Manual Chapter: Known Issues

Applies To: F5OS-C 1.1.3

Open issues

Each entry gives the ID number and title, followed by the description (symptoms, conditions, impact) and the workaround, if any.
873497
Reboot requested during a firmware update does not occur, but a reboot message is logged
Symptoms:
System messages say the system will reboot after the firmware update, but it does not actually reboot.
Note: If you try to reboot while the update is in progress, the reboot fails, yet a message is logged indicating that the system is going down for reboot. It does not reboot.
Messages displayed:
-- Failed to start reboot.target: Transaction contains conflicting jobs 'stop' and 'start' for systemd-reboot.service. Probably contradicting requirement dependencies configured.
-- See system logs and 'systemctl status reboot.target' for details.
-- Broadcast message from root@localhost on ttyS0 (Tue 2020-01-28 10:18:33 PST): "The system is going down for reboot NOW!"
Conditions:
-- Firmware is being updated.
-- User initiates a system reboot.
Impact:
The system prevents rebooting while the firmware upgrade is in progress, but an erroneous message is logged indicating that a reboot will occur.
Workaround:
Do not attempt to reboot during a firmware update. The message is erroneous and you can safely ignore it.
879325
PCIe correctable errors may be infrequently reported on VELOS BX110 blades
Symptoms:
PCIe correctable errors may be infrequently reported on VELOS BX110 blades because the Train Cold - Run Hot (TCRH) Compensation Feature is triggered in response to platform temperature changes. This feature uses a PCIe PHY layer reset to optimize performance and data integrity as operating conditions change. The correctable errors reported may include any of the following:
  • Bad DLLP
  • Bad TLP
  • Replay timer timeout (RTTO)
Conditions:
-- Train Cold - Run Hot (TCRH) Compensation Feature triggered in response to platform temperature changes.
-- VELOS BX110 blades.
Impact:
The Train Cold - Run Hot (TCRH) Compensation Feature is an expected behavior on the VELOS BX110 blade and these infrequent correctable errors have no system impact.
Workaround:
None needed. This is a benign message that you can safely ignore.
918781
i8042: No controller found
Symptoms:
During boot, the system logs a message: i8042: No controller found
Conditions:
This occurs during system startup of a VELOS System Controller or Blade.
Impact:
The message is benign, and you can safely ignore it.
Workaround:
None
918789
'Error parsing PCC subspaces' message on the console during boot
Symptoms:
'Error parsing PCC subspaces' appears on the console when the system boots.
Conditions:
Viewing the console on boot.
Impact:
The message is benign and can be ignored.
Workaround:
None
918793
Message 'Failed to start origin-node.service' occurs during boot
Symptoms:
During boot, the system controllers may display the message [FAILED] Failed to start origin-node.service.
Conditions:
The system is booting up.
Impact:
An error is logged, but there are no known negative impacts to system operation. The origin-node service is dependent on the docker daemon and other dependent services. In the background, the origin-node service automatically starts when the dependent services are up and running.
Workaround:
You can verify the status of the service using the following procedure:
  1. Wait 5-to-8 minutes after you see the ssh/login banner.
  2. Run the command in BASH as root:
systemctl status origin-node.service
920317
Hot plug nuisance log error
Symptoms:
PWR-0366-XX 3000W AC power supply used in VELOS CX410 series chassis reports a 'PSU <n> other communication fault event' in the log when the power supply is hot plugged (Hot plug: disconnecting/applying power to a PSU connection).
Conditions:
This fault indicates a problem with the communication between the primary and secondary PSU DSP devices inside the PSU. It usually happens when the PSU is connected to the 12V bus and the AC power cord has been removed. In this situation, the secondary-side DSP is powered from the 12V bus through a peer supply, while the primary side is not powered because AC is removed.
Impact:
Eventually, the lack of communication triggers a STATUS_CML.COMM_FAULT and records the message in the log. This is a latching fault that can turn off 12Vout; in PMBus terms, the fault remains asserted even after the underlying condition has cleared internally.
Workaround:
There is no fix for this issue as the power supply functions as designed.
930053
Issuing 'bigstart stop' makes tenant unreachable
Symptoms:
When you issue a 'bigstart stop' command in a tenant running on the VELOS platform, the management port becomes unreachable.
Conditions:
-- Log into the tenant using an ssh connection to the management IP address.
-- Issue the command:
bigstart stop
Impact:
Cannot ssh or ping the tenant management IP address.
Workaround:
Assign per-blade management IPs to each blade within the tenant. The system should remain accessible via the per-blade management IP addresses.
930097
Output for system diagnostics qkview command is not consistent
Symptoms:
When you run the qkview command, the capture, cancel, and delete subcommands produce plain readable text, while the list and status subcommands, though readable, produce output in JSON format.
Conditions:
-- Run qkview command with subcommands.
Impact:
Output for qkview command is not consistent.
Workaround:
None needed. This is a cosmetic issue.
931753
Tenant management MAC addresses are not from the chassis-wide management pool
Symptoms:
The tenant management MAC addresses do not originate from the chassis-wide management pool. They are software-generated MAC addresses. Though unlikely, this randomly allocated MAC address might collide with an existing MAC address in the tenant management network. This can result in unexpected and erratic network behavior for the tenant and for the external entity that has the same MAC address.
Conditions:
-- Start up a tenant.
-- The system assigns a software-generated (random) MAC address to the tenant management port.
-- That MAC address already exists on the management network.
Impact:
A tenant or external entity with the same MAC as the tenant could experience intermittent network issues on the management network, including tenant startup failure.
Workaround:
To have the system generate a new MAC address: toggle the tenant's running state to Provisioned and back to Deployed.
Note:
If the new MAC address also conflicts with an existing MAC address, you must perform these steps again.
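As an added example for 931753 (not F5 code, and not part of this manual), the Python below parses `ip neigh show` style output captured on a host on the tenant management network and reports any MAC address claimed by more than one IP, which is what a collision with the software-generated tenant MAC looks like from outside the chassis. The neighbor-table lines are constructed; the interface name mgmt0 and the addresses are assumptions.

```python
import re
from collections import defaultdict

# Added example, not F5 code. Parses `ip neigh show` style lines and reports MAC
# addresses that are claimed by more than one IP (the collision in 931753).
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<state>\S+)"
)


def parse_neighbors(lines):
    """Return {mac: {ip, ...}} from neighbor-table lines.

    Entries without an lladdr (for example FAILED entries) are skipped; MACs are
    normalized to lowercase so that case differences do not hide a collision.
    """
    by_mac = defaultdict(set)
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if m:
            by_mac[m.group("mac").lower()].add(m.group("ip"))
    return by_mac


def find_collisions(by_mac):
    """MAC addresses seen with more than one IP address."""
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_tenant_mac(tenant_ip, tenant_mac, by_mac):
    """Other IPs that answer with the tenant's management MAC (empty set = no collision)."""
    return by_mac.get(tenant_mac.lower(), set()) - {tenant_ip}


# Constructed sample neighbor table (not from a real system); mgmt0 is an assumed name.
SAMPLE_NEIGH = [
    "10.20.0.10 dev mgmt0 lladdr 02:00:5e:ab:cd:01 REACHABLE",
    "10.20.0.11 dev mgmt0 lladdr 02:00:5e:ab:cd:02 STALE",
    "10.20.0.77 dev mgmt0 lladdr 02:00:5e:ab:cd:01 REACHABLE",
    "10.20.0.99 dev mgmt0  FAILED",
]

if __name__ == "__main__":
    table = parse_neighbors(SAMPLE_NEIGH)
    for mac, ips in find_collisions(table).items():
        print(f"MAC {mac} is claimed by {', '.join(ips)}")
    others = check_tenant_mac("10.20.0.10", "02:00:5E:AB:CD:01", table)
    if others:
        print("tenant MAC also seen at", sorted(others),
              "- toggle the tenant to Provisioned and back to Deployed")
```

Run it on the real neighbor table of a host on the management network after the tenant starts; an empty result from check_tenant_mac means the generated MAC is unique as far as that host can see.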
932945
STP references to stale interfaces remain when the port group changes
Symptoms:
When you change an existing port group, e.g., from one 100G port to four 25G ports, 'show stp' in the CLI still reports the old interfaces, and the new interfaces do not display.
Conditions:
This occurs when changing the port group mode, e.g., from one 100G port to four 25G ports.
Impact:
-- The old interfaces still display when running 'show stp' from the CLI.
-- The new interface does not display when running 'show stp' from the CLI.
-- You must manually remove the old interfaces and add the new interface via the CLI.
Workaround:
You must manually remove the old interfaces and add the new interface using the CLI.
939893
CLI does not include firmware version information for sirr or ssd
Symptoms:
The output of 'show components component' does not include the firmware version information for the sirr or ssd.
Conditions:
Running the show components command.
Impact:
The show components command does not report the firmware version information for the sirr or ssd data fields.
Workaround:
None
946473
Incorrect interface status returned when System Controller is removed or ceases to function
Symptoms:
The 'show interfaces interface state operstatus' reports 'UP' for interfaces on System Controller when it is permanently down (i.e., powered off or removed).
Conditions:
-- Running the command: 'show interfaces interface state operstatus'.
-- A System Controller is removed or ceases to function.
Impact:
Incorrect status is returned. This occurs because the interfaces operstatus cannot be updated by the down or missing System Controller.
Workaround:
None
950109
Interface 'in-discards' counter not reset
Symptoms:
If you issue a reset counters command, the in-discards counter is not reset to 0.
Conditions:
Issue 'reset counters interfaces <interface>' or 'reset counters all' commands.
Impact:
Counter is not reset to 0.
Workaround:
None
950477
USB device presence causes errors in the blade log
Symptoms:
When a USB device is present in the blade, the velos.log contains a large number of errors from platform-hal related to the USB device and attempts to detect it.
Conditions:
USB device is present in the blade.
Impact:
Numerous unnecessary messages appear in the log.
Workaround:
These messages are benign, and you can safely ignore them.
950793
BAR 7: failed to assign
Symptoms:
During startup, the VELOS system logs a message:
BAR 7: failed to assign.
Conditions:
This occurs when Intel X553 Ethernet is initialized during system startup of a VELOS blade.
Impact:
The message is benign and you can safely ignore it.
Workaround:
None
950797
ERST and VDO messages during boot
Symptoms:
After system startup, dmesg shows the following messages:
[ 1.306207] ERST: Error Record Serialization Table (ERST) support is initialized.
[ 18.503404] uds: kvdo0:dedupeQ: verifyBufferedData got unexpected data: UDS Error: Corrupt saved component (1030)
Conditions:
Viewing messages after system startup.
Impact:
ERST is not an error. It means ERST is initialized and although 'E' stands for 'error', the log message is not an error message. The kvdo0:dedupeQ message occurs when the VDO volume is initialized. Since the volume has only been initialized, there's nothing to corrupt. Both messages can be ignored.
Workaround:
These are not error messages, and you can safely ignore them.
950837
Command 'show system blade-power' does not show current blade power state
Symptoms:
The CLI command 'show system blade-power' displays the power requested and allocated to a blade. It does not show the power currently being drawn by the blade.
Conditions:
Blade is powered off via AOM commands.
Impact:
The 'show system blade-power' command output does not change, so it is not a suitable method to determine the power status of blades in the system. There is no impact to the running system itself.
Workaround:
Use AOM to check the blade power state if it is not possible to check blade indications visually.
  1. Enter AOM.
  2. Capture blade console.
  3. Select Display Blade Information.
951405
Disabling appliance mode for a tenant leaves root login and shell access disabled
Symptoms:
When appliance mode is enabled, access to the Advanced shell (bash) is removed, and the system root user cannot log in to the device by any means, including the serial console. When appliance mode is then disabled, Advanced shell access and root login remain disabled.
Conditions:
-- Enable appliance mode for a tenant.
-- Disable appliance mode for a tenant.
Impact:
Cannot access the Advanced shell or log in as root user when appliance mode is disabled. This is intended functionality.
Workaround:
Log in to the tenant and run the following two commands in tmsh:
tmsh modify sys db systemauth.disablerootlogin value false
tmsh modify sys db systemauth.disablebash value false
951801
CPU and memory utilization statistics might be unavailable on the CLI
Symptoms:
CPU and memory utilization data is blank after bootup for both system controllers when viewed on the CLI, under the following:
  • show components component * cpu state cpu-utilization
  • show components component * state memory
Conditions:
This may happen intermittently if the internal subnet is set to a non-default value.
Impact:
You cannot reliably view CPU and memory utilization through the CLI.
Workaround:
None
954785
CLI component data is not updated to reflect removal of peer system controller
Symptoms:
If the standby system controller is removed, the CLI command 'show components component' information is not updated to reflect its removal.
Conditions:
-- Standby system controller is removed.
-- Running the CLI command 'show components component'.
Impact:
No operational impact other than the data is stale. If another controller is installed, the data is updated to reflect the new controller.
Workaround:
To remove the stale data, you must reboot the remaining system controller or replace the removed standby controller.
956909
Status LED may be left off after LCD test
Symptoms:
The Status LED may be left in the off state after an LCD test.
Conditions:
Issue occurs after the LCD test is executed.
Impact:
Status LED may not reflect actual state of the system after an LCD test.
Workaround:
Power-cycling the chassis resolves the Status LED state.
957093
Switch-related events with Notice severity found in confd event log during blade reboot
Symptoms:
Several switch-related events sometimes occur when a blade is rebooted. These events are generated if the switch port to which the blade is connected reports an FEC Uncorrected Error, and posts error messages similar to the following:
-- NOTICE 'Switch Port in fault state'.
The errors usually clear soon after the blade boots up.
Conditions:
This occurs upon system startup.
Impact:
The system generates a few unwanted events. If the blade boots successfully and networking is functioning normally, you can safely ignore the 'Switch Port in fault state' events.
Workaround:
None
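The benign messages recorded in 873497, 879325, 918781, 918789, 918793, 920317, 950793, 950797 and 957093 are easiest to handle as a suppression list. The following Python is an added example, not F5 code and not part of this manual: it classifies log lines against patterns taken from the message text quoted in those entries, keeps everything unmatched for review, and escalates a "known benign" message that repeats more often than a threshold you choose. The thresholds and the sample log lines are constructed for illustration, and the 873497 pattern is only benign while a firmware update is in progress, so that context has to come from you.

```python
import re
from collections import Counter

# Added example, not F5 code. Patterns come from the message text quoted in this
# Known Issues list for F5OS-C 1.1.3; the notes paraphrase the Impact sections.
KNOWN_BENIGN = [
    ("873497", r"Failed to start reboot\.target|going down for reboot NOW",
     "only benign while a firmware update is in progress; the reboot is refused"),
    ("879325", r"\bBad DLLP\b|\bBad TLP\b|Replay [Tt]imer [Tt]imeout|\bRTTO\b",
     "PCIe correctable errors from TCRH compensation on BX110 blades"),
    ("918781", r"i8042: No controller found", "benign during controller/blade startup"),
    ("918789", r"Error parsing PCC subspaces", "benign console message at boot"),
    ("918793", r"Failed to start origin-node\.service",
     "origin-node starts on its own once docker and its dependencies are up"),
    ("920317", r"PSU \d+ other communication fault event",
     "PSU hot plug; the supply functions as designed"),
    ("950793", r"BAR 7: failed to assign", "Intel X553 initialization on a blade"),
    ("950797", r"ERST: Error Record Serialization Table \(ERST\) support is initialized"
               r"|kvdo0:dedupeQ: verifyBufferedData got unexpected data",
     "ERST init is informational; VDO message on a freshly initialized volume"),
    ("957093", r"Switch Port in fault state",
     "FEC uncorrected error while a blade reboots; normally clears after boot"),
]
_RULES = [(iid, re.compile(pat), note) for iid, pat, note in KNOWN_BENIGN]


def classify(line):
    """Return the Known Issue ID whose pattern matches the line, or None."""
    for iid, rx, _ in _RULES:
        if rx.search(line):
            return iid
    return None


def triage(lines, max_repeats=None):
    """Split lines into suppressed (known benign) and remaining (needs a look).

    max_repeats maps an issue ID to the number of occurrences you are willing to
    suppress; beyond that the ID is reported under 'escalate'. The thresholds are
    this example's assumption: the page only says the messages are benign.
    """
    max_repeats = max_repeats or {}
    counts, suppressed, remaining = Counter(), [], []
    for line in lines:
        iid = classify(line)
        if iid is None:
            remaining.append(line)
        else:
            counts[iid] += 1
            suppressed.append((iid, line))
    escalate = {iid: n for iid, n in counts.items()
                if iid in max_repeats and n > max_repeats[iid]}
    return {"suppressed": suppressed, "remaining": remaining,
            "counts": dict(counts), "escalate": escalate}


# Constructed sample lines (not a real capture); wording mirrors the messages quoted above.
SAMPLE_LOG = [
    "[    1.306207] ERST: Error Record Serialization Table (ERST) support is initialized.",
    "[    1.410000] i8042: No controller found",
    "[    2.200000] pci: BAR 7: failed to assign",
    "[FAILED] Failed to start origin-node.service.",
    "[   18.503404] uds: kvdo0:dedupeQ: verifyBufferedData got unexpected data: UDS Error: Corrupt saved component (1030)",
    "NOTICE 'Switch Port in fault state'",
    "NOTICE 'Switch Port in fault state'",
    "PSU 2 other communication fault event",
    "platform-hal: blade-3 link training failed after 3 retries",  # constructed, not a known-benign message
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, max_repeats={"957093": 1})
    for iid, line in result["suppressed"]:
        print(f"suppressed [{iid}] {line}")
    for line in result["remaining"]:
        print(f"REVIEW {line}")
    for iid, n in result["escalate"].items():
        print(f"ESCALATE {iid}: seen {n} times")
```

Feed it velos.log or dmesg output; anything left in 'remaining' is a message this list does not vouch for, and the 'escalate' map catches a "clears soon after boot" condition that did not clear.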
957129
Qkview collection running on peer does not cancel when main qkview is canceled.
Symptoms:
Qkview collection is distributed, and there is a main process for collecting qkview information from peer devices. The main qkview process (running on the active system controller) or the partition manager, spawns processes to collect from its peers. Peers are not aware of whether the main qkview operation has been canceled.
Conditions:
A qkview is canceled, and then immediately restarted.
Impact:
Partial qkview collection. When a qkview is canceled on the main collection system, the peers are not aware of this, and continue to collect. The peer qkviews may not be collected if the peers are still processing the last qkview request.
Workaround:
Wait 5 minutes after canceling, and then run qkview again.
960893
Tenant deployment fails if tenant name exceeds 49 characters
Symptoms:
If an admin configures a tenant with a name that is longer than 49 characters, tenant deployment fails.
Conditions:
Partition created and enabled on VELOS hardware for admin to login and create a tenant configuration.
Impact:
The configured tenant fails to schedule on the VELOS cluster due to Red Hat OpenShift name length restrictions: if the tenant name has more than 49 characters, the server rejects the deployment request.
Workaround:
Delete the existing tenant and create a new tenant deployment with a name with 49 or fewer characters.
Note: The system might not prevent you from using more characters, but the recommendation is 49 or fewer.
963941
The authentication method TACACS_ALL is not supported
Symptoms:
The CLI includes the TACACS_ALL authentication option, but this option has no functionality.
Conditions:
This is encountered while configuring authentication using the following command: system aaa authentication config authentication-method
Impact:
TACACS_ALL is presented, but this option does nothing.
Workaround:
Do not use the TACACS_ALL option.
965353
The 'show image' report can have staggered output
Symptoms:
The 'show image' report can conflate subtable output into a single, long set of columns. In some instances, the report begins to stagger row output. Although the information presented is accurate, the format is suboptimal.
Conditions:
Very wide screen widths cause table conflation to take place for the 'show image' report.
Impact:
Some rows (right-hand side of report) wrap around to the next line, making the report more difficult to interpret.
Workaround:
Adjust the screen width before running 'show image', as in:
syscon-1-active# screen-width 60
syscon-1-active# show image
968529
Partition number interfaces are not listed under Network Settings > Port Groups, Interfaces, or LAGs
Symptoms:
No interfaces are listed in the partition management screen under Network Settings > Port Groups, Interfaces, or LAGs.
Conditions:
Conditions under which this occurs are not entirely known. It has been seen after multiple reset-to-defaults commands are issued.
Impact:
System does not function properly.
Workaround:
Issue a single reset-to-defaults command at a time. Should this condition occur, reboot the entire chassis (both controllers) and the interfaces should repopulate as expected.
968881
Creating a partition using the CLI, 'commit check' fails
Symptoms:
When creating a partition using the CLI, and trying to validate the changes with 'commit check', a validation error occurs: partitions 'partition part1 uuid' is not configured.
Conditions:
-- Create a partition using the CLI.
-- Attempt to validate the changes using 'commit check'.
Impact:
The 'commit check' operation rejects this config change. This error is misleading, indicating that you need to specify a uuid value.
Note: Not only is uuid irrelevant, it is not possible for you to specify it.
Workaround:
None
973209
Previously saved system database filename is not tab-expandable
Symptoms:
When restoring a previously saved system database, the filename is not tab-expandable. There is no way to get a list of the existing system database backup filenames, other than by using CLI filesystem operations.
Conditions:
-- Run 'system database config-backup name' to restore a previously saved system database using the CLI.
-- Attempt to tab-expand the filename portion of the command.
Impact:
You must exit to the bash shell, or use the file operations to find the backup filename and try the operation again.
Workaround:
To determine the previously saved filenames:
-- For system controller, use:
file list path /var/confd/configs/
-- For partitions, use:
file list path /var/F5/partition/configs/
973217
Qkview generation mishandles filename with space in it
Symptoms:
If the qkview filename contains a space, the system uses only first word for the qkview filename.
Conditions:
Using filenames with spaces in them while generating a qkview.
Impact:
Only the first word is used in the generated qkview filename.
Workaround:
Do not use spaces in qkview filenames.
973449
System date/time not displayed in GUI, cannot be set
Symptoms:
The system does not display the current date/time and timezone in the GUI, which can make it difficult to review alerts or logs without knowing/remembering how the system is configured. The system does not provide a mechanism to update the system clock directly, without NTP.
Conditions:
Attempting to view or set system time and date via the GUI.
Impact:
You cannot view or set system time and date through the GUI.
Workaround:
None
973469
The ed25519 certificate and key are not accepted.
Symptoms:
The GUI stops working without any warning or error if an ed25519 crt/key is imported.
Conditions:
Import an ed25519 crt/key.
Impact:
GUI stops working. In the system controller log you see errors:
-- controller-1 /usr/bin/authd[7]: priority="Err" version=1.0 msgid=0x3901000000000026 msg="OpenSSL PEM_read_bio_PrivateKey failed read key" file="server.key".
-- controller-1 /usr/bin/authd[7]: priority="Err" version=1.0 msgid=0x3901000000000022 msg="OpenSSL X509_PUBKEY_get failed to get key."
Workaround:
Do not use ed25519 crts/keys.
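A pre-import check for 973469, as an added example that is not F5's code and not part of this manual: the Python below reads the algorithm OID from a PKCS#8 PEM private key by decoding only the DER header, and refuses Ed25519 before the file ever reaches the GUI. A certificate's public key has the same algorithm as the private key it pairs with, so checking the key covers the crt/key pair for this issue. The two keys at the bottom are constructed purely to exercise the parser (an all-zero Ed25519 seed and an RSA header with a dummy body); rejecting Ed448 alongside Ed25519 is this example's assumption, since the page only reports ed25519.

```python
import base64
import re

# Added example, not F5 code. Identifies the key algorithm of a PEM private key
# before import so that an Ed25519 key (973469) can be refused up front. Only
# enough DER is parsed to read the PKCS#8 AlgorithmIdentifier OID.
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "ecPublicKey",
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}
REJECT = {"Ed25519", "Ed448"}   # Ed448 is an assumption; the page only reports ed25519

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----\s*(.*?)\s*-----END \1-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Dotted string from OID content octets (base-128 with continuation bits)."""
    first = raw[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def pkcs8_algorithm_oid(der):
    """PrivateKeyInfo ::= SEQUENCE { version INTEGER, AlgorithmIdentifier, OCTET STRING, ... }"""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, vend = _read_tlv(der, start)              # version
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    tag, astart, _ = _read_tlv(der, vend)             # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, ostart, oend = _read_tlv(der, astart)        # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    return _decode_oid(der[ostart:oend])


def key_algorithm(pem_text):
    """Algorithm name (or raw OID) of the first private key block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "RSA PRIVATE KEY":            # PKCS#1: algorithm is implied by the label
        return "rsaEncryption"
    if label == "EC PRIVATE KEY":             # SEC1: likewise
        return "ecPublicKey"
    if label != "PRIVATE KEY":
        raise ValueError(f"unsupported PEM label {label!r}; convert to PKCS#8 first")
    oid = pkcs8_algorithm_oid(base64.b64decode("".join(body.split())))
    return OID_NAMES.get(oid, oid)


def safe_to_import(pem_text):
    """False for key types that break the F5OS-C 1.1.3 GUI when imported (973469)."""
    return key_algorithm(pem_text) not in REJECT


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed test keys: a structurally valid PKCS#8 Ed25519 key with an all-zero
# seed (never use such a key) and an RSA PKCS#8 header followed by a dummy 4-byte body.
ED25519_PEM = to_pem("PRIVATE KEY", bytes.fromhex("302e020100300506032b657004220420") + bytes(32))
RSA_STUB_PEM = to_pem("PRIVATE KEY", bytes.fromhex("3018020100300d06092a864886f70d0101010500040400000000"))

if __name__ == "__main__":
    for name, pem in (("ed25519", ED25519_PEM), ("rsa", RSA_STUB_PEM)):
        print(name, key_algorithm(pem), "import ok" if safe_to_import(pem) else "REFUSE (973469)")
```

Wire safe_to_import into whatever pushes certificates to the system controller; a refused key never triggers the authd PEM_read_bio_PrivateKey failure quoted above.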
979337
Two different partitions can be assigned the same management IP address
Symptoms:
It is possible to assign the same management IP address to multiple partitions.
Conditions:
This is encountered when creating new partitions using the CLI. You can duplicate the management IP address without getting an error.
Impact:
Creating a duplicate management IP address can cause management traffic disruption.
Workaround:
Reconfigure the affected partitions with unique IP addresses.
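The limits recorded in 960893, 973217, 979337 and 982309 can all be checked before a change is committed, since the system does not reject these inputs in this release. The following Python is an added example (not F5 code, not part of this manual) that validates a planned configuration: tenant names of at most 49 characters, qkview filenames without whitespace, and unique IPv4 management addresses across partitions. The shape of the plan dictionary and the sample values are constructed for illustration.

```python
import ipaddress

# Added example, not F5 code. Pre-commit checks for the configuration limits this
# Known Issues list records for F5OS-C 1.1.3.
TENANT_NAME_MAX = 49   # 960893: deployment fails above this length


def check_tenant_names(names):
    return [f"960893: tenant {n!r} has {len(n)} characters; limit is {TENANT_NAME_MAX}"
            for n in names if len(n) > TENANT_NAME_MAX]


def check_qkview_filename(filename):
    if any(ch.isspace() for ch in filename):
        return [f"973217: qkview filename {filename!r} contains whitespace; only the first word would be used"]
    return []


def check_partition_mgmt_ips(partitions):
    """partitions: {partition_name: management_ip}. Flags invalid, IPv6 and duplicate addresses."""
    problems, owner = [], {}
    for name, ip in sorted(partitions.items()):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"partition {name!r}: {ip!r} is not a valid IP address")
            continue
        if addr.version == 6:
            problems.append(f"982309: partition {name!r} uses IPv6 address {addr}; IPv6 is not supported in this release")
        if addr in owner:
            problems.append(f"979337: partitions {owner[addr]!r} and {name!r} share management IP {addr}")
        else:
            owner[addr] = name
    return problems


def validate_plan(plan):
    """plan keys (all optional): 'tenants' (list), 'qkview_filename' (str), 'partitions' (dict)."""
    problems = []
    problems += check_tenant_names(plan.get("tenants", []))
    if "qkview_filename" in plan:
        problems += check_qkview_filename(plan["qkview_filename"])
    problems += check_partition_mgmt_ips(plan.get("partitions", {}))
    return problems


# Constructed sample plan; every value here is illustrative.
SAMPLE_PLAN = {
    "tenants": ["bigip-prod-01", "t" * 50],
    "qkview_filename": "case 12345 before upgrade",
    "partitions": {
        "part1": "10.20.0.21",
        "part2": "10.20.0.22",
        "part3": "10.20.0.21",
        "part4": "2001:db8::1",
    },
}

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_PLAN):
        print(problem)
```

Run validate_plan over the values you are about to type into the CLI or GUI; an empty list means none of the four known limits is hit.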
980129
CLI shows prefix length of 32 after removing IPv4 address
Symptoms:
When the CLI is used to clear the configured IPv4 address, the system reports the prefix length as 32 bits.
Conditions:
-- Clearing the configured IPv4 address.
-- Viewing the prefix information the system reports.
Impact:
CLI shows prefix length of 32. There is no functional impact. When an IPv4 address and prefix is set again, the proper prefix length is reported.
Workaround:
None
980701
Incorrect standby system controller state reported with show components component
Symptoms:
When the standby system controller is removed, the CLI data is not updated to reflect its removal. The empty state field is one of several pieces of data that are not correct.
Conditions:
-- After removal of standby system controller.
-- Viewing state information in the CLI.
Impact:
No operational impact; just stale/incorrect CLI data about the state of the removed system controller.
Workaround:
You can correct the data using either of the following:
-- Reboot the remaining system controller.
-- Insert a system controller to replace the standby controller that was removed.
981081
Qkview file is not created if a failover happens during collection
Symptoms:
Qkviews are started and collected on the active controller/partition. If a failover happens while a qkview is in progress, that qkview operation is aborted, and the file deleted.
Conditions:
1. Start a qkview on the active device.
2. Failover the active to standby.
Impact:
The qkview collection stops and no file is created.
Workaround:
Do not initiate a failover from active to standby while qkview is in progress.
981605
Qkview truncates lines of top command at 80 characters.
Symptoms:
The top command defaults to an 80-character width when run outside a terminal, as it is in qkview. When top is executed this way, the -w parameter must be used to specify a wider output width.
Conditions:
Run qkview.
Impact:
Output of top command is truncated at 80 characters. Some contents of the top command may be missing in qkview files.
Workaround:
Run top separately from qkview.
982309
IPv6 configuration options are present in CLI but are not actually supported
Symptoms:
The CLI presents configuration options for IPv6, but the IPv6 functionality is not supported in this release and does not function properly.
Conditions:
-- Viewing the CLI configuration options.
-- Attempt to configure the IPv6 options.
Impact:
IPv6 configuration does not work.
Workaround:
None
984073
Slow system controller operations related to images
Symptoms:
A number of system controller operations related to images suffer from an approximately 5-second delay. This includes CLI commands such as 'show image partition' and 'show image controller', but there is also a delay when using tab-completion to view suggested completions for such commands. The delay appears to be mostly constant, independent of the number of partitions in the system. The delay is always present for these commands.
Conditions:
Using CLI commands related to images.
Impact:
In addition to the 5-second delays experienced directly on the CLI, there is likely similar impact to related GUI functionality, such as the partition management page. These delays do not appear to negatively impact any functionality.
Workaround:
None
984081
Delete key functions like Backspace in F5OS CLI
Symptoms:
Inside the F5OS CLI, the Delete key behaves in the same way as the backspace key. Instead of deleting the next character (the character to the right of the cursor), pressing Delete removes the previous character (the character to the left of the cursor).
Conditions:
Using the F5OS CLI.
Impact:
'Delete' key does not function in expected fashion.
Workaround:
Use the arrow keys to change the cursor location and then use backspace.
984089
Tcpdump captures at the partition level may show packets in the wrong time order
Symptoms:
Tcpdump may show packets out of order when it is run from a partition that spans multiple blades. "Order" here means the timeline in which the packets appeared on the network links outside the system: e.g., a TCP SYN arrives from the client and the system responds with a SYN-ACK, but the capture may show the SYN-ACK first and then the SYN.
Other than inferring from protocol knowledge what these packets represent, there is no real way to mitigate this in the multiple-port aggregation scenario.
Note: A tcpdump run from inside a BIG-IP tenant shows the correct order.
Conditions:
-- This may be encountered where there is an LACP-aggregated link that spans two ports on two different blades.
-- It has also been seen less frequently as out-of-order between ingress (outside-to-host) and egress (host-to-outside) packets.
Impact:
Tcpdump captures show the order of the packets differently from when they really happened, leading to possible misinterpretation of events.
Workaround:
None
984721
CLI commands for DNS and NTP could be simplified
Symptoms:
The CLI commands to configure DNS and NTP require specifying the address twice. For example, to add a DNS server:
config
system dns servers server 10.10.10.10 config address 10.10.10.10
commit
Conditions:
Configuring a DNS or NTP server using the CLI commands.
Impact:
There is no operational impact; however, it is preferable to enter the IP address only once.
Workaround:
None. You have to specify the IP address twice.
985009
PSU data missing in show components component
Symptoms:
After a system controller failover, the PSU information may not be populated in the command: show components component.
Conditions:
Active system controller fails over to the standby.
Impact:
PSU data is not listed. There is no operational impact to the system.
Workaround:
A total system reboot is the only option for listing the PSU data in the 'show components component' output.
985269
Error when creating users using the webUI
Symptoms:
When using the webUI to create a new user on the System Controller, you click the Save and Close button and the user is created but an error is displayed:
Server Error(s)
Something went wrong. Check the web browser console for more details or contact technical support for assistance.
Conditions:
Using the webUI to create a new user account.
Impact:
The user is created but an error is displayed.
Workaround:
None
986061
Partition config-backup silently overwrites a previous config backup
Symptoms:
The partition 'system database config-backup' command overwrites an existing backup file.
Conditions:
Running the partition 'system database config-backup' command.
Impact:
If a config backup exists, the operation silently overwrites it.
Workaround:
Specify a unique filename for each backup operation: system database config-backup name unique-filename.
986769
Archive containing matched F5OS ISO images cannot be imported directly
Symptoms:
The top-level software for F5OS comprises two ISO images: one for partition/blades, and one for the system controller. These must both be installed, separately.
You have the option of downloading a .tar file containing both .iso files. However, the .tar archive is not itself directly importable on the running system, and the import does not complete.
Conditions:
-- Download the F5OS software in a bundled .tar archive.
-- Attempt to import the bundle for use on the system.
Impact:
The import operation does not complete. You must perform manual steps to import the F5OS software from the .tar file.
Workaround:
-- There are two .iso files for F5OS software: one for the system controller and one for the partition. Both must be installed, separately. You can download them separately and install them individually.
-- You can also download the .tar file if you prefer to fetch both .iso files at once, for example to stage them on an HTTPS server that serves images to the chassis being rolled out. Unpack the archive there, then import each ISO individually by copying it to the import directory (/var/import/staging) on the active system controller.
987509
CVE-2020-1971: OpenSSL vulnerability
987565
Importing F5OS platform software can take a very long time
Symptoms:
In many cases, software imports (such as chassis partition or system controller ISO imports) can take up to 30 minutes to complete and synchronize across both system controllers.
Conditions:
This is encountered when importing F5OS platform software for VELOS.
Impact:
It may take a long time for the import to complete and synchronize.
Workaround:
Wait at least 30 minutes for imports to synchronize before assuming the import has failed and trying to fix it.
987581
CVE-2020-25643: Linux Kernel Vulnerability
Symptoms:
A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
F5OS status:
Not vulnerable.
988549
CVE-2020-29573: glibc vulnerability
988669
Interface config tpid leaf is exposed but is not supported
Symptoms:
The tpid leaf under interface config is exposed in the CLI, but it is not supported in this release.
Conditions:
-- In CLI config mode, the system presents tpid as a possible config option.
-- In CLI show mode, tpid is shown as operational data.
Impact:
Setting or reading tpid has no supported effect.
Workaround:
Ignore tpid under interface/config and interface/state.
989181
CVE-2020-14385: Linux kernel vulnerability
989189
CVE-2019-18282: Linux kernel vulnerability
989425
Multiple dnsmasq vulnerabilities
Symptoms:
Multiple dnsmasq vulnerabilities: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687. A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies so that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Workaround:
N/A
989461
CVE-2020-29573: glibc vulnerability
989525
Logging into a partition as root is denied with misleading message 'password expired'
Symptoms:
When logging in to a partition as the 'root' user, login is denied and displays the message 'password expired'. Root is not allowed to log into partitions, so the error message is misleading.
Impact:
User may not understand why root access is denied.
990161
Removing the active System Controller occasionally leaves the OpenShift cluster offline
Symptoms:
The OpenShift cluster will appear offline to the user.
Conditions:
Occurs occasionally when the active system controller is physically removed.
Impact:
No access to the OpenShift cluster. The OpenShift cluster appears offline.
Workaround:
To have the cluster come back online, re-insert the extracted system controller.
990897
Tenant operational state has incorrect data when it has no nodes
Symptoms:
When the admin removes all nodes from the tenant configuration and then upgrades the system controller software, the tenant status comes up in an error state.
Conditions:
Admin removes nodes from the tenant configuration using either of the following commands:
no tenants tenant <name> config nodes
tenants tenant <name> config nodes [ ]
Impact:
This has no effect on system functionality. The system is simply reporting an incorrect state of the tenant.
Workaround:
To process any traffic through the tenant, you must have a minimum of one node in the tenant config, for example:
show running-config tenants tenant <name> config nodes
tenants tenant example1
config nodes [ 1 ]
!
991029
Primary-Key-Migration set response message references incorrect command
Symptoms:
After setting the primary key, the system reports the following message:
-- Response Info: Key migration is initiated. Use 'show system primary-key state status' to get status.
This is the wrong command.
Conditions:
-- This is encountered when running the following command:
system aaa primary key set
Impact:
The prompt for the set command is misleading.
Workaround:
Use the command:
show system aaa primary-key state status
991061
Admin cannot edit the tenant config in Deployed state from GUI if the tenants are created via CLI
Symptoms:
Tenant validations are not working when a tenant is created using the CLI and subsequently edited in the GUI.
Conditions:
Admin creates the tenant via CLI and subsequently edits the following tenant config when the running-state is set to Deployed:
-- Scale-up/Scale-down the tenant.
-- Add/Remove VLAN.
Impact:
Admin cannot scale up/scale down the cluster using the GUI if the tenant is initially deployed via CLI.
Workaround:
Use the CLI to scale-up/scale-down and add/remove the VLAN to the tenant.
991309
'TPM Randomization failed' message in log
Symptoms:
When the BIOS on a blade is freshly updated and the blade is booted, there may be a 'TPM Randomization failed' message observed in the log output. This message occurs only once (if at all) and is then followed by a successful boot of the system. This is caused by the TPM randomization step of the boot not being completed. The next boot of the system, initiated by the BIOS when this condition is encountered, allows the TPM randomization to complete. For security purposes, the system does not boot to the OS until TPM randomization has successfully completed.
Conditions:
This particular instance of this message may occur after a fresh BIOS update to the system. If the initial boot after a BIOS install is interrupted, the subsequent boot may display this message in the log. The BIOS then causes the blade to reboot, allowing the TPM randomization step to complete.
Impact:
There is no impact to the functionality of the system. The message is for informational purposes only in this situation. If the TPM randomization step of the BIOS execution is not able to complete successfully, the BIOS causes the blade to reboot until the TPM randomization is successful.
Note: If the system continually fails to boot due to this issue, you may have a hardware issue that requires F5 response to correct.
Workaround:
Allow the blade to continue to boot. Once the BIOS has caused the blade to reboot, the condition clears itself and the message no longer appears as part of the boot process.
992381
Tenant Management MAC address is not correctly displayed in tmsh or iControl interfaces
Symptoms:
The F5OS partition CLI correctly displays the tenant management MAC address that matches what the tenant reports via 'ifconfig mgmt'. However, 'tmsh show sys mac-address' shows a different value. (vCMP guests also exhibit this behavior.)
Conditions:
This is encountered on F5OS tenants.
Impact:
No functional impact known; just reports incorrect data.
Workaround:
If the tenant MAC address is required, use 'ifconfig mgmt' inside the tenant, or use the value in the partition CLI.
992477
Tenant does not start up with the right config after frequent running-state changes
Symptoms:
If you create a tenant and set the running-state to deployed (without waiting for full startup), immediately change the running-state to provisioned (without waiting for the state change), immediately change tenant config such as vCPU/memory/VLANs, and then immediately change back to deployed, the tenant starts up but may not come up with the right resources/config.
Conditions:
This occurs when the tenant running-state changes with no wait time in between state changes.
Impact:
The tenant starts up with inaccurate resources (e.g., vCPU/memory/VLANs/mgmt-ip).
Workaround:
Wait a minimum of 30 seconds to 1 minute between tenant running-state transitions. One way to ensure a clean transition is to verify that the tenant has reached the desired state before changing the running-state again.
If performing deployments from the CLI:
show tenants tenant <tenant-name> state status
For example:
-- If the tenant running-state is 'deployed':
default-1# show tenants tenant defaultbip-1 state running-state
state running-state deployed
Then verify that the tenant status has reached the state expected for that running-state ('Running' when the running-state is 'deployed'):
default-1# show tenants tenant defaultbip-1 state status
state status Running
-- If performing deployments from the GUI, verify the tenant status next to the state under Tenant Management > Tenant Deployments.
993325
System controller does not have remote method to power on after being remotely powered off
Symptoms:
If the system controller is powered off from the Linux bash shell using 'shutdown -P' or an equivalent command, there is no method available in Always-On Management (AOM) menu, or any other method, to remotely power back on the system controller.
Once the system controller is powered off, it can be powered on only by either reseating the system controller or performing a full chassis power cycle.
Conditions:
The system controller is powered off using a bash command.
Impact:
You are unable to remotely power on a system controller after it has been powered off.
Workaround:
Reseat the controller or power cycle the chassis.
993985
Image import is not re-attempted if controller reboots while importing
Symptoms:
If a system controller reboots in the middle of importing platform software, the import does not automatically restart on the next boot. Additionally, it is not possible to overwrite it via a new file transfer to try again.
Conditions:
-- Valid F5OS software has begun importing on a system controller, but the import is not complete yet.
-- A reboot is issued by either the admin user or the software.
Impact:
The software is not imported.
Workaround:
Follow this procedure:
1. Download the software again, but using a different destination file name.
2. Try the import operation again.
994429
Traffic loss on previously active system controller
Symptoms:
Traffic on the previously active system controller is lost, so effectively half of the traffic is lost.
Conditions:
Occurs if the active system controller is not functioning properly. Here are some examples:
-- The system controller is physically non-functional (no electrical activity, etc.).
-- System software results in system controller failures for a long time.
Impact:
Traffic on the previously active system controller is lost.
Workaround:
Reboot the newly active system controller.
995061
CVE-2019-17006: NSS Vulnerability
Symptoms:
A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
Workaround:
N/A
995145
CVE-2020-12403: NSS Vulnerability
Symptoms:
A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
Workaround:
N/A
995297
CVE-2021-3326: glibc Vulnerability
995305
CVE-2020-8625: BIND Vulnerability
995597
CVE-2018-15688: systemd Vulnerability
Symptoms:
It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine.
Workaround:
N/A
995613
CVE-2019-10126: Linux kernel vulnerability
995633
CVE-2019-10160: Python vulnerability
Symptoms:
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, an attacker can provide specially crafted URLs that make the application locate host-related information (e.g. cookies, authentication data) and send it to a different host than it would if the URLs had been parsed correctly. The result of an attack may vary based on the application.
Workaround:
N/A
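The defect described in this entry (and in the CVE-2019-9636 entry that follows) is a URL whose authority section contains non-ASCII characters that NFKC normalization expands into a URL delimiter, so the host an application extracts from the URL is not the host it later sends data to. The validation below is an added example, not Python's own code and not part of F5OS; it is modeled on the approach CPython's fix takes (current interpreters run an equivalent check inside urlsplit) and is written for application code that wants to reject such input before any parser sees it. All function names are illustrative and the sample inputs are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters that delimit the parts of a URL. If NFKC normalization of the
# authority section manufactures one of these, the host boundary can shift.
URL_DELIMITERS = "/?#@:"


def netloc_is_nfkc_safe(netloc):
    """Return True unless NFKC-normalizing 'netloc' introduces a URL delimiter.

    Delimiters that are legitimately present ('user:pass@host:port') are
    removed before normalization, so only characters that expand into a
    delimiter are caught. A pure-ASCII authority cannot change under NFKC
    and passes immediately.
    """
    if not netloc or netloc.isascii():
        return True
    stripped = netloc
    for delim in "@:#?":
        stripped = stripped.replace(delim, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True
    return not any(delim in normalized for delim in URL_DELIMITERS)


def extract_netloc(url):
    """Take the authority component out of 'url' with plain string slicing,
    so the check can run before any URL parser touches the input."""
    if "//" not in url:
        return ""
    rest = url.split("//", 1)[1]
    end = len(rest)
    for delim in "/?#":
        idx = rest.find(delim)
        if idx != -1:
            end = min(end, idx)
    return rest[:end]


def parse_url_checked(url):
    """Split 'url' only after its authority passes the NFKC check (hypothetical helper)."""
    netloc = extract_netloc(url)
    if not netloc_is_nfkc_safe(netloc):
        raise ValueError("authority %r changes under NFKC normalization" % netloc)
    return urlsplit(url)


def url_is_safe(url):
    """Boolean form of parse_url_checked for callers that prefer not to catch."""
    try:
        parse_url_checked(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: an ordinary URL with userinfo, and one whose
    # userinfo contains a character that NFKC expands to include '/'.
    print(parse_url_checked("https://user:pw@example.com/path").hostname)
    print(url_is_safe("https://\u2100@example.com/"))
```

Stripping '@', ':', '#' and '?' before normalizing is what lets the check inspect the user and password parts together with the host, which is the region this regression concerns; a check that only looked at the host portion would miss them.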
995645
CVE-2019-9636: python vulnerability
995649
CVE-2018-16402: libelf vulnerability
Symptoms:
libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.
Workaround:
N/A
995657
CVE-2019-17133: Linux kernel vulnerability
995745
CVE-2018-11236: glibc vulnerability
995769
CVE-2018-20060: python vulnerability
Symptoms:
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
Workaround:
N/A
995777
CVE-2016-4448: libxml2 vulnerability
995781
CVE-2019-3861: libssh2 vulnerability
Symptoms:
An out of bounds read flaw was discovered in libssh2 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises an SSH server may be able to cause a denial of service or read data in the client memory.
Workaround:
N/A
995785
CVE-2019-11068: libxslt vulnerability
Symptoms:
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
Workaround:
N/A
995789
CVE-2019-12450: glib vulnerability
Symptoms:
file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.
Workaround:
N/A
995793
CVE-2019-5953: wget vulnerability
995801
CVE-2018-18074: python vulnerability
Symptoms:
A credentials-exposure flaw was found in python-requests, where if a request with authentication is redirected (302) from an HTTPS endpoint to an HTTP endpoint on the same host, the Authorization header is not stripped and the credentials can be read in plain text. A man-in-the-middle attacker could exploit this flaw to obtain a user's valid credentials.
Workaround:
N/A
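The urllib3 entry above (CVE-2018-20060) and this python-requests entry describe the same missing check: an HTTP client that re-sends the Authorization header to whatever origin a redirect names. The following is an added example, not urllib3's or python-requests' own code and not part of F5OS, of the origin comparison a client should make before following a Location header. Function names are illustrative, and the sample headers and URLs are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Default ports, so that "https://host" and "https://host:443" compare as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple that identifies a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def should_strip_authorization(request_url, location):
    """True when following 'location' from 'request_url' would send the
    Authorization header to a different origin.

    'location' may be relative, as in a real Location header, so it is
    resolved against the request URL first. Any change of scheme, host or
    port counts: that covers the cross-host case (CVE-2018-20060) and the
    HTTPS-to-HTTP downgrade on the same host (CVE-2018-18074), because the
    scheme is part of the origin.
    """
    redirect_url = urljoin(request_url, location)
    return origin_of(request_url) != origin_of(redirect_url)


def headers_for_redirect(headers, request_url, location):
    """Return a copy of 'headers' that is safe to send with the redirected request."""
    safe = dict(headers)
    if should_strip_authorization(request_url, location):
        for name in list(safe):
            if name.lower() == "authorization":
                del safe[name]
    return safe


if __name__ == "__main__":
    # Constructed sample: a Basic-auth request redirected from HTTPS to plain HTTP on the same host.
    sent = {"Authorization": "Basic dXNlcjpwYXNz", "Accept": "application/json"}
    print(headers_for_redirect(sent, "https://api.example.com/v1", "http://api.example.com/v1"))
```

Treating the scheme as part of the origin is what catches the same-host downgrade in the python-requests case; comparing hostnames alone, as the vulnerable versions effectively did, lets the credentials leave the TLS session.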
997085
CVE-2020-8625: BIND Vulnerability
997237
Changing chassis-id in system network config causes the cluster to not install correctly
Symptoms:
If the chassis-id is changed from the default of 1 in the 'system network' configuration on the system controller, the cluster does not reinstall correctly once the change takes effect.
Conditions:
Chassis-id is changed from default of 1 to any other value.
Impact:
Cluster does not re-install correctly, which means tenants cannot be launched on the system.
Workaround:
None
998301
CVE-2021-23839: OpenSSL vulnerability
998305
CVE-2021-23840: OpenSSL vulnerability
998309
CVE-2021-23841: OpenSSL vulnerability
998421
Blades need an extra manual reboot after network prefix change
Symptoms:
When changing the chassis internal network prefix range (RFC6598 to/from RFC1918), blades require an additional manual reboot to fully implement the change in prefix.
Conditions:
Chassis internal network prefix is changed.
Impact:
Configuration of a new network prefix requires additional manual step.
Workaround:
Manually reboot the affected blades an additional time after changing the chassis network prefix.
999229
Management session may be unresponsive after rebooting the standby System Controller
Symptoms:
When the standby system controller is rebooted, the user's management session may freeze for 10-15 seconds.
Conditions:
The standby system controller is rebooted.
Impact:
The management session is frozen briefly, then resumes normal operation.
Workaround:
None
999345
CVE-2020-8284: libcurl vulnerability
999357
CVE-2020-8285: libcurl vulnerability
999365
CVE-2020-8286: libcurl vulnerability
999377
CVE-2020-8286: libcurl vulnerability
999833-1
Online blade missing from Active Blades bitmap
Symptoms:
After powering on or rebooting one or more blades in a partition, blades can fail to establish data plane connectivity between each other across the backplane, resulting in complete loss of traffic in between blades.
Symptoms may include an inability for multi-blade tenants to cluster, or traffic received by one blade being unable to route that traffic to another blade, among other possibilities.
You can identify the problem more specifically by inspecting the tmstat 'vqf_cfg' table in the partition_fpga container. On each blade perform the following:
docker exec -it partition_fpga tmctl -d blade -w 120 vqf_cfg
If the 'active_blades' column does not show the same value for all blades that are assigned and enabled within the partition and are otherwise expected to be running in a good state, this issue has likely been encountered.
Conditions:
-- A blade is booted for the first time, or rebooted.
Impact:
Loss of data plane traffic in between blades within a partition.
Workaround:
Attempt to reboot the blade until the condition clears.
1000449
CVE-2020-12049: dbus Vulnerability
Symptoms:
An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.
Workaround:
N/A
1000453
CVE-2019-25013: glibc vulnerability
1009189
SwitchD may fail to start due to insufficient memory
Symptoms:
The system controller is unable to communicate with one or more of the running blades. The 'show cluster' command indicates one or more blades are Not Ready even though the blade or blades are fully booted. The other system controller may show similar misreporting of blades, but on different blades.
During switchd startup, an issue occurs and switchd will not provide the required switch configuration, resulting in a management port and internal chassis network outage.
Conditions:
-- The problem can manifest any time SwitchD starts/restarts. It is most likely to occur during installation or live update of the system controller software.
Impact:
The problem persists until the system controller on which the condition occurs is rebooted.
Workaround:
None
1009497
Orchestration_manager daemon can core on shutdown
Symptoms:
The orchestration_manager daemon may intermittently core on reboot of the system controller. This will leave a core file on the system controller.
Conditions:
-- Reboot of the active or standby system controller.
Impact:
Creates a core file. Does not affect operation of the system.
Workaround:
N/A
1012373
CVE-2021-20305 Nettle vulnerability
Symptoms:
A flaw was found in Nettle, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalars, possibly resulting in incorrect results.
Impact:
This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threats from this vulnerability are to confidentiality, integrity, and system availability.
Workaround:
F5OS should not be affected so no mitigation is needed. Nettle is installed in the host-os but there is no real user of that. Some OpenShift containers install the package but they are not exposed to the outside.
1013977
Timestamps not consistent across chassis
Symptoms:
The blade logs use PDT (Seattle) timezone whereas other logs are in the customers' local timezone (that is, on a properly configured BIG-IP system) and some controller logs are in UTC.
Conditions:
Examine various logs across the chassis and notice that they use inconsistent timezones.
Impact:
Consistent timezones across chassis logs would facilitate troubleshooting.
Workaround:
None
1014153
Timeout/failure on blade/cc pxeboot
Symptoms:
When attempting to pxeboot blades or chassis controllers, the attempt fails with a timeout.
Conditions:
There are two known possible explanations for this. One is that the steps to configure pxeboot have not been performed. The other is that the services provided by the image-server container have stopped working properly.
Impact:
pxeboot will fail.
Workaround:
To configure for pxeboot, be sure that a chassis partition iso has been imported, a chassis partition has been configured and enabled, and the slots to boot are assigned to it.
If those steps were performed properly, then it is possible the image-server services are no longer properly functioning. Restart vcc-image-server container or reboot the system controller.
1019165
CVE-2019-20907 Python Vulnerability
Workaround:
N/A
1023561-1
Restoring from a partition backup restores out of date tables
Symptoms:
When running "system database config-restore" on the chassis partition CLI, the fdb and vlan-listeners tables are erroneously restored. These tables can contain stale data that interferes with datapath configuration.
Conditions:
This issue occurs when running "system database config-restore" on the partition CLI.
Impact:
The datapath to tenants may not work until the tenants are re-deployed.
Workaround:
Delete the fdb and vlan-listeners tables immediately after restoring the configuration.
Follow this procedure:
1. system database reset-to-default proceed yes
2. system database config-restore name <backup_filename>
3. no fdb ; no vlan-listeners ; commit
1035185
Platform rejects tenant control plane messages
Symptoms:
The Platform layer continuously rejects control plane messages from a Classic BIG-IP tenant. This causes the tenant to be stuck on startup, and never fully start.
Conditions:
This issue can happen if a tenant is deleted and then rapidly recreated with the same name in a chassis partition.
Impact:
The tenant never completes the start up process, and is inaccessible.
Workaround:
In the bash shell, run the following command on the affected blade.
docker restart partition_api_svc_gateway