
AskF5 | Release Note: BIG-IP LTM and TMOS version 10.2.

http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/r...


Release Note: BIG-IP LTM and TMOS version 10.2.1

Updated Date: 09/16/2011

Summary:

This release note documents the version 10.2.1 release of BIG-IP Local Traffic Manager and TMOS. To review what is new and fixed in this release, refer to New in version 10.2.1 and Fixed in version 10.2.1. For existing customers, you can apply the software upgrade to versions 9.3.x, 9.4.x, 9.6.x, and 10.x. For information about installing the software, refer to Installing the software.
Contents:


Supported hardware
User documentation for this release
New in 10.2.1
New in 10.2.0
Installation overview
 - Installation checklist
 - Installing the software
 - Post-installation tasks
 - Installation tips
Upgrading from earlier versions
Fixes in 10.2.1
Fixes in 10.2.0
Behavior changes in 10.2.1
Behavior changes in 10.2.0
Known issues
Contacting F5 Networks
Legal notices

Supported hardware
You can apply the software upgrade to systems running software versions 9.3.x, 9.4.x, 9.6.x, and 10.x. For a list of supported platforms, see SOL9412: The BIG-IP release matrix. For information about which platforms support which module combinations, see SOL10288: BIG-IP software and platform support matrix.

User documentation for this release


For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP LTM / VE 10.2.1 Documentation page.

New in 10.2.1
Application templates
This release includes one new application template and one upgraded application template. An application template corresponds to a particular application, such as email access, and provides a fast, efficient way to configure the BIG-IP system to process the associated traffic. The new and upgraded application templates provided in this release are:
 - Microsoft Exchange 2010
 - Citrix XenApp

NEBS support


This release adds support for the new Network Equipment-Building System (NEBS) compliant version of the BIG-IP 11050 platform, and a NEBS-compliant version of our latest high performance blade (PB200) for the VIPRION platforms. For a VIPRION system to be completely NEBS-compliant, you must use a NEBS-compliant chassis and blades. For more information, see the setup guides provided with the hardware, and the Platform Guide: 11050 and Platform Guide: VIPRION platform guides.

New in 10.2.0
BIG-IP Local Traffic Manager Virtual Edition
You can now run the BIG-IP system in a virtual machine environment. BIG-IP Local Traffic Manager Virtual Edition (VE) is a version of the BIG-IP system that runs as a virtual machine, packaged to run with a VMware hypervisor on a machine running Microsoft Windows, or on a Linux-hosted machine. BIG-IP Local Traffic Manager Virtual Edition includes all features of BIG-IP Local Traffic Manager, running on the standard BIG-IP Traffic Management Operating System (TMOS).

EtherIP tunneling between data centers


The EtherIP tunnel is designed as a generic way of bridging two remote data centers. To configure an EtherIP tunnel, you use VLANs that span pairs of BIG-IP systems in separate data centers. This enables uninterrupted support for existing IP connections before and after a live migration event in which the application resource is moved from the local to the remote data center.

Application templates
This release includes additional application templates. An application template corresponds to a particular application, such as generic DNS traffic management, and provides a fast, efficient way to configure the BIG-IP system to process the associated traffic. The application templates added in this release are:
 - Generic DNS
 - Microsoft Exchange 2010 Client Access server (CAS), (formerly known as Outlook Web Access), which supports Outlook Anywhere, POP3, and IMAP4 virtual servers
 - VMware View

XML content-based routing


You can now route XML messages to different destinations based on specific content in a document. The system queries document content using an XML Path Language (XPath) expression, which assures fast, simple, and accurate operation. For example, you can specify a purchase-order (PO) routing scheme, in which the system routes a PO totaling less than $10k to one pool member, and a PO totaling more than $10k to another pool member.

Receive Disable String (RECV drain string) monitor option


In this release, you can configure the Receive String attribute and a new Receive Disable String attribute for HTTP, HTTPS, TCP, and UDP monitors. When configured in certain combinations, these attributes cause all existing connections to be methodically drained from the server instead of being dropped suddenly. This feature is helpful when you are planning to perform maintenance on the server. For configuration information, see Configuring Receive Disable String (RECV drain string) monitor option.

Virtual Location monitor


The Virtual Location monitor optimizes end-user response time in environments with dynamic distribution of application resources across multiple data centers. When using the Virtual Location monitor, the BIG-IP system sets the Priority Group value of all local pool members to 2 (a higher priority). When a member of a load balancing pool migrates to a remote data center, the Virtual Location monitor lowers the member's Priority Group value to 1 (a lower priority). This value adjustment results in subsequent connections being sent to local pool members only, if any are available. If no local pool members are available, connections are sent to the remote pool member.

TCP persist timeout configuration (CR75559-8)


There is now a TCP profile option for specifying the length of time that the TCP connection can receive zero-length window probes before the system closes the connection. The Zero Window Length option has a default value of 20000 milliseconds. If you set the value to 0 (zero), the system closes the connection immediately upon receiving a zero-length window probe. The timer starts when the effective window size becomes zero, and stops when the window size becomes greater than zero. When the interval reaches the value specified, the connection is terminated. This setting is useful for handling slow clients with small buffers, such as cell phones.

User authentication lockout


You can now deny access to a user after a configured number of failed authentication attempts. The administrator can then reset the lock to re-enable access for the user.


Public Key Infrastructure/Common Access Card (PKI/CAC) support


The BIG-IP Kerberos Delegation authentication module has been extended so that the system can now transition SSL certificates to Kerberos credentials. More specifically, the BIG-IP Advanced Client Authentication component can offload SSL processing and authenticate the identity of an end-user based on an attribute obtained from a Common Access Card (CAC) certificate.

BIG-IP Access Policy Manager on 3600, 3900, 6900, 6900 FIPS, 8900, 8950, and 11050 platforms
You can provision a free ten-concurrent-connection license of the BIG-IP Access Policy Manager module for web application access management on the following BIG-IP platforms: 3600 (C103), 3900 (C106), 6900 (D104), 6900 FIPS (D104), 8900 (D106), 8950 (D107), and 11050 (E102). The BIG-IP Access Policy Manager is a software component of the BIG-IP hardware platform that provides your users with secured connection to Local Traffic Manager virtual servers, specific web applications, or the entire corporate network. For provisioning details, see BIG-IP Systems: Getting Started Guide. For more information about BIG-IP Access Policy Manager and its associated documentation, see Release Note: BIG-IP Access Policy Manager version 10.2.0.

Module integration into the Configuration utility


In this release, the Application Security Manager module and Web Accelerator system are now fully integrated into the BIG-IP Configuration utility.

Support for two new platforms


This release provides support for the new 8950 and 11050 platforms, which are designed to provide superior performance. For more information, see Platform Guide: 8950 and Platform Guide: 11050, available in the AskF5 Knowledge Base.

Logging to RADIUS or TACACS+ accounting servers


When you configure the new logging to RADIUS or TACACS+ accounting servers feature, the BIG-IP system forwards audit log messages to remote Remote Authentication Dial In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) servers in the appropriate logging format. For configuration information, see Configuring logging to RADIUS or TACACS+ accounting servers.

Installation overview
This document lists only the very basic steps for installing the software. The BIG-IP Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 recommends that you consult the getting started guide for all installation operations.

Installation checklist
Before you begin:
 - If using partitions, reformat for the 10.1.0 and later partition size, if needed (partitions created using version 9.x or 10.0.x do not accommodate the 10.1.0 and later software).
 - Reactivate the license and update the service contract.
 - Have the .iso file available, or download it from F5 Downloads, in /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
 - Configure a management port.
 - Set the console and system baud rate to 19200, if it is not already.
 - Log on as an administrator using the management port of the system you want to upgrade.
 - Boot into an installation location other than the target for the installation.
 - Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
 - Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
 - Turn off mirroring.
 - If you are upgrading from version 9.3.x or 9.4.x, run im <downloaded_filename.iso> to copy over the new installation utility.
 - If you are running WAN Optimization Module, set the module's provisioning to Minimum.

Installing the software


F5 offers several installation methods. Choose the method that best suits your environment.

Warning: Do not use the --nomoveconfig option described in the following table on systems with existing, running installations of Application Security Manager. Doing so removes all content from the associated database. Instead, ensure that the configuration on the source installation location matches the one on the destination. To do so, save the UCS configuration on the location you want to preserve, and apply that configuration to the destination before or after the installation operation.

To install the software, use one of the methods described.

| INSTALL METHOD | COMMAND |
|---|---|
| Format for volumes, migrate source configuration to destination | image2disk --format=volumes <downloaded_filename.iso> |
| Format for volumes, preserve destination configuration (for fully 10.x environments) | image2disk --nomoveconfig --format=volumes <downloaded_filename.iso> |
| Install without formatting (not for first-time 10.x installation) | bigpipe software desired HD.<n.n> version 10.x build <nnnn.n>.iso product BIG-IP |
| Format for partitions (for mixed 9.x and 10.x environments) | image2disk --format=partitions <downloaded_filename.iso> |
| Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |

Post-installation tasks
This document lists very basic steps for installing the software. The BIG-IP System: Upgrading Active/Standby Systems and BIG-IP System: Upgrading Active-Active Systems contain details and step-by-step instructions for completing an upgrade. After the installation finishes, you must complete the following steps before the system can pass traffic.
 1. Ensure the system rebooted to the new installation location.
 2. Log on to the browser-based Configuration utility.
 3. Run the Setup utility.
 4. Provision the modules.
 5. Convert any bigpipe scripts to tmsh. (Version 11.0.0 does not support the bigpipe utility.)

Installation tips
 - The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
 - You can view a list of the image2disk utility options by running the command image2disk --help.
 - You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
 - If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions


Your upgrade process differs depending on the version of software you are currently running. Software version 10.x introduced the ability to run multiple modules based on platform. The number and type of modules that can be run simultaneously is strictly enforced through licensing. For more information, see SOL10288: BIG-IP software and platform support matrix.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.


Upgrading from version 9.6.x or 10.x


When you upgrade from software version 9.6.x or 10.x, you can use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help, or the relevant chapters in the BIG-IP Systems: Getting Started Guide. Important: Upgrading a version 9.6.x platform to version 10.x also performs a BIOS upgrade. (You can find more information in the following Solution: SOL10633: BIOS update may be required before installing BIG-IP version 10.1.0 or later on the VIPRION platform.) If you also apply a version 10.x hotfix when you attempt the software upgrade, the operation fails to install the new BIOS. This can cause additional issues. For more information, see SOL10548: The BIOS of the VIPRION platform is not upgraded when installing BIG-IP version 10.0.x and a hotfix in a single step and SOL10016: A VIPRION kernel panic occurs following an upgrade to BIG-IP version 10.x.

Upgrading from version 9.3.x or 9.4.x


If you plan to install this version of the software onto a system running 9.3.x or 9.4.x, you must perform a one-time upgrade procedure to make your system ready for the new installation process. When you update from software version 9.3.x or 9.4.x to 10.x, you cannot use the Software Management screens in the Configuration utility. Instead, you must run the image2disk utility on the command line. For information about using the image2disk utility, see the BIG-IP Systems: Getting Started Guide.

Upgrading from versions earlier than 9.3.x


You cannot roll forward a configuration directly to this version from BIG-IP version 4.x or from BIG-IP versions 9.0.x through 9.2.x. You must be running software version 9.3.x, 9.4.x, 9.6.x, or 10.x. For details about upgrading to those versions, see the release notes for the associated release.

Important: Beginning with version 10.0.0 of the software, a redundant system configuration must contain failover peer management addresses for each unit. If you roll forward a redundant system configuration from 9.3.x or 9.4.x, the units start up in an offline state because each one needs a failover peer management address. To configure the failover peer management addresses, navigate to System > High Availability > Network Failover, and specify the management IP address of the peer unit in the Peer Management Address field. Then do the same on the other unit in the configuration. Once you specify both IP addresses, the system should operate as expected. For more information, see SOL9947: Change in Behavior: The Peer Management Address setting is required for BIG-IP version 10.x systems configured for network failover.

Fixes in 10.2.1
The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in SOL12729: Overview of BIG-IP version 10.2.1 HF1 and SOL12778: Overview of BIG-IP version 10.2.1 HF2.
| ID NUMBER | DESCRIPTION |
|---|---|
| ID 224391, CR135937 | The system now correctly parses iRule if commands that contain an escape character previously described as a suspended command following an escaped newline character. |
| ID 224506 | TCP connections on a FastL4 virtual server with mirroring enabled now have the handshake timeout set correctly. |
| ID 224726 | Clustered multi-processing (CMP) enabled forward listeners no longer map ephemeral ports created for passive FTP clients to the incorrect VLAN when VLAN-keyed connections are disabled. |
| ID 224958 | The CLIENTSSL_DATA event now fires correctly regardless of whether or not a pool or profile is configured. |
| ID 225448, CR139406 | The system now correctly supports 4096-bit SSL keys to configure Server SSL profiles. |
| ID 225618 | Session Initiation Protocol (SIP) support is now more stable when using the iRule drop command. |
| ID 225747 | Enhancements have been made to the Traffic Management Microkernel (TMM) with respect to iRules and clustered multi-processing (CMP). |
| ID 225930 | When the Client SSL profile is configured to require a certificate, the client would reject the serverHello message due to excessive data, and the system logged a message Apr 26 16:31:56 local/tmm1 info tmm1[5208]: 01260013:6: SSL Handshake failed for TCP from 10.10.7.163:20000 to 10.10.1.0:35937. This has been corrected and clients no longer reject the serverHello message. |
| ID 225957 | Previously, when a pool member or a node that was set to Forced Offline was set to Enabled by a user, the pool member or node's state would be set to checking. Now, when a pool member or node is set to Enabled from the Forced Offline state, its status is set to Down until the associated health monitors bring it back up. |
| ID 226188 | On early 8400 and 8800 platforms, using the 10 Gig-E interfaces, frame sizes of 1514 and 1518 bytes no longer cause a connected switch to report frame check sequence (FCS) errors, due to a mismatch between the physical MTU and the reported MTU. |
| ID 226397 | FastL4 connections using SYN cookies and a profile with tcp generate isn set now work correctly. |
| ID 226399, ID 248017, CR141404 | VIPRION systems correctly handle traffic after configuring a wildcard virtual server or a virtual server listening on UDP port 62720. |
| ID 226531 | The WMI and Real Server monitors are now compatible with route domains. |
| ID 226783 | BIND now responds correctly to DNS requests against IPv6 self IP addresses. |
| ID 226818, ID 226920 | Enhancements have been made to SSL client certificate handling in resumed sessions. |
| ID 226969 | Fragmented Datagram Transport Layer Security (DTLS) requests are now handled properly. |


| ID NUMBER | DESCRIPTION |
|---|---|
| ID 226971 | The SSL filter now properly responds with a full SSL handshake when an SSL connection is renegotiated with Firefox and Safari browsers. |
| ID 227062 | Diameter flows are now torn down more reliably. |
| ID 247801 | When the static ARP entry is added while a dynamic entry exists for the same address, the static ARP entry takes precedence, and you no longer see two ARP entries for the same address. |
| ID 324272 | Log messages for pool member status changes are no longer throttled, so that the system reports all pool member status changes. |
| ID 324276 | Statistics query performance for pool members and node addresses has been improved. |
| ID 324283 | The SNMP DCA monitor now sends the Community string properly to monitored nodes. |
| ID 324287 | The bgpd service no longer intermittently sends corrupted route update messages to peers. |
| ID 324297 | The High Speed Logging feature can now correctly log binary data. |
| ID 324299, ID 324310 | Memory configuration issues on the 3900, 6900, and 8900 platforms with Local Traffic Manager, Application Security Manager, and WebAccelerator system modules have been resolved. |
| ID 324303 | A memory leak and crash condition with SSL has been fixed. |
| ID 324325 | Performance improvements have been made to the FIPS driver to enhance performance on platforms with Clustered Multi-Processing (CMP). |
| ID 324326 | The BIG-IP system now supports pipelining for configured HTTP/1.0 clients. |
| ID 324329 | Enhancements for Traffic Management Microkernel (TMM) stability now prevent a potential crash when an SSL renegotiation request is received after processing a shutdown event. |
| ID 324330 | HTTP requests that did not specify the HTTP version (that is, HTTP version 0.9 requests) were erroneously reported as having a bad http version violation. This has been corrected. |
| ID 324334 | An error with processing of packets smaller than 64 bytes and applying minimum size padding in hardware on platforms with HSB has been mitigated by switching to performing minimum size padding in software. |
| ID 324335 | When using the ACCESS::session data get and ACCESS::respond combination in an iRule on systems with clustered multi-processing (CMP), the tmm service could have become unresponsive. This has been resolved. |
| ID 324337, ID 337159 | Clicking the Update button on the Network Failover screen in the browser-based Configuration utility no longer triggers a failover operation, which caused the active unit to switch to standby. |
| ID 324345 | This release fixes a kg_accept_krb5 function vulnerability tracked by the Common Vulnerabilities and Exposures (CVE) project, which assigned the ID CVE-2010-1321 to the problem. For more information about the vulnerability, see CVE-2010-1321. |
| ID 324348 | Memory allocation for WebAccelerator system can now be provisioned by administrators. |
| ID 324355 | The Generic HTTP virtual server application template has been updated to contain the correct syntax for the HTTP monitor. |
| ID 324361 | On platforms with Packet Velocity application-specific integrated circuit (PVA), a restart of the pvad service no longer produces UDP path probes with bad checksum values, which caused the system to drop the packets. This issue has been resolved. |
| ID 324362 | Under certain conditions in which the mcpd service received a high volume of messages, a timer became accelerated and triggered an early scrub of the Link Aggregation Control Protocol (LACP) packet registry, which prevented forwarding of packets, and resulted in lacpd warning messages in the logs. This version of the software corrects this issue. |
| ID 324363 | This release fixes a GhostScript 8.70 and 8.64 parser function vulnerability tracked by the Common Vulnerabilities and Exposures (CVE) project, which assigned the ID CVE-2010-1869 to the problem. For more information about the vulnerability, see CVE-2010-1869. |
| ID 324364 | Specifying GMT0 as the time zone no longer prevents the browser-based Configuration utility from updating the system configuration. |
| ID 324366 | Users can now configure an SSL proxy between Enterprise Manager and a managed device. |
| ID 324368 | Users who are not administrators or superusers (that is, users with the role of Manager) can now import/export on partitions for which they have access permissions. |
| ID 324372 | Kerberos protocol transition now works with keep-alive settings. |
| ID 335621, CR140560 | The mcpd process no longer restarts on secondary blades on the VIPRION system after resetting statistics on objects in administrative partitions other than the Common partition. |
| ID 336848 | SSL certificates and their chain of authority certificates may now be contained in the same file. |
| ID 337378 | Session tickets are now disabled for SSL sessions using COMPAT ciphers, which corrects an issue that occurred when session tickets were enabled. |
| ID 337382 | Route domain selection is now honored properly for web applications with servers in route domains other than the default. |
| ID 338062 | On 3400, 6400, 6800, 8400, and 8800 platforms, that is, platforms with Packet Velocity application-specific integrated circuit (PVA), the system now correctly sends ICMP Unreachable - Fragmentation Needed packets to FastL4 virtual servers set for PVA assist. |
| ID 338148 | Inherited Client SSL profile attributes changed on the parent are no longer out of sync between the primary and secondary blades on a VIPRION system. |
| ID 338708 | The mcpd process no longer leaks memory when changes are made to node monitors in non-common partitions. |
| ID 338827 | IPv6 autoconfiguration now works across VLAN groups. |
| ID 338852 | Full hardware acceleration is more accurately applied on 6800 platforms. |
| ID 339379 | Traffic Management Microkernel (TMM) now responds correctly when the virtual server references an iRule with the HTTP::header sanitize command. |
| ID 339524 | Improvements have been made to SSL offloading when processing requests with malformed SSL application data. |
| ID 339586 | The pvad service now properly marks nodes as up to allow for full Packet Velocity application-specific integrated circuit (PVA) acceleration. |
| ID 339735 | When attempting to configure Web Cache Communication Protocol (WCCP) between a BIG-IP system and a Cisco Nexus 7000 switch using the Layer-2 routing method, the Cisco switch would log errors stating that the WCCP packet length was invalid. This has been corrected, and WCCP in Layer-2 routing mode now functions properly between BIG-IP systems and the Cisco Nexus 7000. |


| ID NUMBER | DESCRIPTION |
|---|---|
| ID 339744 | This release corrects the condition that caused the Traffic Management Microkernel (TMM) core events that produced a ** SIGSEGV ** that included the following notices: notice fault addr: 0x68 and notice fault code: 0x1. |
| ID 339847 | The msktutil and domaintool utilities no longer crash when run by an unprivileged user, reporting the message glibc detected-msktutil: munmap_chunk: invalid pointer: 0xff920190. The output now correctly reports that the logged on user must be an administrator. |
| ID 339955 | The Configuration utility now correctly updates the /config/bigip_sys.conf file so that ConfigSync or configuration reload does not disable initial network failover configuration. |
| ID 340407 | Basic TCP monitors that are associated with a pool or pool member that is not listening on the monitored port no longer erroneously mark a node up when it is actually down. |
| ID 340651 | This release corrects the condition on VIPRION platforms, in which setting the db variable vlan mac assignment to global resulted in some or all of the VLANs receiving a zero MAC assignment, which could cause no traffic to pass on a VLAN. You can now set db variable vlan mac assignment to global and there are no longer VLANs with MAC address of zero. |
| ID 340696 | The system now correctly handles a large number of self IP addresses or VLANs when starting up the ntpd process, and no longer halts with a segmentation violation or related crash. |
| ID 341217 | The system now correctly removes the trailing semicolon (;) and whitespace when removing an HTTP cookie from HTTP header data. |
| ID 341404 | VLAN group Proxy Exclusion List now correctly loads on secondary blades in a VIPRION cluster. |
| ID 341414 | The system no longer incorrectly uses the CompactFlash card as a swap partition. Now, the system correctly uses a swap partition on the system hard drive. |
| ID 341655 | This release corrects a problem where ARP handling resulted in packet loss under certain packet-delay conditions. |
| ID 342010 | Use of the table keys -subtable iRule command no longer causes a memory leak. |
| ID 342357 | A defect in processing ActiveSync, clientless POST operations has been corrected. |

Fixes in 10.2.0
The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in SOL11853: Overview of BIG-IP version 10.2.0 HF1 with the exception of the following Change Requests (CRs):
 - CR136629: The performance of queries for pool member and node address statistics.
 - CR139372: The High Speed Logging feature and logging binary data.

After you have installed the software, you can use any of the following configuration options to update your configuration.

CR134037: Corrected fixed-ratio calculations to improve performance and accuracy.

Receive Disable String (RECV drain string) monitor option: The Receive Disable String advanced configuration setting applies to HTTP, HTTPS, TCP, and UDP monitors. You can use a Receive String value together with a Receive Disable String value to match the value of a response from the origin web server and create one of three states for a pool member or node: Up (Enabled), Up (Disabled), or Down.
 - When a pool member or node is Up (Enabled), a new connection can be made.
 - When Up (Disabled), a new connection cannot be made, existing connections become depleted, and maintenance can be performed on the server.
 - When Down, a new connection cannot be made, existing connections are immediately terminated, and maintenance can be performed on the server.

Additionally, if you choose to set the Reverse setting to Yes, the Receive Disable String option becomes unavailable and the monitor marks the pool, pool member, or node Down when the test is successful.
RECEIVE STRING MATCHES Yes No No RECEIVE DISABLE STRING MATCHES No Yes No STATE OF POOL MEMBER OR NODE Up (Enabled) Up (Disabled) Down (Disabled)

Note: F5 Networks recommends using mutually exclusive values for Receive String and Receive Disable String. If a response matches both values, the monitor indicates the state as Up (Enabled).

Configuring logging to RADIUS or TACACS+ accounting servers:
This release introduces RADIUS and TACACS+ accounting support, where syslog messages that are written to the /var/log/audit log are sent in encrypted form to either a RADIUS (port 1813) or TACACS+ (port 49) accounting server. You can use the Traffic Management shell (tmsh) to configure the RADIUS or TACACS+ components.

To configure the BIG-IP system for logging to RADIUS or TACACS+ accounting servers

1. In the browser-based Configuration utility, navigate to System > Logs > Options and select Enable from the bigpipe list in the Audit Logging section.
2. Using the tmsh utility on the command line, navigate to the /sys module.
3. Within the /sys module, modify the config.auditing.forward.destination component to use an IPv4 or IPv6 address for the destination. For example, to configure a destination IPv4 address of 192.168.10.1, use the following command:
   tmsh modify sys db config.auditing.forward.destination value 192.168.10.1
4. Modify the config.auditing.forward.sharedsecret component to use a secret string. For example, to configure a secret string called mysecret, use the following command:
   tmsh modify sys db config.auditing.forward.sharedsecret value mysecret
5. Modify the config.auditing.forward.type component to use either radius or tacacs+. For example, to configure tacacs+, use the following command:
   tmsh modify sys db config.auditing.forward.type value tacacs+

After you complete these steps to configure RADIUS or TACACS+ accounting support, the system automatically creates a log file in the destination specified.

Note: If connectivity to the remote auditing server is lost, messages are not transmitted and there is no message retransmission mechanism. You can still find those messages in the /var/log/audit log on the BIG-IP system, however.

All messages are fully written to the log file on the BIG-IP system; however, on the accounting server, messages are truncated to 255 characters. When you set the variable type to radius or tacacs+ for config.auditing.forward.type, you must also specify a secret string for config.auditing.forward.sharedsecret. You must use port 1813 for logging to RADIUS accounting servers, and port 49 for logging to TACACS+ accounting servers.

To disable logging to RADIUS or TACACS+ accounting servers

1. Navigate to the /sys module.
2. Within the /sys module, set the config.auditing.forward.type component to none using the following command:
   tmsh modify sys db config.auditing.forward.type value none

To customize messages from the audit log to the accounting servers

1. Modify the Tcl procedure called Transform in /etc/syslog-ng/audit_forwarder.tcl. (You must use the exact procedure name Transform.)
2. To have the change take effect, run the command bigstart restart syslog-ng at the tmsh command line.

Note: This feature gives you total control over what is sent to the accounting server. However, although you can modify the script in any way to change what is sent to an accounting server, F5 Networks supports only the unmodified script.
A Transform procedure for a customized message must return a transformed string. Default functionality for a customized message leaves the message unchanged when the Tcl procedure is omitted, the Tcl file does not exist, or an error occurs on evaluation. This procedure does not modify messages written to the /var/log/audit file.

Tcl Transform procedure options for customized messages

You can also use the following additional Tcl procedures. These procedures are mutually exclusive, so uncomment only the one you want to use and comment out the other one.

To configure the /etc/syslog-ng/audit_forwarder.tcl script not to send variants of bigpipe show and bigpipe list commands, comment out the top procedure and uncomment the second procedure in the file.

To modify the Tcl script to skip the first 16 characters, comment out the second procedure, and uncomment the third procedure. This eliminates the date and time portion of the message. Since the accounting server truncates messages to 256 characters, this might be useful to include more relevant data from longer messages.

Behavior changes in 10.2.1


ID NUMBER: Commands for --instslot and --format in image2disk utility
DESCRIPTION: Beginning in BIG-IP version 10.2.1 and Enterprise Manager version 2.1.0, the image2disk utility --instslot and --format options are mutually exclusive. If you attempt to invoke the image2disk utility specifying both options, the system returns the following error message: Terminal error: You cannot specify the target location when using the format option. You can specify the --format option to perform the formatting and installation operation simultaneously on all platforms except the 1500 and 3400 platforms with 1 GB of memory. For more information, see SOL12561: Change in Behavior: The image2disk utility --instslot and --format options are now mutually exclusive. For information about the 1500 and 3400 platforms, see SOL11396: Error message: Terminal error: System memory of 1 GiB is insufficient for 'format=volumes' with this product image; 1.5 GiB is required.

ID NUMBER: ID 207411, CR120157
DESCRIPTION: In versions prior to 10.1.0, a null response from an HTTPS service with no receive string would be marked as UP. This behavior changed in version 10.1.0 to require at least one byte of data after SSL negotiation to be considered UP. For more information, see SOL10904: An HTTPS monitor incorrectly marks a node as UP when no data was sent in the server response.

Behavior changes in 10.2.0


ID NUMBER: CR109429-1
DESCRIPTION: The browser-based Configuration utility increments the total requests statistic for virtual servers only when the virtual server uses an HTTP profile, or when the virtual server is a Performance (HTTP) type.

ID NUMBER: CR110198, CR127136, CR134054-1
DESCRIPTION: F5 Networks has changed the default behavior for SSL profiles that do not have customized cipher lists. The set of ciphers negotiable by default no longer includes DES-CBC-SHA and all MD5 cipher suites. You can re-enable these ciphers by customizing the SSL profiles' ciphers attribute with the desired ciphers explicitly enabled and/or selecting the appropriate clientssl-insecure-compatible or serverssl-insecure-compatible profile from which to inherit default settings that include the deprecated ciphers.

ID NUMBER: CR131461
DESCRIPTION: In version 10.2.0 when you boot from a DVD, thumb drive, or Pre-boot Execution Environment (PXE) server, the system presents a menu. You can press Enter to initiate an installation operation. The system indicates that you can also use Ctrl+C to access the command line shell to perform additional installation operations. In version 10.2.0, however, when you use Ctrl+C at this point, the system leaves a boot partition mounted, which causes all subsequent installation operations to fail. For more information about the known issue and its workaround, see Manufacturing installation menu and Ctrl+C to enter Bash (CR138343). In previous releases, the system did not present the menu, but instead presented the command line shell immediately.

ID NUMBER: CR135199
DESCRIPTION: The BIG-IP products support an extensive range of SSL ciphers. You can find an overview of the SSL ciphers BIG-IP systems support in SOL8802: Overview of SSL ciphers supported in BIG-IP systems, and an updated list of all SSL ciphers supported on the BIG-IP product in SOL6808: SSL Ciphers supported on the BIG-IP 1500, 1600, 3400, 3600, 3900, 6400, 6800, 6900, 8400, 8800, and 8900 platforms.

ID NUMBER: CR135548-1
DESCRIPTION: When you create a new TCP, HTTP, or HTTPS monitor in version 10.2.0, you must include \r\n at the end of a non-empty Send String, for example GET /\r\n instead of GET /. If you do not include \r\n at the end of the Send String, the TCP, HTTP, or HTTPS monitor fails.

ID NUMBER: Communication between BIG-IP or 3-DNS version 4.x and version 10.1.0 or later
DESCRIPTION: A 3-DNS Controller or BIG-IP system running version 4.x cannot communicate with BIG-IP systems configured with version 10.1.0 or later. For more information, see SOL11106: Change in Behavior: iQuery communication is not supported between BIG-IP or 3-DNS version 4.x and BIG-IP LTM or GTM version 10.1.0 or later.

ID NUMBER: VLAN failsafe timeout value behavior change
DESCRIPTION: In software versions 9.x, the system did not enforce a minimum value for the VLAN failsafe timeout value. Beginning in version 10.0.0, the minimum allowed VLAN failsafe timeout value is 10 seconds. Before you upgrade from version 9.x to version 10.x, F5 Networks recommends that you change your VLAN failsafe timeout value to 10 or greater in order to ensure a successful configuration load after the upgrade has been completed. For more information, see SOL7066: Overview of VLAN failsafe.
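One way to find, after an upgrade, the SSL profiles that still negotiate the ciphers dropped from the defaults (CR110198, CR127136, CR134054-1). This is an added example, not F5 code: the simplified bigip.conf-style sample and its profile names are constructed, and the token check is a heuristic that does not expand group keywords such as DEFAULT or ALL.

```python
import re

# Built-in profiles the release note names as still carrying the deprecated ciphers.
INSECURE_BASES = {"clientssl-insecure-compatible", "serverssl-insecure-compatible"}

# Constructed sample in an assumed, simplified profile layout; profile names are hypothetical.
SAMPLE_CONF = '''
profile clientssl legacy_portal {
   defaults from clientssl-insecure-compatible
}
profile clientssl shop_front {
   defaults from clientssl
   ciphers "DEFAULT:!MD5:!DES-CBC-SHA"
}
profile clientssl old_partner_api {
   defaults from clientssl
   ciphers "DEFAULT:RC4-MD5:DES-CBC-SHA"
}
profile serverssl backend_child {
   defaults from backend_parent
}
profile serverssl backend_parent {
   defaults from serverssl-insecure-compatible
   ciphers "AES256-SHA:AES128-SHA"
}
'''

PROFILE_RE = re.compile(r'profile\s+(clientssl|serverssl)\s+(\S+)\s*\{(.*?)\}', re.S)


def parse_profiles(conf_text):
    """Map profile name -> parent profile and explicit ciphers string (or None)."""
    profiles = {}
    for kind, name, body in PROFILE_RE.findall(conf_text):
        parent = re.search(r'defaults\s+from\s+(\S+)', body)
        ciphers = re.search(r'ciphers\s+"([^"]*)"', body)
        profiles[name] = {
            "kind": kind,
            "parent": parent.group(1) if parent else None,
            "ciphers": ciphers.group(1) if ciphers else None,
        }
    return profiles


def weak_tokens(cipher_string):
    """Return tokens that explicitly enable DES-CBC-SHA or an MD5 suite."""
    tokens = [t for t in re.split(r'[:,\s]+', cipher_string) if t]
    # "!X" permanently excludes X, wherever it appears in the string.
    killed = {t[1:].upper() for t in tokens if t.startswith("!")}
    weak = []
    for token in tokens:
        if token[0] in "!-+":  # exclusion, removal or reordering: enables nothing
            continue
        name = token.upper()
        if "MD5" in name and "MD5" not in killed:
            weak.append(token)
        elif name == "DES-CBC-SHA" and not killed & {"DES-CBC-SHA", "DES"}:
            weak.append(token)
    return weak


def audit(conf_text):
    """Return {profile: [reasons]} for profiles that can negotiate deprecated ciphers."""
    profiles = parse_profiles(conf_text)
    findings = {}
    for name in profiles:
        reasons, seen, cur = [], set(), name
        # Walk up the inheritance chain; the nearest explicit ciphers value wins.
        while cur is not None and cur not in seen:
            seen.add(cur)
            if cur in INSECURE_BASES:
                reasons.append("inherits ciphers from " + cur)
                break
            prof = profiles.get(cur)
            if prof is None:  # built-in base such as clientssl: new defaults apply
                break
            if prof["ciphers"] is not None:
                weak = weak_tokens(prof["ciphers"])
                if weak:
                    reasons.append("ciphers on %s enable %s" % (cur, ", ".join(weak)))
                break
            cur = prof["parent"]
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for profile, why in sorted(audit(SAMPLE_CONF).items()):
        print(profile, "->", "; ".join(why))
```

In the sample, backend_child is not reported even though its grandparent is serverssl-insecure-compatible, because the explicit ciphers value on backend_parent overrides the inherited list.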

Known issues
ID NUMBER: CR55926
DESCRIPTION: If the active unit in a redundant system reboots, the standby unit goes active and handles any established connections that were mirrored. However, when the previously active box comes back up, it does not re-synchronize the state for the mirrored connections. This means that the mirrored connections are lost in a subsequent failure or a forced fail-back. This does not affect connections that end before the second restart and failover. Also, this does not apply to Fast L4 profiles.

ID NUMBER: CR79065, CR83552, ID 250921, ID 251174, ID 319551
DESCRIPTION: When, due to time-to-live (TTL) exceeded, the BIG-IP system drops IPv6 traffic being sent through a network virtual server or SNAT, the BIG-IP system responds with a destination-unreachable ICMP6 message. The BIG-IP system's IP address should be listed as the source in the ICMP response, and the client IP address should be listed as the destination. However, the BIG-IP system incorrectly reports the dropped IPv6 packet's destination address as the source address of the ICMP6 response. The result, from the client's perspective, is that BIG-IP system does not show up as a hop; the server is seen in place of the BIG-IP system.

ID NUMBER: CR80191
DESCRIPTION: In order to change the baud rate when you are using a serial terminal console server on the VIPRION platform, you must follow a specific sequence to change the baud rate in three places, or you can lose communication with the system.

1. On each blade in the system, run the following command:
   bigpipe baud rate <your_baud_rate_value>
   Make sure to complete this change on all blades in the system before proceeding to step 2.
2. Next, change the Serial Port Redirector (SPR) baud rate by pressing ESC( to access the SPR Command Menu. When the menu opens, select B -- Set baud rate, and select from the six settings displayed.
3. Finally, change the baud rate of your serial terminal server.
   The syntax for completing this step varies depending on the terminal server you are using, so you should consult your serial terminal server documentation for more specific information.

ID NUMBER: CR83207
DESCRIPTION: If you replace a tri-speed copper small form-factor pluggable (SFP) module with a fiber SFP, you may have to reinsert the fiber SFP module a second time before it accurately reports link status.

ID NUMBER: CR80078-1, CR128607
DESCRIPTION: If you replace a copper (Cu) small form-factor pluggable (SFP) with a fiber SFP, the link might remain down, even when connected to an active peer. The workaround is to issue a bigstart restart bcm56xxd command.


ID NUMBER CR85137

DESCRIPTION

If you run the b ntp servers delete command when no such Network Time Protocol (NTP) server exists in the configuration, the system adds the server. The workaround is to make sure the server exists before trying to delete it.

If the user configuration set (UCS) file you roll forward at installation time contains a problem, subsequent system load operations can fail. If this happens, the remote users and administrators cannot log on to the system. To work around the situation, log on to the system as the root user or as the admin local user.

The Multiple Spanning Tree Protocol (MSTP) specifies that the system handles spanning tree packets in accordance with the MSTP protocol. When you create a new MSTP configuration on the system, the new MSTP configuration name is not retained following a system reboot or after running the bigstart restart command. For more information, see SOL8212: The BIG-IP LTM does not retain the MSTP configuration name following a reboot.

If you have duplicate names for SNATs in the bigip.conf file, the pvad service restarts and writes out a core file. To work around this situation, make sure each SNAT in the configuration has a unique name.

When RAM cache calculates the amount of memory available or allowed, it should take CMP into account. In this release, RAM cache does not take CMP into account.

Many load balancing methods are implemented so that the system divides the connection limit among running Traffic Management Microkernel (TMM) services. If you set the connection limit to low values, the results you see might not be what you expect. For example, some nodes might receive more connections than you expect, and other nodes that you expect to receive connections might not receive any. These apparent anomalies are discernible only with small numbers of connections, and disappear with large numbers of connections.

When the pvad service queries a very large number of objects (for example, 2000 nodes), the pvad service might use as much as 27% of CPU. This condition is intermittent, and might have other requisites. There is no workaround.

Occasionally, a system restart might result in the system posting to the console messages of the following type:

sshd(pam_audit)[4559]: user=root(pqizzjl1l) tty=/def/pts/1 host=172.17.251.100 attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008".
sshd(pam_audit)[4559]: 01070417:0: AUDIT - user root - RAW: sshd(pam_audit): user=root(pqizzjl1l) tty=/def/pts/1 host=172.17.251.100 attempts=1 start="Tue Aug 5 17:25:09 2008" end="Tue Aug 5 17:27:54 2008".

These messages occur when the system shuts down logging to the syslog-ng file before all users who are logged on have logged off. Should this error occur, when the system comes back up, you can use the boot marker in the audit files to confirm that the system logged out the remaining users.

Running the command b persist show on a cluster might return incomplete results in certain avoidable situations. To ensure complete results, leave the bigpipe shell read partition at all, and log on as a user who is authorized to view all partitions.

The Status LED briefly shows green on power up. The LED should be blank or amber. Early during initialization, the software sets the LED color to amber, and finally to green once cluster quorum is reached. You can safely ignore the transient green LED on power up.

When you are using Fast L4 profiles, make sure to set the PVA Acceleration setting to None if you also specify the Mimic setting for IP ToS to Client or IP ToS to Server. Otherwise, the system cannot perform the mimic functionality.

When the bd process restarts, the system stops all internal connections. If the next event that arrives on a halted connection is an HTTP request, the attempt to disable the plugin in HTTP_REQUEST fails, which logs a Tcl error to the /var/log/ltm file. This is a benign error message that you can safely ignore.

The b config check all command returns different results depending on whether you run the command on a chassis (such as a VIPRION system) or an appliance (such as a BIG-IP 6900). On a chassis, the system returns the message No reports have been received. On an appliance, the system returns a response similar to the following messages:

DAEMON STATUS bcm56xxd Configuration OK at 14062d 21:07:29 Last error at 14062d 21:07:29 Message: Received remote heartbeat registration message: pid=8714, timeout=60

When you click the Clear Performance Data button in any view, the operation clears data for all historical statistics, not just the data for the specific view you are in.

When you specify the cluster management IP address, the netmask defaults to /32, or 255.255.255.255. In order to use cluster member addresses, the netmask must be no more than /30, or 255.255.255.252. Always specify the netmask when specifying the cluster management IP address if you plan ever to use cluster member addresses. That way, the address always gets set correctly, and you can configure the cluster member addresses on the same network.

The 10.x installer creates four volumes by default, which differs from the two partitions that the 9.3.x and 9.4.x installer created.

When you are on the license summary general properties screen and you refresh the browser after you reactivate a license, the system prompts you to log on again. There is no workaround for this issue.

If you install the 9.6.x version of the software on a volume that uses a nonstandard name (for example, HD.pc1 rather than HD1.1), you cannot access that volume using version 9.6.x of the software. To access volumes named in this manner, use version 10.x software.

The system does not prevent you from deleting all volumes, including the active volume, using the b software desired command. Doing so causes the system to boot into another location. To prevent potential system access problems, do not use the command line to delete the active volume.

Beginning with version 10.0.0, the system reports module memory mixed in with memory used by all processes. To determine actual memory usage, you must use standard Linux commands, such as ps, top, and other similar commands.

On a VIPRION system with the active volume set above HD1.4, if you then add a blade that has 9.6.x installed and active, the system does not run the installation on the 9.6.x blade to bring it into the cluster. This occurs because 9.6.x is hardcoded to support volumes 1 through 4 and cannot dynamically create new volume sets. To work around this issue, make sure all blades you want to add are running 10.x, or use a volume set between 1 and 4.

When you specify the host name for the b ntp servers add command, the system returns false positives when translating the host name to an IP address. The workaround is to add Network Time Protocol (NTP) servers using an IP address instead of a host name.

If you use the high availability setup wizard and specify settings, when you click the Previous button, the system clears all the values you specified, so you must re-enter the values.

CR87863

CR90249, ID 227304

CR91719 CR92541 CR93185, CR116200

CR94039

CR96888

CR97188

CR97299-1

CR98536

CR100240

CR102064

CR102918 CR103199

CR103500 CR104124 CR104327, CR114895 CR104468, CR115056 CR104583, CR108667 CR104647

CR105032

CR105101


ID NUMBER CR105216 CR105234 CR105511

DESCRIPTION

When you are logged on to a cluster management address, and you or another user subsequently promotes one of the secondary blades to the primary, you and the other user might need to log on again.

When you have the dashboard window open, the browser session never times out. When you close the dashboard window, the timeout interval takes effect again.

If you configure secondary self IP addresses for a vlan/domain, the system uses the wrong self IP address for monitoring. In a typical scenario, the system uses the IP address that you created first as the primary IP address for monitoring. However, IPv6 in the Linux kernel does not set a preferred source by default. Because Linux treats routing domains like it treats IPv6 addresses, the Linux kernel does not set a preferred source. There is no workaround for this issue.

If you reset the Host on a platform that contains an SCCP after the system has completed initialization, the system attempts to PXE boot, making DHCP requests repeatedly and indefinitely. The workaround is to first use the SCCP Command Menu option 2 to put the SCCP into the proper state, and then reboot the system. You can also recover by powering the unit off and back on again.

In a redundant system that has Local Traffic Manager provisioned on both units and Global Traffic Manager provisioned on only one unit, you must provision Global Traffic Manager on the second unit. Failure to do so risks Global Traffic Manager becoming unprovisioned or unconfigured after a ConfigSync operation.

When you use the Software Management screens in the Configuration utility or the b software commands on the command line to create a volume on a system hard drive that is formatted using the partitioning scheme, the system appears to try to create the volume, but the operation fails. The system should alert you immediately that you cannot create a volume on a partitioned system hard drive. In general, the software does not support use of the volume management screens on systems that use the partitioning drive-formatting scheme.

The system counts route domain health check traffic as part of IPv6 traffic statistic totals. If your configuration has a monitor on a pool in a routing domain, you will see an increase in IPv6 traffic. If you remove the monitor from the pool, the IPv6 statistics freeze (assuming there is no actual IPv6 traffic). There is no workaround for this issue.

When you reboot a system from the serial console, the system reports the following message modprobe: modprobe: Can't locate module tun6to4... during the shutdown sequence. This message is benign, and you can safely ignore it.

A display issue in the browser-based Configuration utility makes it appear as if users can modify user settings that they should not be able to access. For example, a user logs on using an account assigned a non-administrator role. When that user changes the password and clicks Update, the screen temporarily redisplays with available settings for file, partition, and shell access. The user can manipulate the controls, and select different settings. However, the system does not accept the change.

This release supports only network failover for chassis-to-chassis failover on the VIPRION platform. Do not configure hardwired failover using any failover cable included with the VIPRION platform you received.

The system requires a user to relogon after changing a password to the same password as the one previously configured. There is no workaround for this issue.

Unlike in SSL profiles, the system does not validate keys and certificates used for SIP and HTTPS monitors. That means that you can specify non-matching or invalid keys and certificates. There is no checking on the command line or in the browser-based Configuration utility to make sure keys and certificates are valid and usable. If you use a SIP or HTTPS monitor on a server that requires authentication using a certificate signed by a certificate authority (CA), the monitor must use certificates signed by a CA that the server recognizes. Do not configure a monitor using certificates signed by an Intermediate CA because the monitor does not send such certificates to the server.

On BIG-IP 8400 and 8800 platforms, IPv4 fragments of a large User Datagram Protocol (UDP) datagram will be incorrectly modified at offset 6 from the end of the IP header (the location that would be the UDP checksum if the fragment were a full UDP datagram) from 0xfff to 0x0000. Although there is no workaround for this issue, it is not a common case.

The VIPRION platform may experience a kernel panic and reboot following an upgrade to BIG-IP version 10.0.0. This issue occurs if the system is running BIOS firmware earlier than build 461, and the VIPRION unit is upgraded to version 10.0.0 with the management interface connected to a subnet with live traffic. For more information and a workaround for this condition, see SOL10016: A VIPRION kernel panic occurs following an upgrade to BIG-IP version 10.0.0.

This release does not support USB CD-ROM or DVD-ROM drives devices that exceed the high-power USB current specification of five unit loads (500mA) per port.

Linux represents long VLAN names using the first 13 characters and an appended ~1. If you use the Linux system command ifconfig to retrieve the interface configuration of a VLAN with a name longer than 9 characters, the operation truncates the name to 8 or 9 characters. To work around this issue, use the ip addr show command to retrieve the VLAN using the IP address.

Beginning with version 10.0.0 of the software, a redundant system configuration must contain failover peer management addresses for each unit. If you roll forward a redundant system configuration from 9.3.x or 9.4.x, the units start up in an offline state because each one needs a failover peer management address. Configure the failover peer management addresses on the System > High Availability > Network Failover menu. Specify the management IP address of the peer unit in the Peer Management Address field. Then do the same on the other unit in the redundant system. Once you specify both IP addresses, the system should operate as expected.

In the browser-based Configuration utility, if you try to set the provisioning level to Dedicated on a module when another module already has the Dedicated provisioning level, the system allows the change and sets the provisioning level to None on all other modules. When you use the command line for the same operation, the system presents an error: When a Dedicated provision level is set, all other module's provision levels must be set to None. To accomplish the change, you can use the Configuration utility, or you can use the command line to set the provisioning level to None for all other modules, and then set the Dedicated provisioning level on the module you want to configure. To do so, use the tmsh utility to issue the following commands (substituting your module names for <module-A> and <module-B>):

(tmos)# create transaction
[batch mode](tmos)# modify sys provision <module-A> level dedicated
[batch mode](tmos)# modify sys provision <module-B> level none
[batch mode](tmos)# submit transaction

CR105604

CR105627

CR105797, CR114073

CR106378

CR106750

CR106828

CR106830 CR107046 CR107415

CR107443

CR107852

CR107874

CR107883 CR107927, CR110084

CR108434

CR108728, CR113440


ID NUMBER CR108819

DESCRIPTION The BIG-IP 8800 platform supports a maximum of 30,000 monitors in a single configuration. If you create more than 30,000 monitors, the BIG-IP 8800 might halt in a switchboard-failsafe state when you load the configuration. When a user is logged on, if you use the b config install <ucs file>, b import <ucs file>, or b config sync commands, or when performing a ConfigSync operation in the Configuration utility to load a configuration that contains the same user, but with a different password, the system does not log off that user. After that user logs off, or when that user's session times out, that user must use the password from the new configuration to log on. On a system whose drives are formatted as volumes, on the Resource Provisioning screen in the Current Resource Allocation area, there is a section that displays Disk provisioning; if the drives are formatted as partitions, there is no Disk provisioning section. However, if you issue the b provision command on the command line, the results show a column for disk provisioning information. If you attempt to mirror virtual servers that have RAM Cache enabled, depending on the cache state, the system leaks the connection on the standby unit when the connection is closed on the active unit. If you have state mirroring enabled, when you upgrade one unit of a redundant system, the system post messages until both systems are running the same version of the software. tmm tmm[1917]: 01340001:3: HA Connection with peer 10.60.10.3:1028 established. There is no workaround for this condition. Both units in a redundant system must be running the same version of the software. After a b import default operation, the prompt is set to reboot, but the operation does not instigate the reboot operation on the primary blade, although it does on the secondary blade. This is intentional behavior: the operation causes a reboot on secondary blades, but the primary blade does not reboot automatically in this case. 
To activate the imported configuration, reboot the primary blade. Beginning with version 10.0.0, you no longer need the hotfix uninstall packages. Instead, you can use the b software commands to change the revision level of any 10.x image location to a higher or lower revision. For more information, see the man page for the b software command, available on the command line by typing man software. When a system timeout occurs, the system grays out the screen behind the timeout alert box. Although you can access the browser window scroll bars to view the contents of the grayed-out screen, none of the options are active. When you delete an interface that is configured for interface mirroring, the system halts mirroring on all other configured interfaces. To work around this issue, when you delete an interface-mirroring configuration, recreate the configuration using all interfaces. As an alternative, after deleting an interface, save the configuration and issue the command bigstart restart. The secondary blades in a chassis log messages using the user name mcpd-primary. That means that when the root user issues certain commands on the primary blade, such as one to disable a virtual server, the system logs messages similar to the following: Oct 21 13:29:39 slot4/prd-061 alert mcpd[2415]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'root'. Oct 21 13:29:39 slot3/prd-061 alert mcpd[11909]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'. Oct 21 13:29:39 slot1/prd-061 alert mcpd[27136]: 01070921:1: Virtual Server 'new_test_virtual_8255' on partition 'Common' disabled by user 'mcpd-primary'. These messages accurately represent the action taken and the origin of the command, and do not indicate an error condition. 
In version 10.0.0, when attaching a child class to a parent class, the system takes into account the rate of the parent class when verifying that the parent's rate ceiling is not exceeded. Now, the sum of a parent class' rate and child classes' rates cannot exceed the parent's rate ceiling. In previous releases, the system allowed the parent's rate to be, at most, equal to the rate ceiling, regardless of the rates of the child classes. This could have led to oversubscribing the configured rate ceiling in certain cases where traffic was assigned directly to a parent class. If you are rolling forward a configuration from a previous build, a quick workaround is to set the rates of all parent classes to 0bps by running the following command: bigpipe rate class <parent class name> rate 0bps. As a general rule, avoid assigning non-zero rates to parent rate classes. There is a new iRules feature that provides support for suspending a running iRule (for example, with the after command). If you are running an indefinite collect operation (that is, the iRule is running a ::collect command with no arguments), and in response to a CLIENT_DATA event the iRule processes the payload to a certain point and then suspends iRule operation, when iRule operation resumes and the iRule issues a ::release command, the operation might release more data than the iRule processed. Specifically, data that arrives when the iRule is suspended does not trigger an additional CLIENT_DATA event. Here is an example of how to ensure that an iRule releases only the data that it has already processed: before running any command that suspends a running iRule, have the iRule save the ::payload length in a variable. When iRule operation resumes, have the iRule issue a ::release $payload_length command. You can find extensive information about iRules on the Dev Central web site, available at http://devcentral.f5.com/. 
If you deprovision a module, the system does not remove the configuration attributes associated with the module. Some configuration data, such as endpoint attribute definitions for the WAN Optimization Module, might interfere with Local Traffic Manager tunnel operations. In this case, when the definitions for endpoint advertised route, endpoint local, and endpoint remote remain in the configuration after deprovisioning WAN Optimization Module, the Local Traffic Manager tunnel resets connections that were established when you had the module provisioned. As a workaround, remove the definitions from the bigip.conf files on both BIG-IP systems.

Version 10.0.0 of the software introduced new ha actions that the upgrade process cannot easily map to a previous version's ha actions for daemon heartbeats. If you changed the ha actions for a daemon heartbeat, the upgrade process returns the action to the default. After the upgrade installation finishes, you can configure the daemon heartbeat ha actions you want. (Use the System > High Availability > Fail-safe screen in the Configuration utility.)

When a user configured for one role is logged on to the browser-based Configuration utility, and you change that user's role to another type, also using the Configuration utility, the system logs off that user. When that user logs back on, the system writes to the catalina.out file error messages such as com.f5.mcp.io.McpIOException: java.io.EOFException: Error while reading message at. These messages are benign, and you can safely ignore them.

CR108965, CR114966

CR109131

CR109230-1 CR109301

CR109381

CR109472

CR109834

CR109917

CR110014

CR110269

CR110761, CR113485

CR110791

CR111495

CR111700

CR112077

The system requires that you run the Setup utility in the browser-based Configuration utility, even if you have already configured the system using the command line. This occurs because there is a hard-coded requirement for the Setup utility to run at least once. You can prevent the Setup utility from running by running the following command: b db setup.run false.

When you create a pool in one partition that includes a node from the Common partition, if the node has no associated screen name, when that node is referenced from a third partition, the system posts the error 01070726:3: A pool may only reference nodes in the same partition or the common partition (xyz_pool:1.1.1.1) and removes the node from the Common partition. The workaround is to add a screen name to the node. To do so, at the command line, issue a command similar to the following example:
b node 1.1.1.1 { screen dontremove }

The help frame crops the right edge of some of the formula definitions on the Performance statistics screen. As a workaround, you can click the Launch button to view the full text.

The version 10.1.0 release contains the new OpenSSH client and server, which addresses the vulnerability Plaintext Recovery Attack Against SSH, reported as CPNI-957037. When an older client connects to the new server, however, a vulnerability exists. If you are still using old SSH clients, you should manually set those clients' cipher lists to include only CTR ciphers. To use only CTR ciphers for the OpenSSH client, the command line must include the following option: -c aes128-ctr,aes192-ctr,aes256-ctr.

When you start or stop the tcpdump utility on a VIPRION system, the system logs messages similar to the following entries in the /var/log/ltm file:
slot1/tmm warning pu[24652]: 01230114:4: port movement detected for 00:01:23:45:67:10, vlan tmm_bp - 0.0 to 0.1
These messages are benign, and you can safely ignore them.
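For the CTR-cipher guidance above, clients that connect through an ssh_config file rather than an explicit -c option can be checked by resolving which Ciphers value applies to the BIG-IP host name. The following is an added example, not F5 or OpenSSH code: host names and the sample configuration are constructed, Match blocks are not evaluated, and a -c option on the command line (which overrides the file) is not modelled.

```python
import fnmatch
import re

# The cipher list given in the release note's -c option.
CTR_ONLY = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}
CLIENT_DEFAULT = "<client default cipher list>"

# Constructed sample ssh_config.
SAMPLE_CONFIG = """\
# management access to the BIG-IP
Host bigip-mgmt.example.net
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr

Host legacy-*.example.net !legacy-lab.example.net
    Ciphers=aes128-cbc,aes256-ctr

Host *
    Ciphers aes128-ctr,3des-cbc
"""

# Keyword and argument are separated by whitespace or by a single '='.
OPTION_RE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")


def host_matches(patterns, hostname):
    """ssh_config Host semantics: any negated match excludes the block,
    otherwise at least one positive pattern must match."""
    positive = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pattern):
            positive = True
    return positive


def effective_ciphers(config_text, hostname):
    """Return the Ciphers list the client would use for hostname, or None
    when the file sets none. The first value obtained wins, as in ssh_config."""
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host_matches(value.split(), hostname)
        elif key == "match":
            active = False  # assumption: Match blocks are skipped, not evaluated
        elif key == "ciphers" and active:
            return [c.strip() for c in value.split(",") if c.strip()]
    return None


def check_client(config_text, hostname):
    """Return (compliant, offending): compliant only when an explicit,
    CTR-only cipher list applies to hostname."""
    ciphers = effective_ciphers(config_text, hostname)
    if ciphers is None:
        return False, [CLIENT_DEFAULT]
    offending = [c for c in ciphers if c not in CTR_ONLY]
    return not offending, offending


if __name__ == "__main__":
    for host in ("bigip-mgmt.example.net", "legacy-lb1.example.net",
                 "legacy-lab.example.net"):
        print(host, check_client(SAMPLE_CONFIG, host))
```

A host that falls through to the client's default list is reported as non-compliant because an old client's defaults are exactly what the release note says to override.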
If you issue the commands b cluster all ha state or b cluster default ha state, the system always returns the result offline. This is because there is no cluster ha state to report. To get the state of a system, you can use the browser-based Configuration utility. The system displays the state at the top of every screen.

Occasionally, when you create an installation repository on a USB thumb drive from the BIG-IP system, the operation fails while copying the repository files to the thumb drive. (The failure might also occur when reading or writing any large file to the thumb drive from the BIG-IP system.) When the failure occurs, the system reboots and writes a log entry similar to the following in the /var/log/ltm file:
Dec 10 11:13:12 local/8900 notice overdog[2401]: 01140108:5: Overdog scheduling exceeded 1/2 timeout of 5 seconds (measured:8060 ms)
The workaround is to create the installation repository on a USB thumb drive using a Linux workstation, as documented in the BIG-IP Systems: Getting Started Guide. In any case, do not perform the operation on a BIG-IP system that is actively in production to prevent the potential failure from affecting live traffic.

On a system with a very large persistence table (millions of entries) running the command b persist show might cause the system to become unstable or fail over. To show an individual record, you can use the command b persist client <client_addr> show.

The Templates and Wizards menu does not change even when templates are not available under the license.

If you use wildcard characters to specify IP addresses in the b httpd allow command, the result is that the system forbids all access to the browser-based Configuration utility. The workaround is to use other forms of specifying IP addresses. For example, b httpd allow 10.10.*.* does not work; instead use a command similar to b httpd allow 10.10.0.0/255.255.0.0.
If you are in a partition other than Common when you reactivate a license, the system automatically changes the partition to the Common partition. There is no workaround for this issue.

Invoking a TCP::collect method from the SERVER_CONNECTED iRule event might cause associated connections to stall and time out when running the tmm.debug daemon. This should not affect typical deployments since the tmm.default daemon behaves as expected in this configuration, and an administrator must explicitly configure the Traffic Management Microkernel (TMM) to use debug mode. Note that you should set TMM to debug mode only when requested to do so by an F5 Technical Support representative. The F5 Networks Technical Support representative will ensure that your system stays stabilized in this mode and will assist you in interpreting the debug output.

Configuring a virtual server for multicast communications inside a route domain does not work. Do not configure a virtual server for multicast communications inside a route domain.

When the license expires, if you are on the License Summary page on a partition other than Common, the system automatically returns you to the Common partition, but does not activate the Reactivate button. The workaround is to select a different partition and then reselect the Common partition. This should reset the Reactivate button to an active state.

Do not use the b software add | delete commands on a partitioned system. Doing so results in access errors on the partitions. For example, if you try to delete an existing partition using the b software delete command, the system posts a failed to delete volumeset error. In this case, run the command b software product none version none build none on the partition. This removes the installation from the partition, and you can install the software again.
If you try to add a partition using the b software add command and see a failed to create volumeset error, run the command b software delete on the partition you tried to create. This removes the failed attempt from the Software Status table, so you can try your installation operation again.

You should not use the SSL::respond method with a CLIENTSSL_CLIENTCERT iRule event. This can result in a handshake failure, because the CLIENTSSL_CLIENTCERT event can fire before the connection is ready for the transmission of user data.

If you add a user, either explicitly or by restoring a user configuration set (UCS) file that contains the user, and that user has different access or role settings, the system reports an error similar to the following:
Nov 6 09:02:08 slot4/p4-019 err mcpd[3533]: 0107082a:3: Disconnecting user yyy2 on change of user role data (partition:Common->PartitionOne).
This is a benign message, and you can safely ignore it.

The system does not honor the Maximum Transmission Unit (MTU) value for VLANs. To get the value to persist, delete the VLAN first, then recreate it with the settings you want. After the configuration is saved, the settings persist. Otherwise, the system uses the default MTU value of 1500.

If you move blades between a chassis running software version 9.6.x and a chassis running 10.x, the 10.x system might report incorrect volume information about the blade that came from the 9.6.x chassis. F5 Networks does not recommend switching blades between chassis running differing versions of the software.

There is an extremely rare chance that, if the high-availability mirroring connection fails and recovers, the result might be a new persistence record and an expired record using the same key to send their respective messages. For example, if a record comes in that would have matched an old one on the active system, it is possible that the old record's expiration action might arrive after the new record's update action. If the key matching the old record expires, the standby system incorrectly deletes the corresponding new record.

CR112120

CR112128 CR112411-2

CR112953

CR113055

CR113134-6

CR113322

CR113601 CR113812

CR113919 CR114167

CR114381 CR114766

CR115139, CR130414

CR115326, CR115328 CR115670

CR115736

CR115774

CR115916

CR116108 CR116929

USB1.1 CD-ROM Drives are not supported on the BIG-IP 8900 platform.

Because the CompactFlash media drive is not a valid installation target, the system should prevent you from selecting it. However, this version of the software allows you to target a CompactFlash drive. If you accidentally installed to the CompactFlash drive, the system posts a failed to install state for the CompactFlash drive. The workaround to return to the original state is to issue the command b software CF1.x product none version none build none and then issue the command bigstart restart lind on the command line.

In this version of the software, you cannot use Global Traffic Manager to monitor or send traffic to any virtual servers that are in a route domain. Therefore, Global Traffic Manager is not supported to run on a Local Traffic Manager system that is using route domains.

If you are using the ZebOS advanced routing modules, it is important to consider the following:
Dynamic routing is supported on interfaces in the default route domain.
The advanced routing modules cannot access interfaces, self IP and virtual addresses, and static routes in non-default route domains. A static route is considered as belonging to a non-default route domain if either the destination or the nexthop gateway address belongs to a route domain other than the default route domain.
All routes learned by way of dynamic routing protocols are inserted into the routing table for the default route domain only.
With respect to advertising routes, virtual addresses, or self IP addresses to other routers, the advanced routing modules advertise only those routes or addresses that are in the default route domain. As previously stated, the advanced routing modules are not aware of routes or addresses in other route domains.

CR117427

CR117428

CR117429 CR117430 CR117431 CR117480

CR115798

CR117359

CR117809

CR118049 CR119247-1

CR120321

CR120550

CR120190-2, CR127965-2

The route domains feature does not support IPv6-formatted IP addresses in this version of the software.

Some command line diagnostic tools, such as curl and traceroute, do not work with route domains.

Custom monitors that are not IPv6 aware (for example, EAV (Extended Application Verification) monitors) do not work with route domains.

There is the possibility of a failed version 9.4.7 installation when installing on a system that also contains version 10.x software. When the failure occurs, the last three lines in the /var/tmp/install/session.log file are:
install.error: An installation error has occurred; code 130
install.debug: Session ended
install.error: Critical failure; no fallback possible.
To work around the issue, you can use the PXE or thumb-drive methods to install the software.

The small form-factor pluggable (SFP) ports on BIG-IP 8900 platforms are 10Gbps-only ports. On a BIG-IP 8900 platform, an SFP plus can operate at 1Gbps speed in an SFP slot, but SFP modules do not operate at 1Gbps speeds in an SFP plus slot. This is a hardware constraint.

Do not use the b sshd include parameter without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include parameter. If you use this parameter incorrectly, you put the functionality of the system at risk.

If you run the grub_default -d command to view the boot configuration information of the grub.conf file, the initial arrow key press moves the menu selector highlight two spaces instead of one. After the initial key press, the arrow keys operate normally when maneuvering (meaning that if you press the arrow keys once, the highlight moves one space in the arrow direction).

Enterprise Manager software versions 1.2, 1.4, 1.6, and 1.7 do not support BIG-IP system software version 10.0.0. There is no workaround for this issue.

When you swap a blade to the same slot in a different VIPRION chassis, the system uses VLAN MAC addresses based on the old chassis. The workaround is to avoid moving a blade to the same slot in another chassis. If necessary, shift blades around in the target chassis so that the incoming blade always goes into a slot that is different from the one it came out of.

After installing, you might see a message similar to the following in the ltm log file.
Apr 23 11:38:16 slot3/p4-019 err clusterd[2707]: 013a0004:3: Error deleting cluster mgmt addr, HAL error 7
This message is benign, and you can safely ignore it.

This version of the software supports systems with multiple drives using the RAID disk management operations. We have not removed the sparedisk utility, which was included in version 10.0.1 to support operations on multi-drive systems. The workaround is to use the RAID features for these types of operations. You should use the sparedisk utility only on version 10.0.1 systems. For related issues, see the known issue for CR120550, CR127003, and CR138582.

Do not use the --nomoveconfig option with the image2disk command (or the db variable LiveInstall.MoveConfig set to disabled) for systems with existing installations of Application Security Manager. Doing so removes all content from the associated database. Instead, you should ensure that the configuration on the installation source matches the one on the installation destination. To do so, save the UCS configuration file on the location you want to preserve, and apply that configuration to the destination before beginning the installation operation. Here are the steps to perform.
1. Boot into the location containing the configuration and database you want to preserve.
2. To save the existing configuration and database, run the command bigpipe config save <your_ucs_file>.
3. Copy the .ucs file to a secure, remote location.
4. Boot into the location you want to update.
5. To move the configuration and database to the target installation location, run the command bigpipe config install <your_ucs_file>.
6. Install or upgrade the software using procedures described in the section Installing the software.

CR120828

When you roll forward a 9.x user configuration set (UCS) file that is configured for Application Security Manager and Global Traffic Manager, provisioning for Global Traffic Manager is not enabled. To enable Global Traffic Manager using the browser-based Configuration utility, in the navigation pane, expand System, and click Resource Provisioning. In the Module Resource Provisioning section, select the provisioning level you want from the Global Traffic (GTM) and Link Controller (LC) drop-down lists.

If you deprovision the WebAccelerator system, Application Security Manager, or Protocol Security Module, the system retains the mysql database volume. Because the database might contain important configuration data for the deprovisioned modules, you must determine whether or not to retain the mysql database volume. For information about locating and removing an unneeded mysql database volume, see the associated Solution in the AskF5 Knowledge Base.

On 6900 and 8900 platforms, the RAID functionality supersedes the sparedisk utility, which was provided in version 10.0.1 to support operations on multi-drive systems. The 8950 and 11050 platforms do not support the sparedisk utility, although the utility is present on those platforms as well. In this version of the software, although you should not use the sparedisk utility for any operation, F5 Networks has not removed the utility. Running various commands (for example, making a disk active using the command sparedisk -m) can result in an unstable disk situation. Instead, you should use the RAID features for all multi-disk operations. You should use the sparedisk utility only on 6900 and 8900 platforms running version 10.0.1.

The 8900 platform comes with a post-10.0.0 version of the software installed on both hard drives. If you decide to downgrade to version 10.0.0, the software installs correctly. However, the version 10.0.0 software management scheme was not designed to work with a second hard drive. If you downgrade to version 10.0.0 on the second hard drive, do not operate on the second hard drive using the b software commands or the Software Management screens in the browser-based Configuration utility.

If there are static Address Resolution Protocol (ARP) entries targeted to the management network in either the existing configuration or in the configuration being installed or used in a ConfigSync operation, the configuration may fail to load. To work around the issue, first delete any static ARP entries targeted at the management network and then complete the configuration load or ConfigSync operation.

Depending on what processes run after restarting the system, you might see the following error message:
warning process `<processname>' is using deprecated sysctl (syscall) net.ipv6.neigh.tmm0.base_reachable_time; Use net.ipv6.neigh.tmm0.base_reachable_time_ms instead
This is a benign message, and you can safely ignore it.

After deprovisioning modules, the system might run sluggishly or respond slowly to commands. The system returns to a normal operational state after approximately 1 minute if you leave the system to recover, or approximately three minutes if you run commands during this time. The slow response time occurs while the system recovers virtual memory after a deprovisioning operation.

The iRule statistics counters inaccurately report an inflated number of iterations of an iRule when an iRule event suspends. There is no workaround for this issue.

On platforms equipped with Packet Velocity application-specific integrated circuit (ASIC) version 10 (PVA10), specifically the BIG-IP 8400 and BIG-IP 8800 platforms, client-requested TCP maximum segment size (MSS) may not be honored if the PVA10 is in hardware syn-cookie mode. This can result in a larger-than-requested MSS being set with the back-end server, causing the server packets to be dropped before reaching the client. This problem occurs because of a problem in the PVA10 hardware. To avoid this problem, disable hardware syn cookies by setting the connection threshold to 0 (zero) by running the following command on the system command line: b db Pva.SynCookies.ConnectionThreshold = 0.

If you run the tcpdump utility from a PB100 blade on a VIPRION chassis containing a mix of PB100 and PB200 blades, the process does not show packets from the PB200 blades. To work around this issue, run the tcpdump operation from the PB200 blade.

Although you should not use the sparedisk utility in this version of the software (see known issue CR120550), the utility remains in the software. If you run the command sparedisk -m, the system marks an active disk as a spare disk without notice or warning. Changing the active disk to a spare can result in an unstable disk situation. The workaround is to use the RAID features for these types of operations. You should use the sparedisk utility only on version 10.0.1 systems.

Every time you run a b load command on 1600, 6900, and 8900 platforms, the system posts a message similar to the following:
local/tmm3 notice tmm3[19557]: 01010029:5: Clock advanced by 112 ticks.
This message is a diagnostic message only, so you can safely ignore this message.

As of version 10.1.0, the system no longer supports user accounts with custom home directories. If you upgrade a configuration containing user accounts with custom home directories, after reboot, the system becomes inoperative because it cannot load the configuration. You can prevent the issue before upgrading by running the following command to change the user's home directory, or you can run the following command after upgrading to recover from the error condition:
tmsh modify auth user <name> home-dir /home/<name>

When you run the image2disk utility from the Management Operating System (MOS) of a system, the process has no active configuration to use for installation, so the operation halts with an error:
error: No configuration found in HD1.1 (location looks empty). Use '--nosaveconfig' if appropriate.
To work around this issue, run the command again, and specify the --nosaveconfig option.

When you use the Weighted Least Connections (Node) load balancing method, you must set a connection limit for each node prior to adding the pool member to the pool. In this release, you must use the following process to accomplish this.
1. Create a pool that uses the Weighted Least Connections (Node) load balancing method.
2. Explicitly create the node entries for the pool members on the Local Traffic > Nodes > Node List (create) screen.
3. For each node, specify a value other than 0 (zero) in the Connection Limit box.
4. Return to the pool configuration screen by clicking its link in the Local Traffic > Pools > Pool List.
5. Select the Members tab and add the pool members to the pool, using the same IP addresses as the nodes that you configured in the earlier step.
If you fail to specify the connection limit for the node prior to adding the pool members, the system presents a configuration validation error.

CR120943

CR120550, CR127003, and CR138582

CR121134

CR122160

CR119132, CR125534, ID 222400 CR125790

CR125800 CR126842-1

CR126976

CR127003

CR127123

CR127332

CR127435

CR127754

CR127803

When you view the Software Management List screen or the result of the b software desired show command, you might see the CF designation that represents the CompactFlash drive listed as a possible installation destination. 10.x installation is not supported on the CompactFlash drive, so do not select it as an installation target. This happens only on systems with drives using the partitioning formatting scheme.

When a drive is replicating or being added or removed in the Management Operating System (MOS), the md operation outputs all its status to the terminal, which can make it difficult to perform recovery operations, such as removing or adding a drive. The workaround is to wait for the replication operation to complete before performing recovery operations.

When you specify any method other than Round Robin for load balancing traffic from virtual servers configured with RADIUS, Diameter, or SIP profiles, you can see unexpected results, such as the system sending most of the traffic to only one pool member. To work around this issue, use the Round Robin load balancing method with virtual servers configured with RADIUS, Diameter, or SIP profiles.

Provisioning statistics shows the size on only one physical disk. To find the size of your datastor on a multi-disk system, review the output of running the command b datastor list all. As a general rule, if you have two disks installed, the cache is always double the size indicated in the provisioning statistics.

If you perform an operation that requires loading the configuration on a volume that has insufficient disk space to contain it, the operation fails at the module-provisioning step. Depending on the modules you provision and the space available, the failure might occur when rolling forward a configuration at installation, running bigpipe config install <config.ucs>, or provisioning modules in a command line operation. When the provisioning failure occurs, the system logs a message in the /var/log/ltm file:
01071008:3: Provisioning failed with error 1 - 'Disk limit exceeded. <nnn> MB are required to provision these modules, but only <nnn> MB are available.'
To recover, free up sufficient disk space by removing unneeded volumes using the command: bigpipe software desired HDn.n delete, and then try the operation again.

We have changed from using a Linux 2.4 kernel to a Linux 2.6 kernel. This has resulted in a difference in how Linux accounting reports CPU usage. Linux accounting shows CPU spikes even when the Traffic Management Microkernel (TMM) is lightly loaded. These spikes represent artifacts, and you can safely ignore them.

The output of the b platform command incorrectly refers to the 3600 and 3900 platforms as a blade. Specifically, the output reads BLADE TEMPERATURE (slot/sensor) instead of CHASSIS TEMPERATURE. The error is cosmetic only.

When the Configuration Utility restarts, the system writes the following messages to catalina.out:
log4j:ERROR A "org.apache.log4j.ConsoleAppender" object is not assignable to a "org.apache.log4j.Appender" variable.
log4j:ERROR The class "org.apache.log4j.Appender" was loaded by
log4j:ERROR [org.apache.catalina.loader.StandardClassLoader@1359c1b] whereas object of type
log4j:ERROR "org.apache.log4j.ConsoleAppender" was loaded by [WebappClassLoader
These messages are benign, and you can safely ignore them.

When you change the idle timeout in System :: Preferences, the system must restart the httpd process. This results in a set of error messages similar to the following example:
err httpd[6246]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0
err httpd[6320]: [error] (9)Bad file descriptor: apr_socket_accept: (client socket)
warning httpd[3064]: [warn] RSA server certificate CommonName (CN) `dhcp-137' does NOT match server name!?
warning fcgi-[6376]: [warn] FastCGI: server "/usr/local/www/mcpq /mcpq" started (pid 6377)
err httpd[6379]: [error] [client 127.0.0.1] Invalid method in request OPTIONS * HTTP/1.0
warning httpd[3064]: [warn] long lost child came home! (pid 6239)
These messages occur primarily as a result of the process restart, and you can safely ignore them.

Enabling the TCP option for MD5 signatures does not cause TCP connections without MD5 signatures to be rejected or ignored. Enabling MD5 signatures allows the MD5 signature to be validated when it is present.

At system startup, you might see messages similar to the following:
mdadm: Unrecognised md component device - /dev/mapper/vg--db--sda-mdm.app.wom.dat.datastor
mdadm: Unrecognised md component device /dev/mapper/vg--db--sdb-mdm.app.wom.dat.datastor
This occurs because datastor volumes are not intended to be combined into a redundant array. The disk management subsystem unintentionally tries to join them into an array, but fails. No adverse result occurs, and you can safely ignore these messages.

When you enable Display Host Names when Possible in System :: Preferences, and then display objects whose addresses exist in a route domain other than 0, the address might display with the % notation on some screens in the browser-based Configuration utility. There is no workaround for this issue.

There is no edit capability for the NTLM profile in the tmsh utility. There is no workaround for this issue.

You cannot simply change the speed of an existing interface in a trunk; you must either delete all the interfaces and add them back at the new speed, or delete the trunk and recreate it.

In the ltm.log file, you might see mcpd warning messages similar to the following:
warning mcpd[3002]: 01070156:4: Could not remove file /config/bigip/auth/pam.d/tmm_ldap. Please remove this file manually.
When you navigate to the specified directory, you do not find the files. These messages are incorrect, and you can safely ignore them.

When the following series of events happens, the client system can perceive the BIG-IP system as unresponsive, and eventually the connection times out as a result of reaching the TCP timeout interval. This is the series of events.
client1 sends a Capabilities-Exchange-Request (CER) command.
server1 responds with a Capabilities-Exchange-Answer (CEA) command.
client1 sends an Accounting-Request (ACR) command.
The BIG-IP system sends the connection to server2 (that is, the BIG-IP system sends a CER to server2 first, before it sends an ACR).
server2, however, responds with CEA result-code 5010 (that is, there are no common applications supported between the peers), so the BIG-IP system deletes the connection with server2.
client1 continues to wait for a response to its ACR. The BIG-IP system has no response for client1, however.
Eventually, client1 connection may be closed because the connection reaches the TCP timeout.

CR127971

CR128272

CR128600

CR128875

CR129216

CR129458

CR129674

CR129698

CR129710 CR129711

CR129786

CR129836 CR130427 CR130468

CR130582

CR130639

CR130662

CR130702

CR130720

CR130798

CR130844

CR130846

CR130902

CR131108, CR132835

CR131168

CR131188

CR131256 CR131317 CR131332

CR131343

CR131470

CR131475

RAMCACHE, IPV6, and SSL Compression were added by default to the base Local Traffic Manager license in the version 10.0.0 software release. The feature flags are enabled and the system reports them when you run the b version command. However, on the 1500, 3400, and 6400 platforms, the system displays these features in the Optional Modules section of the License screen in the browser-based Configuration utility.

In a multi-drive system, if a drive fails or is suddenly removed from the unit, the system retains knowledge of the drive so you might see messages like:
info: /dev/vg-db-sdb/mdm.dat.share: read failed after 0 of 4096 at 0: Input/output error
err kernel: scsi 1:0:0:0: rejecting I/O to dead device.
These occur on the screen if you are connected using a serial console, or in the kernel log file if you are connected through SSH. To completely eliminate these messages, you can reboot to clear the system's knowledge of the removed drive.

When you have versions 10.0.x and 10.1.x simultaneously installed on a multi-drive system, booting from a 10.1.x to a 10.0.x location sometimes fails. This is due to a constraint in logical volume management (LVM) for the version 10.0.x software. To prevent this issue, reduce the number of installation locations before rebooting to versions earlier than 10.1.0. You should have only two HDn.n installation locations or one MDn.n installation location in addition to the pre-10.1.0 installation location. To remove installation locations, run the command bigpipe software desired HD1.n delete.

There is a duplicate MODULE-COMPLIANCE section in the F5-BIGIP-COMMON-MIB.txt file. You can correct this error by editing the file to remove the duplicate entry. This might be difficult, since the /usr file system is read only, making it difficult to edit /usr/share files. However, you can still edit the file by changing the fstab file and rebooting the system.
On a multi-drive system, if the LED is flashing when you remove a drive from the unit, the LED status does not turn green (as it should) when disk replication begins. If the LED is not flashing, the LED turns green immediately in the transition to replicating a drive. This is a cosmetic issue only, and has no effect on functionality.

When you create a new profile or edit an existing profile using the all-properties option of the tmsh utility, unless you remove some options, all properties become custom; that is, profile properties no longer inherit parent settings. The workaround is to use the tmsh utility create and modify commands. When you do so, the system preserves the profile's properties inheritance.

If you have WAN Optimization Module provisioned on multi-drive systems, and you use the command array --remove or tmsh modify sys raid array MD1 remove to remove a drive, the system removes all but the datastor volume on the removed drive. If you then try to add the drive back, the operation fails. To work around this issue, deprovision the WAN Optimization Module, and then run the command array --add or tmsh modify sys raid array MD1 add to add the drive back. Then you can provision WAN Optimization Module back to its original setting.

If you are in the tmsh utility, you can run the bigpipe utility to view dynamic Address Resolution Protocol (ARP) entries for a different route domain. To do so, run the command run util bigpipe arp <args...> at the tmsh command line.

The serial console baud rate of systems with Always-On Management (AOM) (1600, 3600, 3900, 6900, and 8900 platforms) can be corrupted if you install using a serial console baud rate other than 19200. When the corruption occurs, you see garbage characters on the serial console. To prevent this issue, change the baud rate to 19200 before installing. When the reboot after installation is complete, you can set a different baud rate.
In this release, when you use the LCD to change from a higher baud rate down to 19200, the host serial console can become garbled, while Always-On Management (AOM) displays correctly. To recover, reboot the system. Note that you can successfully change baud rates for the host from low to high using the LCD, and output is not garbled.

When you complete a new installation, the Firefox browser may not recognize the SSL certificate. When this occurs, the browser-based Configuration utility posts the message Please wait while this BIG-IP device reboots, shutting down device. This spins forever and never returns. This behavior is Firefox-browser specific, so when the certificate is no longer viewed as valid, the Firefox browser ignores subsequent HTTP requests. The issue happens only when doing a fresh install. A configuration you roll forward includes the device certificates, so this is not an issue. The Microsoft Internet Explorer browser posts an accept-certificate dialog box when you restart the system.

The text-display mode for the switchboot utility supports a maximum of six volume locations. To boot to a location higher than volume six, you can use the switchboot -b option on the command line.

If you encounter an installation operation that fails with a final error failed to install because of a process lock, retry the operation.

When you import a single configuration file (SCF file) that contains VLANs of the same name but in different administrative partitions, the operation fails with a BIGpipe unknown operation error. To work around this issue, before installing an SCF file, run the b import default command. This returns the system to the default configuration, so subsequent configuration import operations should succeed as expected.

The version of the image2disk utility that shipped with version 9.4.5 does not support the --format option. You can install a new version of the image2disk utility from a version 10.x ISO.
First, to uninstall the version of the utility that shipped with 9.4.5, run the command rpm -e tm_install-2-1.0.96.0. The command removes the utility, but posts no message at completion. Then, to install a new version of the utility, run the command im /var/tmp/<iso_file>. For more information, see SOL10702: The image2disk utility that shipped with BIG-IP version 9.4.5 does not support the --format option.

Enabling TCP MD5 authentication of TCP connections for BGP on VIPRION systems might result in extended time required for BGP sessions to be established. It may also cause BGP failure of the graceful restart after changing the primary location due to the timeout condition causing temporary loss of BGP peering and deletion of routes learned and advertised through BGP, and resulting in temporary traffic disruption. We do not recommend using TCP MD5 authentication for BGP on the VIPRION system.

If you create VLANs in an administrative partition other than Common, but do not create a route domain in that partition, then the VLANs you create in that partition are automatically assigned to route domain 0. If you later change the default route domain of that partition, the VLAN stays in its existing route domain, unless the VLAN has a self IP address or virtual IP address assigned to it. In that case, the VLAN moves to the new default route domain.


ID NUMBER CR131544

DESCRIPTION

If you restart the mcpd process and try to create a FIPS key, the operation occasionally fails with the message Key generation failed: error 11 - Would overwrite file. To work around this, restart mcpd and try the operation again.

On a system using Packet Velocity application-specific integrated circuit (ASIC) version 2 (PVA2) and version 10 (PVA10), specifically the 3400, 6400, 6800, 8400, and 8800 platforms, if you configure an inband monitor on a virtual server configured for Fast L4 traffic, the Traffic Management Microkernel (TMM) never receives the traffic necessary to mark pool members up or down. You can work around this issue by setting Fast L4 Profile option PVA Acceleration to Assisted on these platforms.

If you have 10.1.x installed on a 8400 or 8800 platform and plan to downgrade to 9.4.x, you must net-boot, or boot from removable media. Using the direct installation method results in a failed operation, and the system hangs at logon time.

Using an iRule command that suspends operation (for example, after, table, and persist), in a NAME_RESOLVED event causes the iRule to never resume. The workaround is to use the RESOLV::lookup command that suspends operation until resolution, and then returns the lookup result inline.

You might see an intermittent blank top banner in the browser-based configuration utility after an upgrade or installation operation. This might be especially likely when you use Microsoft Internet Explorer version 7 on a VIPRION system, and you leave the browser window open between the end of installation and the completion of the reboot operation. In this case, when you log on, the top banner is blank. You can use the browser refresh operation (F5 or Ctrl + F5) to redisplay the banner correctly.

The software does not support running small form-factor pluggable (SFP)+ on SFP ports on VIPRION systems that contain PB100 blades, even if the ports are running at 1 GB.
Although the system does not prevent you from doing so, and you might find such a configuration functional, we do not support nor recommend running in this configuration.

When you run the command b software desired to install the software, and you look at the output of bigpipe software status on the command line or at the progress bar in the Configuration utility, you might notice that progress suspends for approximately three minutes when the operation reaches 10% complete, and again for approximately 1 minute at 100%. These are part of the normal operation of the installation process, and you can safely ignore the suspended activity.

If you use the nano command-line editor to edit a multi-line alias command, the operation fails unless you have enabled long line wrap in the nano editor. If the alias is only one line long, the operation works successfully. To enable long line wrap in nano press Esc + l (the lowercase letter "L," not the number "one.") For more help, see the help for the nano editor. You can also use the vi editor to modify multi-line alias commands.

Do not issue the command modify cli admin-partitions while the system is completing a batch mode transaction. If you do, you might encounter a problem that you can remedy by pressing Ctrl + C. Otherwise, the operation eventually times out. You can review content returned when running the command help cli transaction for information about how to remove the admin-partitions command from the transaction.

A b load operation fails when pool members are configured with port numbers 63, 66, 172, 211, 564, and 629. The workaround is to use numbers other than these for pool member port configuration. You can also disable the bigpipe utility from converting service names by running the command bigpipe db bigpipe.displayservicenames false.

If you set the import save value to 1 and import a single configuration file (SCF), the import operation halts and does not resume.
To work around this issue, set the import save value to 2 or more.

When you change assignments of iRules to a virtual server, if the iRule has any commands that might suspend operation (for example, after, table, and persist), those pending commands might evoke a system restart when the newly assigned iRule goes into effect.

On the 1500, 3400, 3410, 4100, 6400, 6800, 8400, and 8800 platforms, you cannot establish an outgoing connection from the SCCP using SCCP version 12.0.8.4.0, the version of the SCCP that ships with the 10.1.0 software. To work around this issue, use SCCP version 12.0.6.5.0, the version that ships with version 9.4.8 software.

If you modify your password and shell access at the same time, the system does not register the password change. To work around this issue, modify the password and the shell access separately.

When you use the domaintool utility to delete a domain when you are configuring Kerberos delegation, if that domain serves as the default, the system removes the domain but leaves it as the designated default. To work around this issue, change the default to a different domain before the delete operation.

Certain packet-size related events can result in messages similar to the following:
crit tmm4[5689]: 01010025:2: Device error: hsb internal error PIM_RX_PORT_0_ERRS address 0x0000103c status 0x004e0100
These messages are benign, and you can safely ignore them.

The system does not include the .tmshrc file in a ConfigSync operation. That means that each unit in a redundant system configuration has a different set of remote users. You can manually sync the two files by using a utility to copy the file from one system to another.

This version of the software does not support monitoring of Microsoft SQL Server 2000 servers.

You can create an external monitor that references an executable in the /usr/share/monitors directory.
On a VIPRION system, when the system attempts to validate the monitor on a secondary blade (for example, when the primary blade loads a secondary blade), the system posts an error message similar to the following:
emerg mcpd[2822]: 0107094e:0: File cache: fatal error (can't create backup file for (/usr/bin/monitors/builtins /SYSLOG_monitor), Read-only file system) (FileCache.cpp:1523)
For the monitor to function properly and to prevent this error on VIPRION systems, copy any executable used by an external monitor to the /config/monitors directory.

If you have previously run the image2disk utility to install the software, when you run the image2disk utility a subsequent time without specifying a --format style, the system posts the message: Terminal error: SVM (Software Volume Management) is available, and this is not a format request. Please use SVM. This occurs because the 10.0.1 and later software management scheme provides a more substantive set of installation methods: the Software Management screens in the browser-based Configuration utility, the command line use of tmsh install and b software commands, and support for automated and enterprise-level installation and upgrade management operations through Enterprise Manager and the F5 Management Pack using the iControl API. You should use the image2disk utility only for initial installation operations and for subsequent installation operations that also include formatting.

Floating route domain self IP addresses do not respond to ping utility commands from the Linux host. If you need to access floating IP addresses using the ping utility, use an external source.

CR131555

CR131632

CR131760

CR131880

CR131999

CR132270

CR132382

CR132465

CR132482

R132580 CR132598

CR132691

CR132782 CR132909

CR132974

CR132979

CR132985 CR133035

CR133179

CR133844, ID 224073


ID NUMBER CR133981, CR135997

DESCRIPTION

Currently shipping Federal Information Processing Standards (FIPS) hardware does not support 4096-bit keys. If you try to create a 4096-bit FIPS key, the system posts an error similar to the following: gencert generating 4096 bit FIPS key: error 18 - ERR_KEY_HANDLE_INVALID. This error indicates that the FIPS card cannot handle 4096 bit, in this context. If you try to use the converted key, the system restarts tmm and statsd services, posting emerg logger: Re-starting <service> messages and creating core files.

The online help for SSL certificates lists an incorrect command for retrieving not-valid-before certificates. The correct command is openssl x509 -noout -text -in /config/httpd/conf/ssl.crt/server.crt.

There is a pause negotiation mismatch in a trunk containing a mix of fiber and copper. To work around this issue, do not mix fiber and copper in the same trunk.

The system does not prevent you from deleting a self IP address that an EtherIP tunnel uses, or from creating an EtherIP tunnel using a nonexistent IP address. Doing so, however, results in an inoperable tunnel. To ensure that an EtherIP tunnel operates as expected, do not delete any of the self IP addresses that are associated with VLAN "wan" and specified in the EtherIP tunnel object.

The system does not support state mirroring with overlapping IP addresses. If you configure connection mirroring using route domain-compatible state mirror IP addresses, the system does not mirror the connections.

When you are connected using the serial console to a multi-drive platform, you might see messages similar to the following: warning kernel: RAID1 conf printout and warning kernel: disk 0, wo:0, o:1, dev:dm-14. The messages are also logged in the /var/log/kern.log file. These messages appear during the time a drive is rebuilding, and you can safely ignore them. Note that the messages appear only when you are directly connected by serial console. They do not appear when you are logged in using SSH.
When you specify a custom ConfigSync user (that is, an account other than admin), if you have specified a maximum number of password failures, the ConfigSync account is subject to the password lockout after the specified number of failures. To work around this issue, use the admin account as the ConfigSync user, or reset the non-standard account that is locked out.

The bcm56xxd service's small form-factor pluggable (SFP) plug check mechanism looks for module-detect signal changes every five seconds, and can miss a pluggable media type swap (that is, a swap from fiber SFP to copper SFP or SFP+) since the check does not look at pluggable media type changes. This can result in link failures, due to internal media settings that are still associated with a previously populated pluggable module. In addition, the Inter-Integrated Circuit (I2C) SFP plug check currently does not update the media option list after detecting module status changes and prior to publishing the information. Media options are otherwise updated/published on link-UP events.

After deleting an object, if you change partitions or refresh the screen, the system presents an error message similar to the following: General database error retrieving information. This occurs because the system is trying to display the properties screen for the now-deleted object. To work around this issue, refrain from changing partitions or refreshing the browser until the system correctly registers the delete operation, by navigating to a different location or re-selecting the same location from the navigation menu.

When using two Open Shortest Path First (OSPF) router processes with ZebOS, changes on one routing process delete routes that still exist on the other. There is no workaround for this issue.

VLAN groups are partitionable objects, so that a VLAN group created in one partition cannot be modified in another partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect.
However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so results in issues for VLAN groups, so you should not attempt such a configuration.

When you use the Wireshark program to view a packet from an EtherIP tunnel, the Wireshark program displays the EtherIP version as 0 rather than 3, as it should. This occurs because Wireshark evaluates the version based on the bottom four bits rather than the top. The Linux EtherIP implementation follows the same format used by coding developer David Kushi, which is correct according to RFC 3378 - EtherIP: Tunneling Ethernet Frames in IP Datagrams.

Installing or upgrading a system that has a full disk can fail. A disk might be full for several reasons, for example:
- WAN Optimization Module is provisioned as Nominal, which does not allow the system to allocate enough space for the new Maintenance Operating System (MOS) or installation location
- There are too many installation locations configured
- Application Security Manager or WebAccelerator System is provisioned for multiple installation locations
- You are installing/upgrading to version 10.1.0 or later on a version 10.0.x or 9.x partition, which is too small to hold the version 10.1.0 or later image
- You are upgrading a 6900 or 6800 platform
There are several workarounds, depending on the cause of the disk-full condition. One option is to back up your existing configuration and perform a clean installation, another is to remove unneeded boot locations, another is to deprovision WAN Optimization Module and then save and reboot before upgrading, and there are others. For more information, see SOL10636: Upgrading to BIG-IP version 10.1.0 fails with a 'Disk full' error message.

Although syslog remote server now supports IPv6 addresses, it does not support IPv6-resolvable hostnames. To use syslog on a remote server, you must use the IPv6 address, and not the hostname that resolves to the IPv6 address.
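The EtherIP version mismatch described above can be reproduced by decoding the 16-bit header both ways. The following Python sketch is an added example, not F5 or Wireshark code; the sample packets are constructed, and the strict reject-on-mismatch policy is an assumption of this example.

```python
"""Decode the 16-bit EtherIP header (RFC 3378) and show the nibble-order misread."""
import struct

ETHERIP_VERSION = 3      # RFC 3378: the version occupies the top four bits
ETHERIP_HDR_LEN = 2      # 4-bit version followed by 12 reserved bits
ETHERNET_HDR_LEN = 14    # destination MAC, source MAC, EtherType


class EtherIPError(ValueError):
    """Raised when a payload is not a well-formed EtherIP version 3 packet."""


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_etherip(payload):
    """Parse the payload of an IP protocol 97 datagram.

    Returns the version read from the top nibble, the value a decoder
    reading the bottom nibble of the first octet would report, and the
    addressing of the encapsulated Ethernet frame.
    """
    if len(payload) < ETHERIP_HDR_LEN + ETHERNET_HDR_LEN:
        raise EtherIPError("payload too short for EtherIP + Ethernet headers")

    (header,) = struct.unpack("!H", payload[:ETHERIP_HDR_LEN])
    version = header >> 12               # most significant four bits
    reserved = header & 0x0FFF           # remaining twelve bits
    low_nibble = (header >> 8) & 0x0F    # bottom four bits of the first octet

    # Assumed policy for this example: reject anything that is not a
    # clean version 3 header instead of guessing at the sender's intent.
    if version != ETHERIP_VERSION:
        raise EtherIPError(
            "version %d in top nibble (bottom nibble reads %d)"
            % (version, low_nibble))
    if reserved != 0:
        raise EtherIPError("reserved bits are not zero: 0x%03x" % reserved)

    frame = payload[ETHERIP_HDR_LEN:]
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETHERNET_HDR_LEN])
    return {
        "version": version,
        "low_nibble_reading": low_nibble,
        "dst": _mac(dst),
        "src": _mac(src),
        "ethertype": ethertype,
        "frame_len": len(frame),
    }


# Constructed sample: a broadcast ARP-sized Ethernet frame (payload zeroed).
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(46)
RFC_PACKET = b"\x30\x00" + SAMPLE_FRAME       # version 3 in the top nibble
SWAPPED_PACKET = b"\x03\x00" + SAMPLE_FRAME   # version 3 in the bottom nibble

if __name__ == "__main__":
    info = parse_etherip(RFC_PACKET)
    print("top-nibble version:", info["version"])
    print("bottom-nibble reading:", info["low_nibble_reading"])
    try:
        parse_etherip(SWAPPED_PACKET)
    except EtherIPError as exc:
        print("swapped-nibble packet rejected:", exc)
```

A header of 0x3000 decodes as version 3 from the top nibble and as 0 from the bottom nibble, which is the display difference the release note describes.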
Pagination does not work properly in the browser-based Configuration utility when using the Status filter. The workaround is to look through all pages when using that filter in order to determine the number of objects with the selected status.

Occasionally during system startup, you might see an error message similar to the following: err : Could not make connection with MCP, err 16908360. The error is benign, and you can safely ignore it.

Occasionally during system startup, you might see multiple instances of error message similar to one of the following:
err mcpd[3980]: 01070994:3: tmstat_request: tmstat_subscribe failed: No such file or directory.
err mcpd[3682]: 01070994:3: tmstat_request: tmstat_subscribe failed: Unknown error 4126537205.
After the system fully initializes, the message disappears and the system runs as expected, so you can safely ignore

CR134115 CR134321 CR134694

CR135422

CR135745

CR135992

CR136646

CR136763

CR136848 CR137220

CR137290

CR137376, CR138046, ID 342197

CR137447-1

CR137680

CR137868 CR137877, CR139101


ID NUMBER CR138146

DESCRIPTION

this message.

You might encounter an issue in which the NTP servers do not sync after a system reboot. You can recognize this by running the command ntpq -p to determine whether some of the NTP servers continue to have a refid of .INIT. You might find the issue more pronounced on the VIPRION platform because every blade is an NTP peer of every other blade. (Note that a refid of .INIT is normal for any system with no defined NTP server. F5 strongly recommends defining an NTP server.) This appears to occur only on networks accessible through VLANs, and does not occur with NTP servers serviced by the management port. The issue can be particularly problematic for IPv6 addresses because the system caches the unreachable destination information. To work around the issue, when tmm is up and servicing traffic, run the command bigstart restart ntpd to restart the ntpd process.

If you halt an in-progress installation operation (for example, by pressing Ctrl + C in response to the manufacturing installation menu that appears when booting from a DVD, thumb drive, or Pre-boot Execution Environment (PXE) server) the system leaves a boot partition mounted, which causes all subsequent installation-related operations to fail. When this occurs, the system posts errors and messages similar to the following:
info: Initializing partition table on disk: hda1
error: sfdisk failed; bc_ratio=504, total_KiB=8257032, total_cyl=16383
Can't save log permanently; no boot volume available.
Log saved to /tmp/install.log
To work around this issue, you can unmount the boot partition. To do so, run the following command, substituting the disk name listed in your error messages for /hda1: umount /dev/hda1. You can now proceed with other command-line installation tasks such as diskinit and image2disk operations.
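The ntpq -p check described in the NTP issue above can be scripted so that it separates defined NTP servers stuck at .INIT from other associations that show .INIT. This Python sketch is an added example, not F5 code; the sample output and all addresses are constructed, and the configured_servers parameter is an assumption of this example (the list of NTP servers you defined).

```python
"""Flag defined NTP servers that remain at refid .INIT in `ntpq -p` output."""

FIELDS = ("remote", "refid", "st", "t", "when", "poll",
          "reach", "delay", "offset", "jitter")
TALLY_CODES = " x.-+#*o"   # first column of each association line


def parse_ntpq_peers(text):
    """Return one dict per association line of unmodified `ntpq -p` output."""
    peers = []
    for line in text.splitlines():
        stripped = line.strip()
        # Skip blanks, the column header, and the ==== separator.
        if not stripped or stripped.startswith("remote") or set(stripped) == {"="}:
            continue
        if line[0] in TALLY_CODES:
            tally, cols = line[0], line[1:].split()
        else:
            tally, cols = " ", line.split()
        if len(cols) != len(FIELDS):
            continue                      # not an association line
        peer = dict(zip(FIELDS, cols))
        peer["tally"] = tally
        peer["reach"] = int(peer["reach"], 8)   # reach is printed in octal
        peers.append(peer)
    return peers


def check_ntp(text, configured_servers):
    """Classify associations after a reboot.

    stuck_servers:    defined servers whose refid is still .INIT
    other_init_peers: other associations at .INIT (for example blade peers)
    selected:         the association ntpd currently syncs to ('*'), or None
    """
    configured = set(configured_servers)
    stuck, other, selected = [], [], None
    for peer in parse_ntpq_peers(text):
        if peer["tally"] == "*":
            selected = peer["remote"]
        if peer["refid"].upper().startswith(".INIT"):
            if peer["remote"] in configured:
                stuck.append(peer["remote"])
            else:
                other.append(peer["remote"])
    return {"stuck_servers": stuck,
            "other_init_peers": other,
            "selected": selected}


# Constructed sample output; the addresses are documentation ranges.
SAMPLE_NTPQ = """
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      203.0.113.1      2 u   41   64  377    0.512    0.120   0.044
 192.0.2.11      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 198.51.100.2    .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

if __name__ == "__main__":
    result = check_ntp(SAMPLE_NTPQ, ["192.0.2.10", "192.0.2.11"])
    for server in result["stuck_servers"]:
        print("defined NTP server still at .INIT:", server)
    print("currently selected source:", result["selected"])
```

A non-empty stuck_servers list is the condition for which the release note gives the bigstart restart ntpd workaround.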
On the 11050 platform, if the system halts unexpectedly, or when you shut down the system using Always-On Management (AOM) menu option 3 (or other AOM shutdown options), the LCD does not reset. It simply freezes and shows whatever was on the LCD when the system went down. On other platforms, the LCD changes to show that the system is powered off or shutting down.

HTTP Class profiles are prioritized alphabetically rather than in the order given. There is no workaround for this issue.

On a system that is actively learning dynamic routes, if you run a b import default command, tmm asserts, and writes to the log file error messages similar to the following: 0x0050da4c in tmm_panic, 0x0050da81 in tmm_assert, 0x006fcdf3 in route_delete, and others. To work around this issue, do not run the b import default command while a system is actively learning dynamic routes.

A Diameter origin-host attribute with 50 or more characters causes BIG-IP systems to fail on DeviceWatchdog-Request (DWR). The workaround is to use origin-host attributes of fewer than 50 characters.

On first boot after initial installation on VIPRION systems, occasionally the system needs to reboot. In these cases, during the shutdown preceding reboot, you may see warnings from bigstart about getdb failing. In this context, these messages are harmless and may be ignored.

The installer allows you to install version 9.x software onto 8950 (D107) or 11050 (E102) platforms; however, version 9.x software does not support the 8950 or 11050 platform. Installing 9.x software onto 8950 or 11050 platforms might result in a nonfunctional system, so do not install version 9.x software onto 8950 or 11050 platforms.

Do not use the image2disk utility command --noarray option in conjunction with the --format=partitions option. Doing so can result in a nonfunctional system. Any command containing the --noarray option should always include the --format=volumes option.
This essentially removes RAID and replaces it with a single disk that uses logical volume management (LVM).

If you use the bigpipe or tmsh utilities to set the import save limit to 1 (one) (by using the tmsh command modify cli global-settings import-save 1 or the bigpipe command cli import save 1), the system appears to hang when you import a single configuration file (SCF). To work around this issue, set the import limit to a value greater than 1. The default value is 2.

When a server is one hop away in a route domain configuration, after a bigstart restart operation, the BIG-IP system fails to communicate with that server. To enable communication, the system must first resolve the IP address for the gateway, so you can work around this issue by monitoring the gateway IP address.

On a partitioned system, if a 9.x installation operation fails or halts for any reason, including being canceled by the customer, subsequent installation operations fail and post the following messages to the liveinstall.log file:
info: /dev/sda5 is mounted; will not make a filesystem here!
error: VolumeSet_rebuild_fs(sda, 1) failed
Terminal error: Failed to install. See log file.
To work around this issue, always reboot the system after a failed installation operation, and then try the operation again. Note that this occurs only with halted version 9.x installation operations. Halted version 10.x installation operations do not exhibit the issue.

When you run the command tmsh list ltm pool <pool_name> all-properties, the system does not display the status property for the pool member, unless you have forced the pool member down, in which case the system shows a status of down. To work around this issue, run the command tmsh show ltm pool <pool_name> detail.

You should not use the tmsh utility commands session monitor-enabled | disabled or the equivalent bigpipe utility commands session mon enabled | disabled; however, the system does not prevent you from doing so.
This type of status should be controlled by the monitor option Receive Disable String. Running these commands overrides the actual state of the pool member or node, so that the system reports a disabled state regardless of whether the monitor sets the pool member or node into the disabled state. The state remains disabled until you run the b load command, which returns you to the correct state. If you meant to enable or disable the pool members or nodes, you can use the tmsh utility commands session enabled | disabled or the bigpipe utility commands session user enabled | disabled.

On the 1500 and 3400 platforms with 1 GB of memory, you cannot simultaneously format and upgrade to version 10.2.x. If you run the image2disk command with the --format=volumes or --format=partitions option on a 1 GB 1500 and 3400 platform formatted for partitions, the installation operation halts with the following message: Terminal error: System memory of 1 GiB is insufficient for 'format=volumes' with this product image; 1.5 GiB is required. This occurs because the system must move into memory all of the product sources so that the disk can be reformatted. This occurs only when formatting and upgrading to version 10.2.0 simultaneously. The workaround is to use a thumb drive or DVD USB drive as the installation source, or to use a PXE installation method. For more information, see SOL11396: Error message: Terminal error: System memory of 1 GiB is insufficient for 'format=volumes' with this product image; 1.5 GiB is required. Note that in all cases, when upgrading from 9.x, you must first run the im command against the 10.x.iso file to extract the 10.x installation utility. You can find specific instructions in Upgrading from earlier versions.

The online help for pool member ratio states that the supported range is from 1 to 65535. The actual supported range is from 1 to 100.

CR138343

CR138348

CR138432 CR138442

CR138558 CR138780

CR139347

CR131945, CR139352

CR139534

CR139563

CR139588

CR139591

CR139668

CR139754

CR139782


ID NUMBER CR139786

DESCRIPTION

If you use special characters in a pool name, the system posts an error message stating that only the following characters are allowed .*/-:_?=@,&. In fact, pool names only accept period (.), underscore (_), and hyphen (-).

This release does not support using a command that suspends iRule processing (session, persist add/lookup/delete, table, after) in the AUTH_RESULT event in an iRule. There is no workaround for this issue.

When you apply a version 10.x hotfix, the base software ISO image must be present in the /shared/images directory, along with the hotfix image. If there is no base software ISO image, no hotfix update operation begins, and the system presents a message similar to the following: waiting for image (BIG-IP 10.0.1 402.16). This message is misleading. The system is actually waiting for the base image. For example, for version 10.0.1, the base image is BIGIP-10.0.1.283.0.iso. To work around this issue, copy the base ISO image BIGIP-10.x.x.xxx.x.iso file to the /shared/images directory, and try the hotfix update again.

On a back-end server that has a passive monitor assigned to it along with an active pool member or an active node monitor, when a monitor other than the passive monitor marks a pool member down, the system writes out a core file and posts the following message: notice panic: ../base/pool.c:3453: Assertion "Pool member is passive downed" failed. The workaround is to remove the passive monitor from the pool member.

A BIG-IP system has limits to the number of objects that may be configured when the configuration contains virtual servers for which Packet Velocity ASIC (PVA) acceleration is required. If more than the specified maximum number of objects is configured, virtual servers that otherwise qualify for PVA acceleration are demoted to wire mode (no PVA acceleration). For more information about the maximum number of objects allowed for the PVA, refer to SOL11038: Configuration sizing and PVA acceleration.
Although the system allows you to create a node whose name contains a leading digit, the bigpipe utility rejects service names with leading digits. This can cause bigip.conf to fail to load, including a bigip.conf file that you upgraded from version 9.x. For example, if you have a pool with a member named 3446, when you load the bigip.conf file, the system posts the error: BIGpipe parsing error: 012e0022:3: The requested value (10.0.0.1:3comfaxrpc }) is invalid (show | <pool member list> | none) [add | delete]) for 'members' in 'pool'. To work around this issue, run the command b cli service number to have bigpipe use service numbers instead of names.

When you specify Use Primary Connection Mirror Address as the ConfigSync Peer setting, and Network Mirroring is configured with IPv6 addresses, ConfigSync output contains the following strings:
[root@ltm-61:Active] config # b config sync
Checking configuration on local system and peer system...
Peer's IP address: 2222::2
Synchronizing Master Keys...Sync: No peer Address or invalid peer address
Saving active configuration...
To work around this issue, you can use IPv4 addresses, or you can select the ConfigSync Peer setting Specify IP Address and specify the IPv6 address manually.

During hardware power-up, you might observe diagnostic output similar to the following messages: BoardInit0 HvmLoadStart CpuInit0. These messages represent diagnostic output from the BIOS that has no effect on the operation of the system. You can safely ignore these messages.

You cannot simultaneously move to logical volume management (LVM) and install a hotfix. If you run the image2disk command with both the --hotfix and --format=volumes options, the system completes the hotfix installation, but does not format the drives. To work around this issue, format the system for volumes first, and then install the hotfix update.

This version of the software does not support IPv6-formatted IP addresses on the management port.
To work around this issue, you can use IPv4-formatted IP addresses for configuring the management port. When importing an ISO image into the Software Management screens in the Configuration utility, some browsers (for example, Microsoft Internet Explorer and Google Chrome), show /fakepath/ instead of the actual file path. This is expected behavior for HTML5-compatible browsers. You can work around this by adding the site to trusted sites. In addition, in Internet Explorer by setting the option Include local directory path when uploading files to a server in Internet Explorer Tools > Internet Option > Security > Custom level Security Settings - Internet Zone screen. When you create an opaque VLAN group before creating the route domain to assign it to, opaque mode does not work. To work around this issue, you can add the VLAN group to the route domain and then set its mode to opaque, or if you are already in this state, you can restart the tmm daemon. On the 1600, 3600, 3900, 6900, 8900, 8950, 11000, and 11050 platforms (more specifically, platforms with the Always-On Management (AOM) subsystem), you might see increasing chmand consumption of memory space. For more information, see SOL12941: The chmand process leaks memory on BIG-IP platforms containing the AOM subsystem. On a cluster, installing a User Configuration Set (.ucs) file containing dynamic routing fails to assign IP addresses to the ZebOS Network Services Module (NSM) interface. As a result, dynamic routing does not work. The workaround is to restart the tmrouted daemon by running the following command: clsh bigstart restart tmrouted.

CR140154 CR140238

ID 223787

ID 223959

ID 339850

ID 343150

ID 347605

ID 349340

ID 350888 ID 351874

ID 354467

ID 355152

ID 355294
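The leading-digit service-name issue described above can be caught before a bigip.conf load fails. The following script is an added example, not part of the F5 release note or F5 tooling; the function names and the sample configuration are constructed, and it assumes pool members appear as whitespace-separated IPv4:service tokens, as in the quoted error text.

```shell
#!/bin/sh
# Added example: pre-load check for the leading-digit service-name issue.
# Assumption: pool members are written as IPv4:service tokens, matching the
# form shown in the release note's error text (10.0.0.1:3comfaxrpc).

# Print "file:line: token" for every member whose service part starts with a
# digit but is not purely numeric (a service name rather than a port number).
find_leading_digit_services() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+[A-Za-z_-][A-Za-z0-9_-]*$/)
                printf "%s:%d: %s\n", FILENAME, NR, $i
    }' "$1"
}

# Constructed sample configuration (not taken from a real system).
write_sample_conf() {
    cat > "$1" <<'EOF'
pool web_pool {
   members {
      10.0.0.1:http {}
      10.0.0.1:3comfaxrpc {}
      10.0.0.2:3446 {}
   }
}
EOF
}

# Return 0 when the file is clean, 1 when bigpipe would reject a member.
check_conf() {
    hits=$(find_leading_digit_services "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    echo "Workaround from the release note: b cli service number"
    return 1
}

# Stand-alone use: pass the path of a configuration file to check.
if [ -n "${1:-}" ]; then
    check_conf "$1"
fi
```

Numeric ports such as 10.0.0.2:3446 and names such as http pass; only names like 3comfaxrpc are reported.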

Contacting F5 Networks
Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Legal notices
Copyright 2009-2011, F5 Networks, Inc. All rights reserved. For a current list of F5's trademarks and service marks, click here. All other product and company names herein may be trademarks of their respective owners.
