovers a multi-slot VIPRION device, it prompts the device to upgrade its framework, regardless of its current version. This happens with any framework revision present on the VIPRION device. All multi-active-slot devices are affected. Framework upgrade is triggered.||Always allow discovery to upgrade the framework, even in cases where it seems unnecessary. You can only discover devices with multiple active slots through the command line. The BIG-IQ system cannot validate the existing framework revision with this technique.|
|551729||Platform||The 'Users' blade spins constantly and no users are populated. This occurs with an LDAP/RADIUS auth provider and a missing username.||1. Identify the provider: restcurl cm/system/authn/providers/radius or restcurl cm/system/authn/providers/ldap 2. Find the users with no name: restcurl cm/system/authn/providers/radius/3918ff0c-a6c4-470c-a7d7-09f91648a084/users 3. Delete the user with no name: restcurl -X DELETE cm/system/authn/providers/radius/3918ff0c-a6c4-470c-a7d7-09f91648a084/users/ed2d2dca-e78e-47ea-b8d9-f14f91623d13|
|510102||Platform||Firefox version 30 or greater, and Internet Explorer version 11 or greater ignore the autocomplete="off" attribute in HTML. If the password autofill behavior is not desired, the user should disable the feature in their browser. When using one of these browsers with their default autofill or password management settings, the browser might automatically populate a password field in the BIG-IQ user interface.||One workaround is to disable the autofill or password management features of the browser. Another workaround is to use the Google Chrome browser, which still honors autocomplete=off in HTML.|
|496091||Platform||You might not be able to click-to-provision a BIG-IP VE machine on an ESXi host if there is a time stamp issue on the ESXi host. The BIG-IP VE will not be fully provisioned.||To determine if this is a time issue, view the BIG-IQ system /var/log/restjavad.0.log file and look for something similar to the following line: Illegal state, startTime is before oldStartTime: startTime=Wed Dec 10 22:10:27 GMT 2014; oldStartTime=Wed Dec 10 22:25:41 GMT 2014. To resolve this issue, refer to the VMware ESXi documentation to set the NTP server or fix the NTP issue and then restart the click-to-provision VE process.|
|558049||Platform||After restarting BIG-IQ or restjavad, the user notices a SEVERE message in /var/log/restjavad.0.log: [SEVERE][11 Nov 2015 15:46:00 UTC][8100/cm/asm/working-config/signatures-defaults-loader LocalSignaturesDefaultsHelperWorker] java.util.concurrent.CancellationException: onShutdown() called. Although the SEVERE log message appears significant, this is a benign error message that can be safely ignored. This occurs when the user restarts the BIG-IQ device or the restjavad process.||None needed. This is a cosmetic message that can be ignored.|
|517723||Platform||In some cases, you cannot access the BIG-IQ system user interface using Mozilla Firefox version 37 or later. The BIG-IQ GUI becomes inaccessible or unusable with Firefox 37 or greater. This occurs when you access the BIG-IQ GUI from Firefox 37 or greater.||To work around this issue, delete the Firefox cert8.db file or open Firefox and click Help :: Troubleshooting and go through the Refresh Firefox process. Alternatively you can use Chrome or Internet Explorer to access the BIG-IQ system.|
|481360||Platform||An erroneous warning icon with a 'Device is not available' error might appear in either the BIG-IQ Device or BIG-IQ Security areas for managed BIG-IP devices even though the BIG-IQ system can reach those devices. The system posts the erroneous error message that the device is not available. However, you can still reach the system via HTTPS and SSH. There is no functional issue with the BIG-IP system. The actual issue is that the BIG-IQ fails to provide the correct status. The specific conditions under which this occurs are not easily reproducible.||None.|
|490343||Platform||The framework upgrade process on a BIG-IP vCMP guest that spans multiple slots on the host system fails with the following error: "Discovery Failed: Failed to upgrade REST framework on 172.27.78.240: java.lang.IllegalStateException: One or more slot upgrades failed." RJD remains a backlevel version. Some functionality might be limited. When a vCMP guest BIG-IP resides in a hypervisor guest that spans multiple slots on the host system, the REST framework for that BIG-IP cannot be upgraded through the automated process.||Warning: Do not perform the following procedure on BIG-IP devices running version 12.0.0. To work around this issue, run the following commands to manually update the framework: "cd /usr/lib/dco/packages/upd-adc/" and "./update_bigip.sh"|
|499273||Platform||When managing a large number (dozens to hundreds) of devices, you might notice that memory utilization for the BIG-IQ system is high and that OutOfMemory exceptions are reported in /var/log/restjavad.*.log or the /var/tmp/restjavad.out file. If restjavad is indeed leaking socket connections, it will eventually run out of file descriptors and/or report OutOfMemory exceptions in /var/log/restjavad.*.log or /var/tmp/restjavad.out. BIG-IQ restjavad expires outbound REST operations that have not completed after 60 seconds. This can occur when a managed BIG-IP is unresponsive or there are network communication problems. The following shell command shows sockets that are not being closed over time: lsof -p <restjavad PID>||If you cannot communicate with the managed BIG-IP devices, attempt to fix any network communication problems by pinging or routing the BIG-IP device from the BIG-IQ system, and then restart the restjavad process on the BIG-IQ system by typing the following command: # bigstart restart restjavad|
|513613||Platform||If someone makes a modification to the certificate information on a managed device (for example, changing the certificate's canonical name), that device becomes unavailable to the BIG-IQ system managing it. Functional, performance degradation. Any attempt to communicate with the BIG-IP device fails until restjavad is restarted on the BIG-IQ device. However, even after the restjavad restart, although BIG-IQ-to-BIG-IP device communication is restored, subsequent changes to the certificate will again disrupt communication. This occurs with BIG-IQ 4.5 managing BIG-IP devices whose device certificates change.||There are two workarounds for this situation. The first (A) is the recommended workaround. Workaround A.) With this solution, communication (and device discovery) is restored and socket reuse is disabled for the BIG-IQ system. Disabling reuse can impact performance, but future changes to the authentication certificate do not disable management for the device. 1. Using SSH, log in to the BIG-IQ system as root. 2. Stop restjavad by typing the command, bigstart stop restjavad. 3. In /etc/bigstart/scripts/restjavad, edit ARGS="--port=8100 ..." to read as follows: ARGS="--port=8100 --isConnectionReUseDisabled=true ...". 4. Start restjavad by typing: bigstart start restjavad. Workaround B.) With this solution, communication (and device discovery) is restored, but future changes to the managed device's authentication certificate again disable device management and require a restjavad restart. 1. Using SSH, log in to the BIG-IQ system as root. 2. Start restjavad by typing the command, bigstart start restjavad.|
|532781||System||The UI reports the memory that is allocated to the BIG-IQ VE as 4096 MB, even if more memory has been allocated to the VE. To view memory allocated to a VE, the user must use the CLI or hypervisor reporting. This occurs when more than 4 GB of memory is allocated to a BIG-IQ Virtual Edition.||Use the free command from the CLI to see how much memory is allocated to the VE.|
|514694||System||Forms containing usernames and passwords in a Mozilla Firefox browser might not function as expected. The values for username and password display, but you cannot click the button to submit. The user may not understand why the form cannot be submitted. This would occur only in the Firefox browser, and only if the "remember passwords for sites" feature is enabled. It may also occur if the user has installed a third-party password management utility as an add-on to Firefox.||Use one of the following solutions to work around this issue: 1) From the Preference setting of the Security section, disable the "remember passwords for sites" feature. 2) Instead of using a Firefox browser, use Chrome or Internet Explorer to access the BIG-IQ system. 3) Retype the username and password values for all forms.|
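Several of the known issues above are recognized by a message in /var/log/restjavad.0.log, some benign and some with a listed workaround. The following added example (not part of the F5 release note) matches those quoted signatures against a log file and reports the issue ID, hit count, and the guidance from the table; the function names, the sample log, and the ID|count|guidance output format are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: triage restjavad log lines against the known issues in this
# release note. Signature strings and guidance are copied from the table;
# function names and the "ID|count|guidance" output format are assumptions.

triage_restjavad_log() {
    # $1: path to a restjavad log (for example /var/log/restjavad.0.log)
    awk '
    # Register one rule: issue ID, required substring, optional second
    # substring (both must be present on the same line), and guidance.
    function rule(id, s1, s2, advice) {
        n++; ids[n] = id; sig1[n] = s1; sig2[n] = s2; adv[n] = advice
    }
    BEGIN {
        rule("557341", "Failed to send update to self", "Invalid generation", "benign; ignore")
        rule("558058", "Failed to retrieve group resolver state", "", "bigstart restart restjavad icrd")
        rule("553898", "AuthnWorker][logAndFailDrainedOperation]", "java.util.concurrent.TimeoutException", "bigstart restart restjavad")
        rule("558049", "CancellationException: onShutdown() called", "", "benign; ignore")
        rule("496091", "startTime is before oldStartTime", "", "fix NTP on the ESXi host, then restart click-to-provision")
        rule("474742", "Rediscovery failed in job", "", "select Update Framework and re-run the deployment job")
    }
    {
        # Fixed-string matching with index() avoids regex escaping problems
        # with the brackets and parentheses in the log messages.
        for (i = 1; i <= n; i++)
            if (index($0, sig1[i]) && (sig2[i] == "" || index($0, sig2[i])))
                count[i]++
    }
    END {
        # Print only the issues that were seen, in rule order.
        for (i = 1; i <= n; i++)
            if (count[i] > 0)
                printf "%s|%d|%s\n", ids[i], count[i], adv[i]
    }' "$1"
}

write_sample_log() {
    # $1: file to create. Constructed sample built from the messages quoted
    # in the table; timestamps, paths and addresses are illustrative.
    cat > "$1" <<'EOF'
[SEVERE][10 Nov 2015 03:33:12 UTC][8100/cm/cloud/tenants/example-tenant/services/iapp/example.app/servertiers ServerTierCollectionWorker] Failed to send update to self: java.lang.IllegalArgumentException: Invalid generation. Need 5, received 4
[SEVERE][10 Nov 2015 03:33:14 UTC][8100/cm/cloud/tenants/example-tenant/services/iapp/example.app/servertiers ServerTierCollectionWorker] Failed to send update to self: java.lang.IllegalArgumentException: Invalid generation. Need 6, received 5
[WARNING][22 Oct 2015 14:00:12 UTC][8100/shared/authn/login AuthnWorker][logAndFailDrainedOperation] URI:http://localhost:8100/shared/authn/login, Referrer:192.0.2.10, Method:POST, Exception:java.util.concurrent.TimeoutException: remoteSender:192.0.2.10, method:POST
[SEVERE][11 Nov 2015 15:46:00 UTC][8100/cm/asm/working-config/signatures-defaults-loader LocalSignaturesDefaultsHelperWorker] java.util.concurrent.CancellationException: onShutdown() called.
[INFO][11 Nov 2015 15:47:02 UTC][8100/shared/example ExampleWorker] Unrelated informational line
EOF
}

# When run with a log path as the first argument, triage that file.
if [ "$#" -gt 0 ]; then
    triage_restjavad_log "$1"
fi
```

Lines that match no signature are not reported, so an empty result means none of the listed log-based issues were seen in that file.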
$ bigstart stop restjavad
mount -o remount,rw /usr
rpm -qa | grep f5-rest-java | xargs rpm -e --nodeps
mount -o remount,ro /usr
This removes the BIG-IQ system components from the BIG-IP device.
For additional information, please visit http://www.f5.com.