BIG-IP LTM and TMOS version 10.2

Upload: syahmie-ramley

Post on 07-Apr-2018


  • 8/3/2019 Big-ip Ltm and Tmos Version 10.2


1998-2011 F5 Networks, Inc. All rights reserved.

    This release adds support for the new Network Equipment-Building System (NEBS) compliant version of the BIG-IP

    11050 platform, and a NEBS-compliant version of our latest high performance blade (PB200) for the VIPRION

    platforms. For a VIPRION system to be completely NEBS-compliant, you must use a NEBS-compliant chassis and

    blades. For more information, see the setup guides provided with the hardware, and the Platform Guide: 11050 and

    Platform Guide: VIPRION platform guides.

    New in 10.2.0

    BIG-IP Local Traffic Manager Virtual Edition

You can now run the BIG-IP system in a virtual machine environment. BIG-IP Local Traffic Manager Virtual Edition (VE) is a version of the BIG-IP system that runs as a virtual machine, packaged to run with a VMware hypervisor on a machine running Microsoft Windows, or on a Linux-hosted machine. BIG-IP Local Traffic Manager Virtual Edition includes all features of BIG-IP Local Traffic Manager, running on the standard BIG-IP Traffic Management Operating System (TMOS).

    EtherIP tunneling between data centers

The EtherIP tunnel is designed as a generic way of bridging two remote data centers. To configure an EtherIP tunnel, you use VLANs that span pairs of BIG-IP systems in separate data centers. This enables uninterrupted support for existing IP connections before and after a live migration event in which the application resource is moved from the local to the remote data center.

    Application templates

This release includes additional application templates. An application template corresponds to a particular application, such as generic DNS traffic management, and provides a fast, efficient way to configure the BIG-IP system to process the associated traffic. The application templates added in this release are:

    Generic DNS

Microsoft Exchange 2010 Client Access server (CAS), (formerly known as Outlook Web Access), which supports Outlook Anywhere, POP3, and IMAP4 virtual servers

    VMware View

    XML content-based routing

    You can now route XML messages to different destinations based on specific content in a document. The system

    queries document content using an XML Path Language (XPath) expression, which assures fast, simple, and accurate

    operation. For example, you can specify a purchase-order (PO) routing scheme, in which the system routes a PO

    totaling less than $10k to one pool member, and a PO totaling more than $10k to another pool member.
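The purchase-order example above, as an added illustration that is not F5 code: the routing decision is simulated locally with Python's ElementTree, which evaluates a subset of XPath. The document layout (`<PurchaseOrder><Total>`), the $10k threshold, the pool names and the handling of a total of exactly $10k are assumptions; on the BIG-IP system the XPath query runs inside TMM.

```python
"""XPath-based routing decision, simulated locally.

Added example, not F5 code. It evaluates a purchase-order document against an
XPath-style query and returns the pool the XML profile would steer the message
to. The document layout, threshold, pool names and fallback are assumptions.
"""
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import ParseError

# Assumed routing rule: the query, the threshold and the pool on each side of it.
ROUTE = {"query": "./Total", "threshold": 10_000.0,
         "below": "pool_po_small", "at_or_above": "pool_po_large"}
FALLBACK_POOL = "pool_po_unroutable"   # where messages that cannot be evaluated go


def select_pool(document: bytes, route=ROUTE, fallback: str = FALLBACK_POOL) -> str:
    """Return the pool for one XML message.

    Malformed XML, a missing element or a non-numeric total all fall through to
    the fallback pool instead of raising: a router has to make a decision for
    every message, including hostile ones, and that decision should be explicit.
    """
    try:
        root = ET.fromstring(document)
    except ParseError:
        return fallback
    node = root.find(route["query"])       # ElementTree supports a subset of XPath
    if node is None or node.text is None:
        return fallback
    try:
        total = float(node.text.strip())
    except ValueError:
        return fallback
    return route["below"] if total < route["threshold"] else route["at_or_above"]


# Constructed sample messages.
SMALL_PO = b"<PurchaseOrder><Id>PO-1001</Id><Total>4999.00</Total></PurchaseOrder>"
LARGE_PO = b"<PurchaseOrder><Id>PO-1002</Id><Total>12500.00</Total></PurchaseOrder>"
BROKEN_PO = b"<PurchaseOrder><Total>12500"          # truncated on the wire
NO_TOTAL_PO = b"<PurchaseOrder><Id>PO-1003</Id></PurchaseOrder>"

if __name__ == "__main__":
    for doc in (SMALL_PO, LARGE_PO, BROKEN_PO, NO_TOTAL_PO):
        print(select_pool(doc))
```

The parser here reads attacker-controlled input, so a local replica of this logic should bound document size and guard against entity expansion before parsing; on the BIG-IP system that job belongs to the XML profile.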

Receive Disable String (RECV drain string) monitor option

In this release, you can configure the Receive String attribute and a new Receive Disable String attribute for HTTP, HTTPS, TCP, and UDP monitors. When configured in certain combinations, these attributes cause all existing connections to be methodically drained from the server instead of being dropped suddenly. This feature is helpful when you are planning to perform maintenance on the server. For configuration information, see Configuring Receive Disable String (RECV drain string) monitor option.

    Virtual Location monitor

The Virtual Location monitor optimizes end-user response time in environments with dynamic distribution of application resources across multiple data centers. When using the Virtual Location monitor, the BIG-IP system sets the Priority Group value of all local pool members to 2 (a higher priority). When a member of a load balancing pool migrates to a remote data center, the Virtual Location monitor lowers the member's Priority Group value to 1 (a lower priority). This value adjustment results in subsequent connections being sent to local pool members only, as long as any are available. If no local pool members are available, connections are sent to the remote pool member.
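The priority-group behaviour described above, as an added example that is not F5 code: members start in the local group (Priority Group 2), `migrate()` models the monitor dropping a member to the remote group (Priority Group 1) after it moves data centers, and `select()` models the load-balancing decision, where the highest priority group with an available member wins and a simple round-robin runs inside it. Member names are constructed; the real system also has a Priority Group Activation threshold, which the example fixes at "fall through only when no member of the group is available" to match the text.

```python
"""Priority group selection as the Virtual Location monitor adjusts it.

Added example, not F5 code. Members, names and the round-robin inside a
group are constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LOCAL_PRIORITY, REMOTE_PRIORITY = 2, 1   # values the Virtual Location monitor assigns


@dataclass
class Member:
    name: str
    priority: int
    available: bool = True


@dataclass
class Pool:
    members: List[Member]
    _next: Dict[int, int] = field(default_factory=dict)   # round-robin cursor per group

    def migrate(self, name: str) -> None:
        """The monitor saw this member move to the remote data center."""
        for member in self.members:
            if member.name == name:
                member.priority = REMOTE_PRIORITY

    def select(self) -> Optional[Member]:
        """Highest priority group with an available member wins; round-robin inside it."""
        available = [m for m in self.members if m.available]
        if not available:
            return None                       # nothing local or remote: the connection fails
        top = max(m.priority for m in available)
        candidates = [m for m in available if m.priority == top]
        index = self._next.get(top, 0) % len(candidates)
        self._next[top] = index + 1
        return candidates[index]


def make_pool() -> Pool:
    """Two local members and one member already in the remote data center (constructed)."""
    return Pool([Member("web1-local", LOCAL_PRIORITY), Member("web2-local", LOCAL_PRIORITY),
                 Member("web1-remote", REMOTE_PRIORITY)])


if __name__ == "__main__":
    pool = make_pool()
    print([pool.select().name for _ in range(3)])   # local members only
    pool.migrate("web1-local")
    print([pool.select().name for _ in range(2)])   # the remaining local member only
    pool.members[1].available = False
    print([pool.select().name for _ in range(2)])   # now the two remote-priority members
```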

    TCP persist timeout configuration (CR75559-8)

    There is now a TCP profile option for specifying the length of time that the TCP connection can receive zero-length

window probes before the system closes the connection. The Zero Window Length option has a default value of 20000

    milliseconds. If you set the value to 0 (zero), the system closes the connection immediately upon receiving a

    zero-length window probe. The timer starts when an effective window size becomes zero, and stops when the window

    size becomes greater than zero. When the interval reaches the value specified, the connection is terminated. This

    setting is useful for handling slow clients with small buffers, such as cell phones.

    User authentication lockout

    You can now deny access to a user after a configured number of failed authentication attempts. The administrator can

    then reset the lock to re-enable access for the user.

Release Note: BIG-IP LTM and TMOS version 10.2.1 http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/p 9/20/2011


    Public Key Infrastructure/Common Access Card (PKI/CAC) support

    The BIG-IP Kerberos Delegation authentication module has been extended so that the system can now transition SSL

    certificates to Kerberos credentials. More specifically, the BIG-IP Advanced Client Authentication component can

    offload SSL processing and authenticate the identity of an end-user based on an attribute obtained from a Common

    Access Card (CAC) certificate.

    BIG-IP Access Policy Manager on 3600, 3900, 6900, 6900 FIPS, 8900, 8950, and 11050

    platforms

    You can provision a free ten-concurrent-connection license of the BIG-IP Access Policy Manager module for web

    application access management on the following BIG-IP platforms: 3600 (C103), 3900 (C106), 6900 (D104), 6900

    FIPS (D104), 8900 (D106), 8950 (D107), and 11050 (E102). The BIG-IP Access Policy Manager is a software

    component of the BIG-IP hardware platform that provides your users with secured connection to Local Traffic

    Manager virtual servers, specific web applications, or the entire corporate network. For provisioning details, see

    BIG-IP Systems: Getting Started Guide. For more information about BIG-IP Access Policy Manager and its

    associated documentation, see Release Note: BIG-IP Access Policy Manager version 10.2.0.

    Module integration into the Configuration utility

In this release, the Application Security Manager module and Web Accelerator system are now fully integrated into the BIG-IP Configuration utility.

    Support for two new platforms

    This release provides support for the new 8950 and 11050 platforms, which are designed to provide superior

    performance. For more information, see Platform Guide: 8950 and Platform Guide: 11050, available in the AskF5

    Knowledge Base.

    Logging to RADIUS or TACACS+ accounting servers

When you configure the new logging to RADIUS or TACACS+ accounting servers feature, the BIG-IP system forwards audit log messages to remote Remote Authentication Dial In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) accounting servers in the appropriate logging format. For configuration information, see Configuring logging to RADIUS or TACACS+ accounting servers.


    Installation overview

    This document lists only the very basic steps for installing the software. The BIG-IP Systems: Getting Started Guide

    contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the

    getting started guide for all installation operations.

    Installation checklist

    Before you begin:

If using partitions, reformat for the 10.1.0 and later partition size, if needed (partitions created using version 9.x or 10.0.x do not accommodate the 10.1.0 and later software).

    Reactivate the license and update the service contract.

Have otherwise available, or download the .iso file from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)

Configure a management port.

    Set the console and system baud rate to 19200, if it is not already.

    Log on as an administrator using the management port of the system you want to upgrade.

    Boot into an installation location other than the target for the installation.

    Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copythe UCS file to a safe place on another device.

    Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.

    Turn off mirroring.

If you are upgrading from version 9.3.x or 9.4.x, run im to copy over the new installation utility.


    If you are running WAN Optimization Module, set the module's provisioning to Minimum.

    Installing the software

F5 offers several installation methods. Choose the method that best suits your environment.

Warning: Do not use the --nomoveconfig option described in the following table on systems with existing, running installations of Application Security Manager. Doing so removes all content from the associated database. Instead, ensure that the configuration on the source installation location matches the one on the destination. To do so, save the UCS configuration on the location you want to preserve, and apply that configuration to the destination before or after the installation operation.

    To install the software, use one of the methods described.

INSTALL METHOD                                                                          COMMAND

Format for volumes, migrate source configuration to destination                         image2disk --format=volumes

Format for volumes, preserve destination configuration (for fully 10.x environments)    image2disk --nomoveconfig --format=volumes

Install without formatting (not for first-time 10.x installation)                       bigpipe software desired HD.<location> version 10.x build <build> <image>.iso product BIG-IP

Format for partitions (for mixed 9.x and 10.x environments)                             image2disk --format=partitions

Install from the browser-based Configuration utility                                    Use the Software Management screens in a web browser.

(Angle brackets mark values you supply: the installation location, the build number, and the image file name.)

    Post-installation tasks

    This document lists very basic steps for installing the software. The BIG-IP System: Upgrading Active/Standby

    Systems and BIG-IP System: Upgrading Active-Active Systems contain details and step-by-step instructions for

    completing an upgrade.

    After the installation finishes, you must complete the following steps before the system can pass traffic.

1. Ensure the system rebooted to the new installation location.

2. Log on to the browser-based Configuration utility.

3. Run the Setup utility.

4. Provision the modules.

5. Convert any bigpipe scripts to tmsh. (Version 11.0.0 does not support the bigpipe utility.)

    Installation tips

The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.

    You can view a list of the image2disk utility options by running the command image2disk --help.

You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.

If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.

    Upgrading from earlier versions

    Your upgrade process differs depending on the version of software you are currently running. Software version 10.x

    introduced the ability to run multiple modules based on platform. The number and type of modules that can be run

    simultaneously is strictly enforced through licensing. For more information, see SOL10288: BIG-IP software and

    platform support matrix.

    Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys

    software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions.

    Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade

    from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a

    version 9.x installation method described in the version 9.x release notes to install the version 9.x software.


    Upgrading from version 9.6.x or 10.x

    When you upgrade from software version 9.6.x or 10.x, you can use the Software Management screens in the

    Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of

    the Configuration utility, expand System, and click Software Management. For information about using the Software

    Management screens, see the online help, or the relevant chapters in the BIG-IP Systems: Getting Started Guide.

Important: Upgrading a version 9.6.x platform to version 10.x also performs a BIOS upgrade. (You can find more information in the following Solution: SOL10633: BIOS update may be required before installing BIG-IP version 10.1.0 or later on the VIPRION platform.) If you also apply a version 10.x hotfix when you attempt the software upgrade, the operation fails to install the new BIOS. This can cause additional issues. For more information, see SOL10548: The BIOS of the VIPRION platform is not upgraded when installing BIG-IP version 10.0.x and a hotfix in a single step, and SOL10016: A VIPRION kernel panic occurs following an upgrade to BIG-IP version 10.x.

    Upgrading from version 9.3.x or 9.4.x

    If you plan to install this version of the software onto a system running 9.3.x or 9.4.x, you must perform a one-time

    upgrade procedure to make your system ready for the new installation process. When you update from software

    version 9.3.x or 9.4.x to 10.x, you cannot use the Software Management screens in the Configuration utility. Instead,

    you must run the image2disk utility on the command line. For information about using the image2disk utility, see the

    BIG-IP Systems: Getting Started Guide.

    Upgrading from versions earlier than 9.3.x

    You cannot roll forward a configuration directly to this version from BIG-IP version 4.x or from BIG-IP versions 9.0.x

    through 9.2.x. You must be running software version 9.3.x, 9.4.x, 9.6.x, or 10.x. For details about upgrading to those

    versions, see the release notes for the associated release.

Important: Beginning with version 10.0.0 of the software, a redundant system configuration must contain failover peer management addresses for each unit. If you roll forward a redundant system configuration from 9.3.x or 9.4.x, the units start up in an offline state because each one needs a failover peer management address. To configure the failover peer management addresses, navigate to System > High Availability > Network Failover, and specify the management IP address of the peer unit in the Peer Management Address field. Then do the same on the other unit in the configuration. Once you specify both IP addresses, the system should operate as expected. For more information, see SOL9947: Change in Behavior: The Peer Management Address setting is required for BIG-IP version 10.x systems configured for network failover.

    Fixes in 10.2.1

    The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in

    SOL12729: Overview of BIG-IP version 10.2.1 HF1 and SOL12778: Overview of BIG-IP version 10.2.1 HF2.

ID NUMBER  DESCRIPTION

ID 224391, CR135937  The system now correctly parses iRule if commands that contain an escape character previously described as a suspended command following an escaped newline character.

ID 224506  TCP connections on a FastL4 virtual server with mirroring enabled now have the handshake timeout set correctly.

ID 224726  Clustered multi-processing (CMP) enabled forward listeners no longer map ephemeral ports created for passive FTP clients to the incorrect VLAN when VLAN-keyed connections are disabled.

ID 224958  The CLIENTSSL_DATA event now fires correctly regardless of whether or not a pool or profile is configured.

ID 225448, CR139406  The system now correctly supports 4096-bit SSL keys to configure Server SSL profiles.

ID 225618  Session Initiation Protocol (SIP) support is now more stable when using the iRule drop command.

ID 225747  Enhancements have been made to the Traffic Management Microkernel (TMM) with respect to iRules and clustered multi-processing (CMP).

ID 225930  When the Client SSL profile was configured to require a certificate, the client would reject the ServerHello message due to excessive data, and the system logged a message such as: Apr 26 16:31:56 local/tmm1 info tmm1[5208]: 01260013:6: SSL Handshake failed for TCP from 10.10.7.163:20000 to 10.10.1.0:35937. This has been corrected, and clients no longer reject the ServerHello message.

ID 225957  Previously, when a pool member or node that had been set to Forced Offline was set to Enabled by a user, the pool member's or node's state would be set to Checking. Now, when a pool member or node is set to Enabled from the Forced Offline state, its status is set to Down until the associated health monitors bring it back up.

ID 226188  On early 8400 and 8800 platforms using the 10 Gig-E interfaces, frame sizes of 1514 and 1518 bytes no longer cause a connected switch to report frame check sequence (FCS) errors due to a mismatch between the physical MTU and the reported MTU.

ID 226397  FastL4 connections using SYN cookies and a profile with tcp generate isn set now work correctly.

ID 226399, ID 248017, CR141404  VIPRION systems correctly handle traffic after configuring a wildcard virtual server or a virtual server listening on UDP port 62720.

ID 226531  The WMI and Real Server monitors are now compatible with route domains.

ID 226783  BIND now responds correctly to DNS requests against IPv6 self IP addresses.

ID 226818, ID 226920  Enhancements have been made to SSL client certificate handling in resumed sessions.

ID 226969  Fragmented Datagram Transport Layer Security (DTLS) requests are now handled properly.


ID NUMBER  DESCRIPTION

ID 226971  The SSL filter now properly responds with a full SSL handshake when an SSL connection is renegotiated with Firefox and Safari browsers.

ID 227062  Diameter flows are now torn down more reliably.

ID 247801  When a static ARP entry is added while a dynamic entry exists for the same address, the static ARP entry takes precedence, and you no longer see two ARP entries for the same address.

ID 324272  Log messages for pool member status changes are no longer throttled, so that the system reports all pool member status changes.

ID 324276  Statistics query performance for pool members and node addresses has been improved.

ID 324283  The SNMP DCA monitor now sends the Community string properly to monitored nodes.

ID 324287  The bgpd service no longer intermittently sends corrupted route update messages to peers.

ID 324297  The High Speed Logging feature can now correctly log binary data.

ID 324299, ID 324310  Memory configuration issues on the 3900, 6900, and 8900 platforms with Local Traffic Manager, Application Security Manager, and WebAccelerator system modules have been resolved.

ID 324303  A memory leak and crash condition with SSL has been fixed.

ID 324325  Performance improvements have been made to the FIPS driver to enhance performance on platforms with Clustered Multi-Processing (CMP).

ID 324326  The BIG-IP system now supports pipelining for configured HTTP/1.0 clients.

ID 324329  Enhancements for Traffic Management Microkernel (TMM) stability now prevent a potential crash when an SSL renegotiation request is received after processing a shutdown event.

ID 324330  HTTP requests that did not specify the HTTP version (that is, HTTP version 0.9 requests) were erroneously reported as having a bad http version violation. This has been corrected.

ID 324334  An error with processing of packets smaller than 64 bytes and applying minimum size padding in hardware on platforms with HSB has been mitigated by switching to performing minimum size padding in software.

ID 324335  When using the ACCESS::session data get and ACCESS::respond combination in an iRule on systems with clustered multi-processing (CMP), the tmm service could have become unresponsive. This has been resolved.

ID 324337, ID 337159  Clicking the Update button on the Network Failover screen in the browser-based Configuration utility no longer triggers a failover operation, which caused the active unit to switch to standby.

ID 324345  This release fixes a kg_accept_krb5 function vulnerability tracked by the Common Vulnerabilities and Exposures (CVE) project, which assigned the ID CVE-2010-1321 to the problem. For more information about the vulnerability, see CVE-2010-1321.

ID 324348  Memory allocation for WebAccelerator system can now be provisioned by administrators.

ID 324355  The Generic HTTP virtual server application template has been updated to contain the correct syntax for the HTTP monitor.

ID 324361  On platforms with Packet Velocity application-specific integrated circuit (PVA), a restart of the pvad service no longer produces UDP path probes with bad checksum values, which caused the system to drop the packets. This issue has been resolved.

ID 324362  Under certain conditions in which the mcpd service received a high volume of messages, a timer became accelerated and triggered an early scrub of the Link Aggregation Control Protocol (LACP) packet registry, which prevented forwarding of packets, and resulted in lacpd warning messages in the logs. This version of the software corrects this issue.

ID 324363  This release fixes a GhostScript 8.70 and 8.64 parser function vulnerability tracked by the Common Vulnerabilities and Exposures (CVE) project, which assigned the ID CVE-2010-1869 to the problem. For more information about the vulnerability, see CVE-2010-1869.

ID 324364  Specifying GMT0 as the time zone no longer prevents the browser-based Configuration utility from updating the system configuration.

ID 324366  Users can now configure an SSL proxy between Enterprise Manager and a managed device.

ID 324368  Users who are not administrators or superusers (that is, users with the role of Manager) can now import/export on partitions for which they have access permissions.

ID 324372  Kerberos protocol transition now works with keep-alive settings.

ID 335621, CR140560  The mcpd process no longer restarts on secondary blades on the VIPRION system after resetting statistics on objects in administrative partitions other than the Common partition.

ID 336848  SSL certificates and their chain of authority certificates may now be contained in the same file.

ID 337378  Session tickets are now disabled for SSL sessions using COMPAT ciphers, which corrects an issue that occurred when session tickets were enabled.

ID 337382  Route domain selection is now honored properly for web applications with servers in route domains other than the default.

ID 338062  On 3400, 6400, 6800, 8400, and 8800 platforms (that is, platforms with Packet Velocity application-specific integrated circuit (PVA)), the system now correctly sends ICMP Unreachable - Fragmentation Needed packets to FastL4 virtual servers set for PVA assist.

ID 338148  Inherited Client SSL profile attributes changed on the parent are no longer out of sync between the primary and secondary blades on a VIPRION system.

ID 338708  The mcpd process no longer leaks memory when changes are made to node monitors in non-Common partitions.

ID 338827  IPv6 autoconfiguration now works across VLAN groups.

ID 338852  Full hardware acceleration is more accurately applied on 6800 platforms.

ID 339379  Traffic Management Microkernel (TMM) now responds correctly when the virtual server references an iRule with the HTTP::header sanitize command.

ID 339524  Improvements have been made to SSL offloading when processing requests with malformed SSL application data.

ID 339586  The pvad service now properly marks nodes as up to allow for full Packet Velocity application-specific integrated circuit (PVA) acceleration.

ID 339735  When attempting to configure Web Cache Communication Protocol (WCCP) between a BIG-IP system and a Cisco Nexus 7000 switch using the Layer-2 routing method, the Cisco switch would log errors stating that the WCCP packet length was invalid. This has been corrected, and WCCP in Layer-2 routing mode now functions properly between BIG-IP systems and the Cisco Nexus 7000.


ID NUMBER  DESCRIPTION

ID 339744  This release corrects the condition that caused Traffic Management Microkernel (TMM) core events that produced a ** SIGSEGV ** that included the following notices: notice fault addr: 0x68 and notice fault code: 0x1.

ID 339847  The msktutil and domaintool utilities no longer crash when run by an unprivileged user, reporting the message glibc detected-msktutil: munmap_chunk: invalid pointer: 0xff920190. The output now correctly reports that the logged on user must be an administrator.

ID 339955  The Configuration utility now correctly updates the /config/bigip_sys.conf file so that ConfigSync or configuration reload does not disable initial network failover configuration.

ID 340407  Basic TCP monitors that are associated with a pool or pool member that is not listening on the monitored port no longer erroneously mark a node up when it is actually down.

ID 340651  This release corrects the condition on VIPRION platforms in which setting the db variable vlan mac assignment to global resulted in some or all of the VLANs receiving a zero MAC assignment, which could cause no traffic to pass on a VLAN. You can now set the db variable vlan mac assignment to global, and there are no longer VLANs with a MAC address of zero.

ID 340696  The system now correctly handles a large number of self IP addresses or VLANs when starting up the ntpd process, and no longer halts with a segmentation violation or related crash.

ID 341217  The system now correctly removes the trailing semicolon (;) and whitespace when removing an HTTP cookie from HTTP header data.

ID 341404  The VLAN group Proxy Exclusion List now correctly loads on secondary blades in a VIPRION cluster.

ID 341414  The system no longer incorrectly uses the CompactFlash card as a swap partition. Now, the system correctly uses a swap partition on the system hard drive.

ID 341655  This release corrects a problem where ARP handling resulted in packet loss under certain packet-delay conditions.

ID 342010  Use of the table keys -subtable iRule command no longer causes a memory leak.

ID 342357  A defect in processing ActiveSync clientless POST operations has been corrected.

    Fixes in 10.2.0

    The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in

    SOL11853: Overview of BIG-IP version 10.2.0 HF1 with the exception of the following Change Requests (CRs):

    CR136629: The performance of queries for pool member and node address statistics.

    CR139372: The High Speed Logging feature and logging binary data.

    After you have installed the software, you can use any of the following configuration options to update your

    configuration.

    CR134037: Corrected fixed-ratio calculations to improve performance and accuracy.

Receive Disable String (RECV drain string) monitor option: The Receive Disable String advanced configuration setting applies to HTTP, HTTPS, TCP, and UDP monitors. You can use a Receive String value together with a Receive Disable String value to match the value of a response from the origin web server and create one of three states for a pool member or node: Up (Enabled), Up (Disabled), or Down. When a pool member or node is Up (Enabled), a new connection can be made. When Up (Disabled), a new connection cannot be made, existing connections become depleted, and maintenance can be performed on the server. When Down, a new connection cannot be made, existing connections are immediately terminated, and maintenance can be performed on the server. Additionally, if you set the Reverse setting to Yes, the Receive Disable String option becomes unavailable and the monitor marks the pool, pool member, or node Down when the test is successful.

RECEIVE STRING MATCHES   RECEIVE DISABLE STRING MATCHES   STATE OF POOL MEMBER OR NODE

Yes                      No                               Up (Enabled)

No                       Yes                              Up (Disabled)

No                       No                               Down (Disabled)

Note: F5 Networks recommends using mutually exclusive values for Receive String and Receive Disable String. If a response matches both values, the monitor indicates the state as Up (Enabled).
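The decision table above, and the drain behaviour introduced in the "Receive Disable String (RECV drain string) monitor option" entry under New in 10.2.0, as an added example that is not F5 code. It applies the table to sample responses so all three states can be checked, including the two cases called out in the text (a response that matches both strings, and Reverse set to Yes) and a sloppily chosen Receive String that defeats draining. BIG-IP treats both strings as regular expressions, which the example mirrors with `re.search`; the responses and the strings are constructed.

```python
"""Receive String / Receive Disable String evaluation, simulated locally.

Added example, not F5 code. The responses and the strings are constructed
for the illustration.
"""
import re
from typing import Optional

UP_ENABLED, UP_DISABLED, DOWN = "Up (Enabled)", "Up (Disabled)", "Down"


def monitor_state(response: str, recv: str, recv_disable: Optional[str] = None,
                  reverse: bool = False) -> str:
    """Return the state the monitor would report for one response."""
    recv_hit = re.search(recv, response) is not None
    if reverse:
        # Reverse = Yes: the disable string is unavailable and a successful
        # Receive String match marks the member Down.
        return DOWN if recv_hit else UP_ENABLED
    if recv_hit:
        return UP_ENABLED          # wins even when the disable string matches as well
    if recv_disable and re.search(recv_disable, response) is not None:
        return UP_DISABLED         # drain: keep existing connections, refuse new ones
    return DOWN                    # existing connections are terminated


# Constructed responses from a health page in each situation.
NORMAL = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nstatus=serving\r\n"
DRAINING = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nstatus=draining\r\n"
FAILED = "HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/plain\r\n\r\nstatus=failed\r\n"
AMBIGUOUS = "HTTP/1.1 200 OK\r\n\r\nstatus=serving (was: draining)\r\n"

# Mutually exclusive patterns, as F5 recommends.
RECV, RECV_DISABLE = r"status=serving", r"status=draining"
# A pattern that also matches the maintenance page: the member never drains.
SLOPPY_RECV = r"200 OK"

if __name__ == "__main__":
    for name, body in (("normal", NORMAL), ("draining", DRAINING),
                       ("failed", FAILED), ("ambiguous", AMBIGUOUS)):
        print(f"{name:10s} {monitor_state(body, RECV, RECV_DISABLE)}")
    print("sloppy     ", monitor_state(DRAINING, SLOPPY_RECV, RECV_DISABLE))
    print("reverse    ", monitor_state(FAILED, r"503", reverse=True))
```

Anchor the Receive String to something the maintenance page cannot produce: matching on the status line alone (`200 OK`) makes the drain string unreachable, because the Receive String match is evaluated first and always wins.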

Configuring logging to RADIUS or TACACS+ accounting servers: This release introduces RADIUS and TACACS+ accounting support, where syslog messages that are written to the /var/log/audit log are forwarded, protected with the configured shared secret, to either a RADIUS (port 1813) or TACACS+ (port 49) accounting server. (RADIUS accounting authenticates each packet with the secret rather than encrypting its contents; TACACS+ obfuscates the packet body.) You can use the Traffic Management shell (tmsh) to configure the RADIUS or TACACS+ components.

To configure the BIG-IP system for logging to RADIUS or TACACS+ accounting servers

1. In the browser-based Configuration utility, navigate to System > Logs > Options and select Enable from the bigpipe list in the Audit Logging section.
2. Using the tmsh utility on the command line, navigate to the /sys module.
3. Within the /sys module, modify the config.auditing.forward.destination component to use an IPv4 or IPv6 address for the destination. For example, to configure a destination IPv4 address of 192.168.10.1, use the following command:
4. tmsh modify sys db config.auditing.forward.destination value 192.168.10.1
5. Modify the config.auditing.forward.sharedsecret component to use a secret string. For example, to configure a secret string called mysecret, use the following command:
6. tmsh modify sys db config.auditing.forward.sharedsecret value mysecret
7. Modify the config.auditing.forward.type component to use either radius or tacacs+. For example, to configure tacacs+, use the following command:
8. tmsh modify sys db config.auditing.forward.type value tacacs+

After you complete these steps to configure RADIUS or TACACS+ accounting support, the system automatically creates a log file in the destination specified.

Note:

If connectivity to the remote auditing server is lost, messages are not transmitted and there is no message-retransmission mechanism. You can still find those messages in the /var/log/audit log on the BIG-IP system, however.

All messages are fully written to the log file on the BIG-IP system; however, on the accounting server, messages are truncated to 255 characters.

When you set the variable type to radius or tacacs+ for config.auditing.forward.type, you must also specify a secret string for config.auditing.forward.sharedsecret. Treat that shared secret as a credential: it is the only thing protecting the forwarded messages in transit, so use a long random value and carry the accounting traffic over a management network you trust.

You must use port 1813 for logging to RADIUS accounting servers, and port 49 for logging to TACACS+ accounting servers.

To disable logging to RADIUS or TACACS+ accounting servers

1. Navigate to the /sys module.
2. Within the /sys module, set the config.auditing.forward.type component to none using the following command:
3. tmsh modify sys db config.auditing.forward.type value none

To customize messages from the audit log to the accounting servers

1. Modify the Tcl procedure called Transform in /etc/syslog-ng/audit_forwarder.tcl. (You must use the exact procedure name Transform.)
2. To have the change take effect, run the command bigstart restart syslog-ng at the tmsh command line.

    Note:

This feature gives you total control over what is sent to the accounting server. However, although you can modify the script in any way to change what is sent to an accounting server, F5 Networks supports only the unmodified script.

A Transform procedure for a customized message must return a transformed string.

Default functionality for a customized message leaves the message unchanged when the Tcl procedure is omitted, the Tcl file does not exist, or an error occurs on evaluation.

    This procedure does not modify messages written to the /var/log/audit file.

Tcl Transform procedure options for customized messages

You can also use the following additional Tcl procedures. These procedures are mutually exclusive, so uncomment only the one you want to use and comment out the other one.

To configure the /etc/syslog-ng/audit_forwarder.tcl script not to send variants of bigpipe show and bigpipe list commands, comment out the top procedure and uncomment the second procedure in the file.

To modify the Tcl script to skip the first 16 characters, comment out the second procedure, and uncomment the third procedure. This eliminates the date and time portion of the message. Since the accounting server truncates messages to 256 characters, this might be useful to include more relevant data from longer messages.
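The Transform variants described above, modeled in Python so you can see what of a given /var/log/audit line actually reaches the accounting server. This is an added example, not the audit_forwarder.tcl script that ships with BIG-IP; the audit lines are constructed, and treating an empty return value as "not sent" is an assumption of this model.

```python
import re

# Added example (not F5's /etc/syslog-ng/audit_forwarder.tcl): a model of the
# three Transform behaviours the release note describes (pass-through, skip
# bigpipe show/list variants, strip the leading 16 characters of date/time)
# plus the truncation the accounting server applies. Assumptions: the audit
# lines below are constructed, an empty result means "not sent", and 255 is
# the server-side limit stated in the note.

ACCOUNTING_MAX = 255
TIMESTAMP_WIDTH = 16

# Constructed sample audit lines in the style of /var/log/audit (not real output).
SAMPLE_AUDIT = [
    "Sep 20 09:15:01 AUDIT - user admin - bigpipe show virtual",
    "Sep 20 09:15:07 AUDIT - user admin - b list pool",
    "Sep 20 09:16:22 AUDIT - user admin - bigpipe virtual vs_app disable",
    "Sep 20 09:17:03 AUDIT - user admin - tmsh modify ltm pool p1 members add { 10.1.1.5:80 }",
]
# A long line: after truncation the tail of the member list never reaches the server.
LONG_AUDIT = ("Sep 20 09:18:00 AUDIT - user admin - tmsh modify ltm pool p1 members add { "
              + " ".join("10.1.1.%d:80" % i for i in range(1, 60)) + " }")

# "bigpipe show ...", "bigpipe list ...", and the short "b" form of the command.
BIGPIPE_READONLY = re.compile(r"\b(?:bigpipe|b)\s+(?:show|list)\b")


def transform_passthrough(msg: str) -> str:
    """Default: the message is forwarded unchanged."""
    return msg


def transform_skip_show_list(msg: str) -> str:
    """Second procedure: variants of bigpipe show / bigpipe list are not forwarded."""
    return "" if BIGPIPE_READONLY.search(msg) else msg


def transform_strip_timestamp(msg: str) -> str:
    """Third procedure: drop the first 16 characters (the date and time)."""
    return msg[TIMESTAMP_WIDTH:]


def as_stored_by_accounting_server(msg: str) -> str:
    """The accounting server keeps only the first ACCOUNTING_MAX characters."""
    return msg[:ACCOUNTING_MAX]


def forward(lines, transform):
    """Run each audit line through a Transform and return what the server stores."""
    stored = []
    for line in lines:
        out = transform(line)
        if out:
            stored.append(as_stored_by_accounting_server(out))
    return stored


if __name__ == "__main__":
    for name, fn in [("passthrough", transform_passthrough),
                     ("skip show/list", transform_skip_show_list),
                     ("strip timestamp", transform_strip_timestamp)]:
        print("==", name)
        for s in forward(SAMPLE_AUDIT + [LONG_AUDIT], fn):
            print(len(s), s[:60])
```

The long line shows why stripping the timestamp matters: with the server-side limit fixed, every character removed from the front is one more character of the command that survives, and for a long tmsh command the truncated tail is exactly the part an investigator later wants. The local /var/log/audit copy is unaffected either way.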

Behavior changes in 10.2.1

ID NUMBER DESCRIPTION

Commands for --instslot and --format in image2disk utility
Beginning in BIG-IP version 10.2.1 and Enterprise Manager version 2.1.0, the image2disk utility --instslot and --format options are mutually exclusive. If you attempt to invoke the image2disk utility specifying both options, the system returns the following error message: Terminal error: You cannot specify the target location when using the format option. You can specify the --format option to perform the formatting and installation operation simultaneously on all platforms except the 1500 and 3400 platforms with 1 GB of memory. For more information, see SOL12561: Change in Behavior: The image2disk utility --instslot and --format options are now mutually exclusive. For information about the 1500 and 3400 platforms, see SOL11396: Error message: Terminal error: System memory of 1 GiB is insufficient for 'format=volumes' with this product image; 1.5 GiB is required.

ID 207411, CR120157
In versions prior to 10.1.0, a null response from an HTTPS service with no receive string would be marked as UP. This behavior changed in version 10.1.0 to require at least one byte of data after SSL negotiation to be considered UP. For more information, see SOL10904: An HTTPS monitor incorrectly marks a node as UP when no data was sent in the server response.

    Behavior changes in 10.2.0

    ID NUMBER DESCRIPTION

CR109429-1 The browser-based Configuration utility increments the total requests statistic for virtual servers only when the virtual server uses an HTTP profile, or when the virtual server is a Performance (HTTP) type.

CR110198, CR127136, CR134054-1
F5 Networks has changed the default behavior for SSL profiles that do not have customized cipher lists. The set of ciphers negotiable by default no longer includes DES-CBC-SHA and all MD5 cipher suites. You can re-enable these ciphers by customizing the SSL profiles' ciphers attribute with the desired ciphers explicitly enabled and/or selecting the appropriate clientssl-insecure-compatible or serverssl-insecure-compatible profile from which to inherit default settings that include the deprecated ciphers. Re-enabling them brings back 56-bit DES and MD5-based MACs, so leave the new default in place unless a specific legacy peer cannot negotiate anything else.

CR131461 In version 10.2.0 when you boot from a DVD, thumb drive, or Pre-boot Execution Environment (PXE) server, the system presents a menu. You can press Enter to initiate an installation operation. The system indicates that you can also use Ctrl+C to access the command line shell to perform additional installation operations. In version 10.2.0, however, when you use Ctrl+C at this point, the system leaves a boot partition mounted, which causes all subsequent installation operations to fail. For more information about the known issue and its workaround, see Manufacturing installation menu and Ctrl+C to enter Bash (CR138343). In previous releases, the system did not present the menu, but instead presented the command line shell immediately.

CR135199 The BIG-IP products support an extensive range of SSL ciphers. You can find an overview of the SSL ciphers BIG-IP systems support in SOL8802: Overview of SSL ciphers supported in BIG-IP systems, and an updated list of all SSL ciphers supported on the BIG-IP product in SOL6808: SSL Ciphers supported on the BIG-IP 1500, 1600, 3400, 3600, 3900, 6400, 6800, 6900, 8400, 8800, and 8900 platforms.

CR135548-1 When you create a new TCP, HTTP, or HTTPS monitor in version 10.2.0, you must include \r\n at the end of a non-empty Send String, for example GET /\r\n instead of GET /. If you do not include \r\n at the end of the Send String, the TCP, HTTP, or HTTPS monitor fails.

Communication between BIG-IP or 3-DNS version 4.x and version 10.1.0 or later
A 3-DNS Controller or BIG-IP system running version 4.x cannot communicate with BIG-IP systems configured with version 10.1.0 or later. For more information, see SOL11106: Change in Behavior: iQuery communication is not supported between BIG-IP or 3-DNS version 4.x and BIG-IP LTM or GTM version 10.1.0 or later.

VLAN failsafe timeout value behavior change
In software versions 9.x, the system did not enforce a minimum value for the VLAN failsafe timeout value. Beginning in version 10.0.0, the minimum allowed VLAN failsafe timeout value is 10 seconds. Before you upgrade from version 9.x to version 10.x, F5 Networks recommends that you change your VLAN failsafe timeout value to 10 or greater in order to ensure a successful configuration load after the upgrade has been completed. For more information, see SOL7066: Overview of VLAN failsafe.

    Known issues

    ID NUMBER DESCRIPTION

CR55926 If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second restart and failover. Also, this does not apply to Fast L4 profiles.

CR79065, CR83552, ID 250921, ID 251174, ID 319551
When, due to time-to-live (TTL) exceeded, the BIG-IP system drops IPv6 traffic being sent through a network virtual server or SNAT, the BIG-IP system responds with a destination-unreachable ICMP6 message. The BIG-IP system's IP address should be listed as the source in the ICMP response, and the client IP address should be listed as the destination. However, the BIG-IP system incorrectly reports the dropped IPv6 packet's destination address as the source address of the ICMP6 response. The result, from the client's perspective, is that the BIG-IP system does not show up as a hop; the server is seen in place of the BIG-IP system.

CR80191 In order to change the baud rate when you are using a serial terminal console server on the VIPRION platform, you must follow a specific sequence to change the baud rate in three places, or you can lose communication with the system.

1. On each blade in the system, run the following command: bigpipe baud rate. Make sure to complete this change on all blades in the system before proceeding to step 2.
2. Next, change the Serial Port Redirector (SPR) baud rate by pressing ESC ( to access the SPR Command Menu. When the menu opens, select B -- Set baud rate, and select from the six settings displayed.
3. Finally, change the baud rate of your serial terminal server. The syntax for completing this step varies depending on the terminal server you are using, so you should consult your serial terminal server documentation for more specific information.

CR83207 If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status.

CR80078-1, CR128607
If you replace a copper (Cu) small form-factor pluggable (SFP) with a fiber SFP, the link might remain down, even when connected to an active peer. The workaround is to issue a bigstart restart bcm56xxd command.


CR85137 If you run the b ntp servers delete command when no such Network Time Protocol (NTP) server exists in the configuration, the system adds the server. The workaround is to make sure the server exists before trying to delete it.

CR87863 If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. To work around the situation, log on to the system as the root user or as the admin local user.

CR90249, ID 227304
The Multiple Spanning Tree Protocol (MSTP) specifies that the system handles spanning tree packets in accordance with the MSTP protocol. When you create a new MSTP configuration on the system, the new MSTP configuration name is not retained following a system reboot or after running the bigstart restart command. For more information, see SOL8212: The BIG-IP LTM does not retain the MSTP configuration name following a reboot.

CR91719 If you have duplicate names for SNATs in the bigip.conf file, the pvad service restarts and writes out a core file. To work around this situation, make sure each SNAT in the configuration has a unique name.

CR92541 When RAM cache calculates the amount of memory available or allowed, it should take CMP into account. In this release, RAM cache does not take CMP into account.

CR93185, CR116200
Many load balancing methods are implemented so that the system divides the connection limit among running Traffic Management Microkernel (TMM) services. If you set the connection limit to low values, the results you see might not be what you expect. For example, some nodes might receive more connections than you expect, and other nodes that you expect to receive connections might not receive any. These apparent anomalies are discernible only with small numbers of connections, and disappear with large numbers of connections.

CR94039 When the pvad service queries a very large number of objects (for example, 2000 nodes), the pvad service might use as much as 27% of CPU. This condition is intermittent, and might have other requisites. There is no workaround.

CR96888 Occasionally, a system restart might result in the system posting to the console messages of the following type: sshd(pam_audit)[4559]: user=root(pqizzjl1l) tty=/def/pts/1 host=172.17.251.100 attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008". sshd(pam_audit)[4559]: 01070417:0: AUDIT - user root - RAW: sshd(pam_audit): user=root(pqizzjl1l) tty=/def/pts/1 host=172.17.251.100 attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008". These messages occur when the system shuts down logging to the syslog-ng file before all users who are logged on have logged off. Should this error occur, when the system comes back up, you can use the boot marker in the audit files to confirm that the system logged out the remaining users.

CR97188 Running the command b persist show on a cluster might return incomplete results in certain avoidable situations. To ensure complete results, leave the bigpipe shell read partition at all, and log on as a user who is authorized to view all partitions.

CR97299-1 The Status LED briefly shows green on power up. The LED should be blank or amber. Early during initialization, the software sets the LED color to amber, and finally to green once cluster quorum is reached. You can safely ignore the transient green LED on power up.

CR98536 When you are using Fast L4 profiles, make sure to set the PVA Acceleration setting to None if you also specify the Mimic setting for IP ToS to Client or IP ToS to Server. Otherwise, the system cannot perform the mimic functionality.

CR100240 When the bd process restarts, the system stops all internal connections. If the next event that arrives on a halted connection is an HTTP request, the attempt to disable the plugin in HTTP_REQUEST fails, which logs a Tcl error to the /var/log/ltm file. This is a benign error message that you can safely ignore.

CR102064 The b config check all command returns different results depending on whether you run the command on a chassis (such as a VIPRION system) or an appliance (such as a BIG-IP 6900). On a chassis, the system returns the message No reports have been received. On an appliance, the system returns a response similar to the following messages: DAEMON STATUS bcm56xxd Configuration OK at 14062d 21:07:29 Last error at 14062d 21:07:29 Message: Received remote heartbeat registration message: pid=8714, timeout=60

CR102918 When you click the Clear Performance Data button in any view, the operation clears data for all historical statistics, not just the data for the specific view you are in.

CR103199 When you specify the cluster management IP address, the netmask defaults to /32, or 255.255.255.255. In order to use cluster member addresses, the netmask must be no more than /30, or 255.255.255.252. Always specify the netmask when specifying the cluster management IP address if you plan ever to use cluster member addresses. That way, the address always gets set correctly, and you can configure the cluster member addresses on the same network.

CR103500 The 10.x installer creates four volumes by default, which differs from the two partitions that the 9.3.x and 9.4.x installer created.

CR104124 When you are on the license summary general properties screen and you refresh the browser after you reactivate a license, the system prompts you to log on again. There is no workaround for this issue.

CR104327, CR114895
If you install the 9.6.x version of the software on a volume that uses a nonstandard name (for example, HD.pc1 rather than HD1.1), you cannot access that volume using version 9.6.x of the software. To access volumes named in this manner, use version 10.x software.

CR104468, CR115056
The system does not prevent you from deleting all volumes, including the active volume, using the b software desired command. Doing so causes the system to boot into another location. To prevent potential system access problems, do not use the command line to delete the active volume.

CR104583, CR108667
Beginning with version 10.0.0, the system reports module memory mixed in with memory used by all processes. To determine actual memory usage, you must use standard Linux commands, such as ps, top, and other similar commands.

CR104647 On a VIPRION system with the active volume set above HD1.4, if you then add a blade that has 9.6.x installed and active, the system does not run the installation on the 9.6.x blade to bring it into the cluster. This occurs because 9.6.x is hardcoded to support volumes 1 through 4 and cannot dynamically create new volume sets. To work around this issue, make sure all blades you want to add are running 10.x, or use a volume set between 1 and 4.

CR105032 When you specify the host name for the b ntp servers add command, the system returns false positives when translating the host name to an IP address. The workaround is to add Network Time Protocol (NTP) servers using an IP address instead of a host name.

CR105101 If you use the high availability setup wizard and specify settings, when you click the Previous button, the system clears all the values you specified, so you must re-enter the values.


CR105216 When you are logged on to a cluster management address, and you or another user subsequently promotes one of the secondary blades to the primary, you and the other user might need to log on again.

CR105234 When you have the dashboard window open, the browser session never times out, so do not leave the dashboard open on an unattended workstation. When you close the dashboard window, the timeout interval takes effect again.

CR105511 If you configure secondary self IP addresses for a vlan/domain, the system uses the wrong self IP address for monitoring. In a typical scenario, the system uses the IP address that you created first as the primary IP address for monitoring. However, IPv6 in the Linux kernel does not set a preferred source by default. Because Linux treats routing domains like it treats IPv6 addresses, the Linux kernel does not set a preferred source. There is no workaround for this issue.

CR105604 If you reset the Host on a platform that contains an SCCP after the system has completed initialization, the system attempts to PXE boot, making DHCP requests repeatedly and indefinitely. The workaround is to first use the SCCP Command Menu option 2 to put the SCCP into the proper state, and then reboot the system. You can also recover by powering the unit off and back on again.

CR105627 In a redundant system that has Local Traffic Manager provisioned on both units and Global Traffic Manager provisioned on only one unit, you must provision Global Traffic Manager on the second unit. Failure to do so risks Global Traffic Manager becoming unprovisioned or unconfigured after a ConfigSync operation.

CR105797, CR114073
When you use the Software Management screens in the Configuration utility or the b software commands on the command line to create a volume on a system hard drive that is formatted using the partitioning scheme, the system appears to try to create the volume, but the operation fails. The system should alert you immediately that you cannot create a volume on a partitioned system hard drive. In general, the software does not support use of the volume management screens on systems that use the partitioning drive-formatting scheme.

CR106378 The system counts route domain health check traffic as part of IPv6 traffic statistic totals. If your configuration has a monitor on a pool in a routing domain, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics freeze (assuming there is no actual IPv6 traffic). There is no workaround for this issue.

CR106750 When you reboot a system from the serial console, the system reports the following message during the shutdown sequence: modprobe: modprobe: Can't locate module tun6to4... This message is benign, and you can safely ignore it.

CR106828 A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. The user can manipulate the controls, and select different settings. However, the system does not accept the change.

CR106830 This release supports only network failover for chassis-to-chassis failover on the VIPRION platform. Do not configure hardwired failover using any failover cable included with the VIPRION platform you received.

CR107046 The system requires a user to log on again after changing a password to the same password as the one previously configured. There is no workaround for this issue.

CR107415 Unlike in SSL profiles, the system does not validate keys and certificates used for SIP and HTTPS monitors. That means that you can specify non-matching or invalid keys and certificates. There is no checking on the command line or in the browser-based Configuration utility to make sure keys and certificates are valid and usable. Check the pair yourself before you reference it in a monitor (for example, by confirming that the public key in the certificate is the one derived from the private key), because a mismatch shows up only as a monitor that never succeeds.

CR107443 If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server.

CR107852 On BIG-IP 8400 and 8800 platforms, IPv4 fragments of a large User Datagram Protocol (UDP) datagram will be incorrectly modified at offset 6 from the end of the IP header (the location that would be the UDP checksum if the fragment were a full UDP datagram) from 0xffff to 0x0000. Although there is no workaround for this issue, it is not a common case.

CR107874 The VIPRION platform may experience a kernel panic and reboot following an upgrade to BIG-IP version 10.0.0. This issue occurs if the system is running BIOS firmware earlier than build 461, and the VIPRION unit is upgraded to version 10.0.0 with the management interface connected to a subnet with live traffic. For more information and a workaround for this condition, see SOL10016: A VIPRION kernel panic occurs following an upgrade to BIG-IP version 10.0.0.

CR107883 This release does not support USB CD-ROM or DVD-ROM drives that exceed the high-power USB current specification of five unit loads (500mA) per port.

CR107927, CR110084
Linux represents long VLAN names using the first 13 characters and an appended ~1. If you use the Linux system command ifconfig to retrieve the interface configuration of a VLAN with a name longer than 9 characters, the operation truncates the name to 8 or 9 characters. To work around this issue, use the ip addr show command to retrieve the VLAN using the IP address.

CR108434 Beginning with version 10.0.0 of the software, a redundant system configuration must contain failover peer management addresses for each unit. If you roll forward a redundant system configuration from 9.3.x or 9.4.x, the units start up in an offline state because each one needs a failover peer management address. Configure the failover peer management addresses on the System > High Availability > Network Failover menu. Specify the management IP address of the peer unit in the Peer Management Address field. Then do the same on the other unit in the redundant system. Once you specify both IP addresses, the system should operate as expected.

CR108728, CR113440
In the browser-based Configuration utility, if you try to set the provisioning level to Dedicated on a module when another module already has the Dedicated provisioning level, the system allows the change and sets the provisioning level to None on all other modules. When you use the command line for the same operation, the system presents an error: When a Dedicated provision level is set, all other module's provision levels must be set to None. To accomplish the change, you can use the Configuration utility, or you can use the command line to set the provisioning level to None for all other modules, and then set the Dedicated provisioning level on the module you want to configure. To do so, use the tmsh utility to issue the following commands inside one transaction (the module-name placeholders did not survive in this copy of the note; in each modify command the module name goes between provision and level):

(tmos)# create transaction
(tmos)[batch mode]# modify sys provision level dedicated
(tmos)[batch mode]# modify sys provision level none
(tmos)[batch mode]# submit transaction


CR108819 The BIG-IP 8800 platform supports a maximum of 30,000 monitors in a single configuration. If you create more than 30,000 monitors, the BIG-IP 8800 might halt in a switchboard-failsafe state when you load the configuration.

CR108965, CR114966
When a user is logged on, if you use the b config install, b import, or b config sync commands, or when performing a ConfigSync operation in the Configuration utility to load a configuration that contains the same user, but with a different password, the system does not log off that user. After that user logs off, or when that user's session times out, that user must use the password from the new configuration to log on. If the password change is meant to revoke access, end the user's existing session explicitly rather than relying on the new password to do it.

    CR109131 On a system whose drives are formatted as volumes, on the Resource Provisioning screen in the CurrentResource Allocation area, there is a section that displays Disk provisioning; if the drives are formatted aspartitions, there is no Disk provisioning section. However, if you issue the b provision command on the

    command line, the results show a column for disk provisioning information.CR109230-1 If you attempt to mirror virtual servers that have RAM Cache enabled, depending on the cache state, the

    system leaks the connection on the standby unit when the connection is closed on the active unit.

    CR109301 If you have state mirroring enabled, when you upgrade one unit of a redundant system, the system postmessages until both systems are running the same version of the software. tmm tmm[1917]:

    01340001:3: HA Connection with peer 10.60.10.3:1028 established. There is noworkaround for this condition. Both units in a redundant system must be running the same version of thesoftware.

    CR109381 After a b import default operation, the prompt is set to reboot, but the operation does not instigate the rebootoperation on the primary blade, although it does on the secondary blade. This is intentional behavior: theoperation causes a reboot on secondary blades, but the primary blade does not reboot automatically in thiscase. To activate the imported configuration, reboot the primary blade.

    CR109472 Beginning with version 10.0.0, you no longer need the hotfix uninstall packages. Instead, you can use the bsoftware commands to change the revision level of any 10.x image location to a higher or lower revision. Formore information, see the man page for the b software command, available on the command line by typingman software.

    CR109834 When a system timeout occurs, the system grays out the screen behind the timeout alert box. Although you

    can access the browser window scroll bars to view the contents of the grayed-out screen, none of the optionsare active.

    CR109917 When you delete an interface that is configured for interface mirroring, the system halts mirroring on all otherconfigured interfaces. To work around this issue, when you delete an interface-mirroring configuration,recreate the configuration using all interfaces. As an alternative, after deleting an interface, save theconfiguration and issue the command bigstart restart.

    CR110014 The secondary blades in a chassis log messages using the user name mcpd-primary. That means thatwhen the root user issues certain commands on the primary blade, such as one to disable a virtual server, thesystem logs messages similar to the following: Oct 21 13:29:39 slot4/prd-061 alert mcpd[2415]: 01070921:1:Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'root'. Oct 21 13:29:39slot3/prd-061 alert mcpd[11909]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common'disabled by user 'mcpd-primary'. Oct 21 13:29:39 slot1/prd-061 alert mcpd[27136]: 01070921:1: Virtual Server'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'. These messages accuratelyrepresent the action taken and the origin of the command, and do not indicate an error condition.

    CR110269 In version 10.0.0, when attaching a child class to a parent class, the system takes into account the rate of theparent class when verifying that the parent's rate ceiling is not exceeded. Now, the sum of a parent class' rateand child classes' rates cannot exceed the parent's rate ceiling. In previous releases, the system allowed the

    parent's rate to be, at most, equal to the rate ceiling, regardless of the rates of the child classes. This couldhave led to oversubscribing the configured rate ceiling in certain cases where traffic was assigned directly to aparent class. If you are rolling forward a configuration from a previous build, a quick workaround is to set therates of all parent classes to 0bps by running the following command: bigpipe rate class rate 0bps. As a general rule, avoid assigning non-zero rates to parent rate classes.

    CR110761,CR113485

    There is a new iRules feature that provides support for suspending a running iRule (for example, with the aftercommand). If you are running an indefinite collect operation (that is, the iRule is running a ::collect commandwith no arguments), and in response to a CLIENT_DATA event the iRule processes the payload to a certainpoint and then suspends iRule operation, when iRule operation resumes and the iRule issues a ::releasecommand, the operation might release more data than the iRule processed. Specifically, data that arriveswhen the iRule is suspended does not trigger an additional CLIENT_DATA event. Here is an example of howto ensure that an iRule releases only the data that it has already processed: before running any command thatsuspends a running iRule, have the iRule save the ::payload length in a variable. When iRule operationresumes, have the iRule issue a ::release $payload_length command. You can find extensive informationabout iRules on the Dev Central web site, available at http://devcentral.f5.com/.

CR110791 If you deprovision a module, the system does not remove the configuration attributes associated with the module. Some configuration data, such as endpoint attribute definitions for the WAN Optimization Module, might interfere with Local Traffic Manager tunnel operations. In this case, when the definitions for endpoint advertised route, endpoint local, and endpoint remote remain in the configuration after deprovisioning the WAN Optimization Module, the Local Traffic Manager tunnel resets connections that were established when you had the module provisioned. As a workaround, remove the definitions from the bigip.conf files on both BIG-IP systems.

CR111495 Version 10.0.0 of the software introduced new ha actions that the upgrade process cannot easily map to the previous version's ha actions for daemon heartbeats. If you changed the ha actions for a daemon heartbeat, the upgrade process returns the action to the default. After the upgrade installation finishes, you can configure the daemon heartbeat ha actions you want (in the Configuration utility, System > High Availability > Fail-safe screen). Check these settings after each upgrade; an action that silently reverted to the default changes how the system responds when that daemon fails.

CR111700 When a user configured for one role is logged on to the browser-based Configuration utility, and you change that user's role to another type, also using the Configuration utility, the system logs off that user. When that user logs back on, the system writes to the catalina.out file error messages such as com.f5.mcp.io.McpIOException: java.io.EOFException: Error while reading message at. These messages are benign, and you can safely ignore them.

    5 | Release Note: BIG-IP LTM and TMOS version 10.2.1 http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/p

    22 9/20/2011


CR112077 The system requires that you run the Setup utility in the browser-based Configuration utility, even if you have already configured the system using the command line. This occurs because there is a hard-coded requirement for the Setup utility to run at least once. You can prevent the Setup utility from running by running the following command: b db setup.run false. Set this only on a system you have already fully configured from the command line, so that no initial setup step is skipped.

CR112120 When you create a pool in one partition that includes a node from the Common partition, if the node has no associated screen name, when that node is referenced from a third partition, the system posts the error 01070726:3: A pool may only reference nodes in the same partition or the common partition (xyz_pool:1.1.1.1) and removes the node from the Common partition. The workaround is to add a screen name to the node. To do so, at the command line, issue a command similar to the following example: b node 1.1.1.1 { screen dontremove }

CR112128 The help frame crops the right edge of some of the formula definitions on the Performance statistics screen. As a workaround, you can click the Launch button to view the full text.

CR112411-2 The version 10.1.0 release contains the new OpenSSH client and server, which addresses the vulnerability Plaintext Recovery Attack Against SSH, reported as CPNI-957037 (CVE-2008-5161). When an older client connects to the new server, however, the vulnerability still applies, because the older client can negotiate the affected CBC-mode ciphers. If you are still using old SSH clients, manually set those clients' cipher lists to include only CTR ciphers. To use only CTR ciphers for the OpenSSH client, include the following option on the command line: -c aes128-ctr,aes192-ctr,aes256-ctr (or set the equivalent Ciphers aes128-ctr,aes192-ctr,aes256-ctr directive in the client's ssh_config).

CR112953 When you start or stop the tcpdump utility on a VIPRION system, the system logs messages similar to the following entries in the /var/log/ltm file: slot1/tmm warning pu[24652]: 01230114:4: port movement detected for 00:01:23:45:67:10, vlan tmm_bp - 0.0 to 0.1. These messages are benign, and you can safely ignore them.

CR113055 If you issue the commands b cluster all ha state or b cluster default ha state, the system always returns the result offline. This is because there is no cluster ha state to report. To get the state of a system, you can use the browser-based Configuration utility. The system displays the state at the top of every screen.

CR113134-6 Occasionally, when you create an installation repository on a USB thumb drive from the BIG-IP system, the operation fails while copying the repository files to the thumb drive. (The failure might also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) When the failure occurs, the system reboots and writes a log entry similar to the following in the /var/log/ltm file: Dec 10 11:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured: 8060 ms). The workaround is to create the installation repository on a USB thumb drive using a Linux workstation, as documented in the BIG-IP Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is actively in production, to prevent the potential failure from affecting live traffic.

CR113322 On a system with a very large persistence table (millions of entries), running the command b persist show might cause the system to become unstable or fail over. To show an individual record, you can use the command b persist client show.

    CR113601 The Templates and Wizards menu does not change even when templates are not available under the license.

CR113812 If you use wildcard characters to specify IP addresses in the b httpd allow command, the result is that the system forbids all access to the browser-based Configuration utility, including from the addresses you intended to allow. The workaround is to use other forms of specifying IP addresses. For example, b httpd allow 10.10.*.* does not work; instead use a command similar to b httpd allow 10.10.0.0/255.255.0.0.

CR113919 If you are in a partition other than Common when you reactivate a license, the system automatically changes the partition to the Common partition. There is no workaround for this issue.

CR114167 Invoking a TCP::collect method from the SERVER_CONNECTED iRule event might cause associated connections to stall and time out when running the tmm.debug daemon. This should not affect typical deployments, since the tmm.default daemon behaves as expected in this configuration, and an administrator must explicitly configure the Traffic Management Microkernel (TMM) to use debug mode. Note that you should set TMM to debug mode only when requested to do so by an F5 Technical Support representative. The F5 Networks Technical Support representative will ensure that your system stays stabilized in this mode and will assist you in interpreting the debug output.

CR114381 Configuring a virtual server for multicast communications inside a route domain does not work. Do not configure a virtual server for multicast communications inside a route domain.

CR114766 When the license expires, if you are on the License Summary page on a partition other than Common, the system automatically returns you to the Common partition, but does not activate the Reactivate button. The workaround is to select a different partition and then reselect the Common partition. This should reset the Reactivate button to an active state.

CR115139, CR130414 Do not use the b software add | delete commands on a partitioned system. Doing so results in access errors on the partitions. For example, if you try to delete an existing partition using the b software delete command, the system posts a failed to delete volumeset error. In this case, run the command b software product none version none build none on the partition. This removes the installation from the partition, and you can install the software again. If you try to add a partition using the b software add command and see a failed to create volumeset error, run the command b software delete on the partition you tried to create. This removes the failed attempt from the Software Status table, so you can try your installation operation again.

CR115326, CR115328 You should not use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event. This can result in a handshake failure, because the CLIENTSSL_CLIENTCERT event can fire before the connection is ready for the transmission of user data.

CR115670 If you add a user, either explicitly or by restoring a user configuration set (UCS) file that contains the user, and that user has different access or role settings, the system reports an error similar to the following: Nov 6 09:02:08 slot4/p4-019 err mcpd[3533]: 0107082a:3: Disconnecting user yyy2 on change of user role data (partition:Common->PartitionOne). This is a benign message, and you can safely ignore it.

CR115736 The system does not honor the Maximum Transmission Unit (MTU) value for VLANs. To get the value to persist, delete the VLAN first, then recreate it with the settings you want. After the configuration is saved, the settings persist. Otherwise, the system uses the default MTU value of 1500.

CR115774 If you move blades between a chassis running software version 9.6.x and a chassis running 10.x, the 10.x system might report incorrect volume information about the blade that came from the 9.6.x chassis. F5 Networks does not recommend switching blades between chassis running differing versions of the software.

CR115916 There is an extremely rare chance that, if the high-availability mirroring connection fails and recovers, the result might be a new persistence record and an expired record using the same key to send their respective messages. For example, if a record comes in that would have matched an old one on the active system, it is possible that the old record's expiration action might arrive after the new record's update action. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record.

CR116108 USB 1.1 CD-ROM drives are not supported on the BIG-IP 8900 platform.

CR116929 Because the CompactFlash media drive is not a valid installation target, the system should prevent you from selecting it. However, this version of the software allows you to target a CompactFlash drive. If you accidentally installed to the CompactFlash drive, the system posts a failed to install state for the CompactFlash drive. The workaround to return to the original state is to issue the command b software CF1.x product none version none build none and then issue the command bigstart restart lind on the command line.

CR117427 In this version of the software, you cannot use Global Traffic Manager to monitor or send traffic to any virtual servers that are in a route domain. Therefore, Global Traffic Manager is not supported to run on a Local Traffic Manager system that is using route domains.

CR117428 If you are using the ZebOS advanced routing modules, it is important to consider the following:
- Dynamic routing is supported on interfaces in the default route domain. The advanced routing modules cannot access interfaces, self IP and virtual addresses, and static routes in non-default route domains. A static route is considered as belonging to a non-default route domain if either the destination or the nexthop gateway address belongs to a route domain other than the default route domain.
- All routes learned by way of dynamic routing protocols are inserted into the routing table for the default route domain only.
- With respect to advertising routes, virtual addresses, or self IP addresses to other routers, the advanced routing modules advertise only those routes or addresses that are in the default route domain. As previously stated, the advanced routing modules are not aware of routes or addresses in other route domains.

    CR117429 The route domains feature does not support IPv6-formatted IP addresses in this version of the software.

CR117430 Some command line diagnostic tools, such as curl and traceroute, do not work with route domains.

CR117431 Custom monitors that are not IPv6 aware (for example, EAV (Extended Application Verification) monitors) do not work with route domains.

CR117480 There is the possibility of a failed version 9.4.7 installation when installing on a system that also contains version 10.x software. When the failure occurs, the last three lines in the /var/tmp/install/session.log file are: install.error: An installation error has occurred; code 130 install.debug: Session ended install.error: Critical failure; no fallback possible. To work around the issue, you can use the PXE or thumb-drive methods to install the software.

CR115798 The small form-factor pluggable (SFP) ports on BIG-IP 8900 platforms are 10Gbps-only ports. On a BIG-IP 8900 platform, an SFP+ module can operate at 1Gbps speed in an SFP slot, but SFP modules do not operate at 1Gbps speeds in an SFP+ slot. This is a hardware constraint.

CR117359 Do not use the b sshd include parameter without assistance from the F5 Technical Support team. The system does not validate the sshd configuration directives passed through the include parameter, so a mistake goes straight into the running SSH server configuration. If you use this parameter incorrectly, you put the functionality of the system at risk.

CR117809 If you run the grub_default -d command to view the boot configuration information of the grub.conf file, the initial arrow key press moves the menu selector highlight two spaces instead of one. After the initial key press, the arrow keys operate normally when maneuvering (meaning that if you press an arrow key once, the highlight moves one space in the arrow direction).

CR118049 Enterprise Manager software versions 1.2, 1.4, 1.6, and 1.7 do not support BIG-IP system software version 10.0.0. There is no workaround for this issue.

CR119247-1 When you swap a blade to the same slot in a different VIPRION chassis, the system uses VLAN MAC addresses based on the old chassis. The workaround is to avoid moving a blade to the same slot in another chassis. If necessary, shift blades around in the target chassis so that the incoming blade always goes into a slot that is different from the one it came out of.

CR120321 After installing, you might see a message similar to the following in the ltm log file: Apr 23 11:38:16 slot3/p4-019 err clusterd[2707]: 013a0004:3: Error deleting cluster mgmt addr, HAL error 7. This message is benign, and you can safely ignore it.

CR120550 This version of the software supports systems with multiple drives using the RAID disk management operations. We have not removed the sparedisk utility, which was included in version 10.0.1 to support operations on multi-drive systems. The workaround is to use the RAID features for these types of operations. You should use the sparedisk utility only on version 10.0.1 systems. For related issues, see the known issue for CR120550, CR127003, and CR138582.

CR120190-2, CR127965-2 Do not use the --nomoveconfig option with the image2disk command (or the db variable LiveInstall.MoveConfig set to disabled) for systems with existing installations of Application Security Manager. Doing so removes all content from the associated database. Instead, you should ensure that the configuration on the installation source matches the one on the installation destination. To do so, save the UCS configuration file on the location you want to preserve, and apply that configuration to the destination before beginning the installation operation. Here are the steps to perform.
1. Boot into the location containing the configuration and database you want to preserve.
2. To save the existing configuration and database, run the command bigpipe config save.
3. Copy the .ucs file to a secure, remote location.
4. Boot into the location you want to update.
5. To move the configuration and database to the target installation location, run the bigpipe config install command on the saved .ucs file.
6. Install or upgrade the software using procedures described in the section Installing the software.


CR120828 When you roll forward a 9.x user configuration set (UCS) file that is configured for Application Security Manager and Global Traffic Manager, provisioning for Global Traffic Manager is not enabled. To enable Global Traffic Manager using the browser-based Configuration utility, in the navigation pane, expand System, and click Resource Provisioning. In the Module Resource Provisioning section, select the provisioning level you want from the Global Traffic (GTM) and Link Controller (LC) drop-down lists.

CR120943 If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information about locating and removing an unneeded mysql database volume, see the associated Solution in the AskF5 Knowledge Base.

CR120550, CR127003, and CR138582 On 6900 and 8900 platforms, the RAID functionality supersedes the sparedisk utility, which was provided in version 10.0.1 to support operations on multi-drive systems. The 8950 and 11050 platforms do not support the sparedisk utility, although the utility is present on those platforms as well. In this version of the software, although you should not use the sparedisk utility for any operation, F5 Networks has not removed the utility. Running various commands (for example, making a disk active using the command sparedisk -m) can result in an unstable disk situation. Instead, you should use the RAID features for all multi-disk operations. You should use the sparedisk utility only on 6900 and 8900 platforms running version 10.0.1.

CR121134 The 8900 platform comes with a post-10.0.0 version of the software installed on both hard drives. If you decide to downgrade to version 10.0.0, the software installs correctly. However, the version 10.0.0 software management scheme was not designed to work with a second hard drive. If you downgrade to version 10.0.0 on the second hard drive, do not operate on the second hard drive using the b software commands or the Software Management screens in the browser-based Configuration utility.

CR122160 If there are static Address Resolution Protocol (ARP) entries targeted to the management network in either the existing configuration or in the configuration being installed or used in a ConfigSync operation, the configuration may fail to load. To work around the issue, first delete any static ARP entries targeted at the management network and then complete the configuration load or ConfigSync operation.

CR119132, CR125534, ID 222400 Depending on what processes run after restarting the system, you might see the following error message: warning process `' is using deprecated sysctl (syscall) net.ipv6.neigh.tmm0.base_reachable_time; Use net.ipv6.neigh.tmm0.base_reachable_time_ms instead. This is a benign message, and you can safely ignore it.

CR125790 After deprovisioning modules, the system might run sluggishly or respond slowly to commands. The system returns to a normal operational state after approximately 1 minute if you leave the system to recover, or approximately three minutes if you run commands during this time. The slow response time occurs while the system recovers virtual memory after a deprovisioning operation.

CR125800 The iRule statistics counters inaccurately report an inflated number of iterations of an iRule when an iRule event suspends. There is no workaround for this issue.

CR126842-1 On platforms equipped with Packet Velocity application-specific integrated circuit (ASIC) version 10 (PVA10), specifically the BIG-IP 8400 and BIG-IP 8800 platforms, the client-requested TCP maximum segment size (MSS) may not be honored if the PVA10 is in hardware syn-cookie mode. This can result in a larger-than-requested MSS being set with the back-end server, causing the server packets to be dropped before reaching the client. This problem occurs because of a problem in the PVA10 hardware. To avoid this problem, disable hardware syn cookies by setting the connection threshold to 0 (zero) by running the following command on the system command line: b db Pva.SynCookies.ConnectionThreshold = 0.

CR126976 If you run the tcpdump utility from a PB100 blade on a VIPRION chassis containing a mix of PB100 and PB200 blades, the process does not show packets from the PB200 blades. To work around this issue, run the tcpdump operation from the PB200 blade.

CR127003 Although you should not use the sparedisk utility in this version of the software (see known issue CR120550), the utility remains in the software. If you run the command sparedisk -m, the system marks an active disk as a spare disk without notice or warning. Changing the active disk to a spare can result in an unstable disk situation. The workaround is to use the RAID features for these types of operations. You should use the sparedisk utility only on version 10.0.1 systems.

CR127123 Every time you run a b load command on 1600, 6900, and 8900 platforms, the system posts a message similar to the following: local/tmm3 notice tmm3[19557]: 01010029:5: Clock advanced by 112 ticks. This message is a diagnostic message only, so you can safely ignore it.

CR127332 As of version 10.1.0, the system no longer supports user accounts with custom home directories. If you upgrade a configuration containing user accounts with custom home directories, after reboot the system becomes inoperative because it cannot load the configuration. You can prevent the issue before upgrading by running the following command to change the user's home directory, or you can run the following command after upgrading to recover from the error condition: tmsh modify auth user home-dir /home/

CR127435 When you run the image2disk utility from the Management Operating System (MOS) of a system, the process has no active configuration to use for installation, so the operation halts with an error: error: No configuration found in HD1.1 (location looks empty). Use '--nosaveconfig' if appropriate. To work around this issue, run the command again, and specify the --nosaveconfig option.

CR127754 When you use the Weighted Least Connections (Node) load balancing method, you must set a connection limit for each node prior to adding the pool member to the pool. In this release, you must use the following process to accomplish this.
1. Create a pool that uses the Weighted Least Connections (Node) load balancing method.
2. Explicitly create the node entries for the pool members on the Local Traffic > Nodes > Node List (create) screen.
3. For each node, specify a value other than 0 (zero) in the Connection Limit box.
4. Return to the pool configuration screen by clicking its link in the Local Traffic > Pools > Pool List.
5. Select the Members tab and add the pool members to the pool, using the same IP addresses as the nodes that you configured in the earlier step.
If you fail to specify the connection limit for the node prior to adding the pool members, the system presents a configuration validation error.


CR127803 When you view the Software Management List screen or the result of the b software desired show command, you might see the CF designation that represents the CompactFlash drive listed as a possible installation destination. 10.x installation is not supported on the CompactFlash drive, so do not select it as an installation target. This happens only on systems with drives using the partitioning formatting scheme.

CR127971 When a drive is replicating or being added or removed in the Management Operating System (MOS), the md operation outputs all its status to the terminal, which can make it difficult to perform recovery operations, such as removing or adding a drive. The workaround is to wait for the replication operation to complete before performing recovery operations.

CR128272 When you specify any method other than Round Robin for load balancing traffic from virtual servers configured with RADIUS, Diameter, or SIP profiles, you can see unexpected results, such as the system sending most of the t