Supplemental Document : F5OS-A 1.0.0 Fixes and Known Issues Release Notes

Applies To:


F5OS-A

  • 1.0.0
Updated Date: 04/20/2023

F5OS-A Release Information

Version: 1.0.0
Build: 11432

Note: This content is current as of the software release date.
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.


Vulnerability Fixes

ID Number | CVE | Links to More Info | Description
998305 | CVE-2021-23840 | K24624116 | CVE-2021-23840: OpenSSL vulnerability


Functional Change Fixes

ID Number | Severity | Links to More Info | Description
1016629-1 | 3-Major | BT1016629 | System allows creation of VLAN names that are too long
1016621-1 | 3-Major | K64400840, BT1016621 | VLAN name validation changes
1016509-1 | 3-Major | BT1016509 | System allows creation of duplicate VLAN names
1001865-1 | 3-Major | | No platform trunk information passed to tenant


F5OS-A Fixes

ID Number | Severity | Links to More Info | Description
1055189 | 2-Critical | | Optical transceiver tuning values for OPT-0048 updated to reduce errors
1038877-1 | 2-Critical | | Last-change value does not display date of password change
1027929-1 | 2-Critical | BT1027929 | Adding a VLAN to a LAG that is already configured on a tenant may not configure the VLAN correctly.
1008585-3 | 2-Critical | BT1008585 | L2 Table corruption results in a traffic loss.
997821-1 | 3-Major | | Bi-directional optics part is not recognized and interface remains in the down state.
984721-1 | 3-Major | | CLI commands for DNS and NTP could be simplified
1062021 | 3-Major | | Lacpd process continuously restarts after creating a LAG interface with a space.
1060405-1 | 3-Major | | Management-address is incorrectly displayed in lldp neighbor information
1057009 | 3-Major | | Malformed LLDPDU exchanged between platform and switch leads Cisco to ignore LLDP neighbor info.
1032697-1 | 3-Major | | File delete operation throws an improper message
1028873-1 | 3-Major | | Colon character is not allowed in the password.
1027837-1 | 3-Major | | Media type of optics with part number OPT-0047 reports as unknown.
1015497-2 | 3-Major | BT1015497 | In rare cases, the blade software can disconnect from the system controller and never recover.
1014009-2 | 3-Major | BT1014009 | Blade out of memory condition when using a large number of VLANs.
1009685-3 | 3-Major | | 1.2.1 platform software cannot be imported on Controller OS versions below 1.2.0
1058757-1 | 4-Minor | | Optical transceiver OPT-0043 reports unknown as media type
1052629 | 4-Minor | | Port group media string updated

 

Cumulative fix details for F5OS-A v1.0.0 that are included in this release

998305 : CVE-2021-23840: OpenSSL vulnerability

Links to More Info: K24624116


997821-1 : Bi-directional optics part is not recognized and interface remains in the down state.

Component: F5OS-A

Symptoms:
Interface remains in down state even with optics and fiber inserted, and the optics type is not identified

Conditions:
Bi-Directional optics is present in the system

Impact:
Interface will not be operational

Workaround:
None

Fix:
Bi-Directional optics type should be recognized and interface should be operational


984721-1 : CLI commands for DNS and NTP could be simplified

Component: F5OS-A

Symptoms:
The CLI commands to configure DNS and NTP require specifying addresses twice.

For example, specifying a DNS server:
 config
 system dns servers server 10.10.10.10 config address 10.10.10.10
 commit

Conditions:
Configuring a DNS or NTP server using the CLI commands.

Impact:
There is no operational impact; however, it is preferable to enter the IP address only once.

Workaround:
None. You have to specify the IP address twice.


1062021 : Lacpd process continuously restarts after creating a LAG interface with a space.

Component: F5OS-A

Symptoms:
The Lacpd service restarts when the LAG name contains a space.

The tenant won't get the LAG name and it will show a null value.
[root@localhost:Active:Standalone] config # tmsh list net trunk
net trunk "" {
    cfg-mbr-count 2
    distribution-hash src-dst-mac
    id 0
    interfaces {
        1.0
        2.0
    }
    stp disabled
    type ha-only
    working-mbr-count 2
}

Conditions:
LAG name contains a space.
Example : "lacp lag"
appliance-1(config)# interfaces interface "lacp lag" config type ieee8023adLag

Impact:
1. Lacpd service restarts.
2. BIG-IP tenant does not get the trunk name.


Note: For a live upgrade from an EA release to the GA release, any LAG created with a space in its name will not work. You must either delete these LAGs or do a bare metal install before performing a live upgrade.

Workaround:
Do not create a LAG name that contains a space.


1060405-1 : Management-address is incorrectly displayed in lldp neighbor information

Component: F5OS-A

Symptoms:
The 'show lldp' command displays the management-address of the neighbor incorrectly.

Conditions:
-- lldp enabled
-- Run the 'show lldp' command

Impact:
The management-address of the neighbor is shown incorrectly. This is a display issue; there is no functional impact.

Workaround:
None


1058757-1 : Optical transceiver OPT-0043 reports unknown as media type

Component: F5OS-A

Symptoms:
"show portgroups" reports unknown for the media type for an OPT-0043

Conditions:
OPT-0043 transceiver plugged into a system

Impact:
Cosmetic - this has no functional impact. The media field is not used by any software; it is reported as information for the user.

Workaround:
None

Fix:
OPT-0043 now reports media type as "40G BiDi"


1057009 : Malformed LLDPDU exchanged between platform and switch leads Cisco to ignore LLDP neighbor info.

Component: F5OS-A

Symptoms:
Cisco switch is not able to identify a neighbor, even though lldp is enabled.
-- Run the command "show lldp neighbor" so you can see the neighbor information on the switch.
-- The Arista switch is able to decode the malformed PDUs, but a tcpdump pcap shows a malformed packet.

Conditions:
-- Cisco switch is connected to hardware.
-- LLDPDUs are tracked with tcpdump on an Arista switch instead of just checking "show neighbor information".

Impact:
Cisco switch does not display the lldp neighbor information. This information is useful to see connected devices and the port information for the connection.

If captured using tcpdump, the malformed packet can be seen on the Arista switch.

Workaround:
Configure only mandatory threshold value limits (chassis-id, port-id and ttl) for lldp.

Config#lldp interfaces interface 1.0 config name 1.0 tlvmap chassis-id,port-id,ttl

Fix:
N/A


 

1055189 : Optical transceiver tuning values for OPT-0048 updated to reduce errors

Component: F5OS-A

Symptoms:
OPT-0048 may show intermittent errors

Conditions:
OPT-0048 optical transceiver inserted into r10000 or r5000 appliance

Impact:
Intermittent optical transceiver errors.

Workaround:
None


1052629 : Port group media string updated

Component: F5OS-A

Symptoms:
The media strings displayed by "show portgroup portgroup state media" do not all correspond to the SFF-8024 standard. Some media strings contain underscores (_) instead of dashes (-).

Conditions:
OPT-0053-01 or OPT-0054-01 optical transceivers inserted in the front panel interfaces.

Impact:
Cosmetic - media strings contain underscores instead of dashes.

Workaround:
None needed, this is display only information

Fix:
Media strings for port groups now correspond to SFF-8024 and no longer contain underscores.


1038877-1 : Last-change value does not display date of password change

Component: F5OS-A

Symptoms:
The last-change value is shown as the number of days since 1970-01-01 (for example, 18970) when running the confd command "show system aaa authentication users user". It should be shown in date format (for example, 2021-12-09).

Conditions:
When running confd cmd: "show system aaa authentication users user"

Impact:
Invalid value of last-change is displayed in "show system aaa authentication users

Workaround:
None


1032697-1 : File delete operation throws an improper message

Component: F5OS-A

Symptoms:
A file delete operation has a confusing error message:

syscon-1-active# file delete file-name log/host/ansible.log

Only /mnt/var/confd/configs/ /var/shared/ configs/ diags/shared/ paths are allowed for Delete file operation on Controller
ConfD.

Conditions:
Attempting a file delete operation from a directory which does not have delete permission

Impact:
The error message lists the actual paths along with the virtual paths on which delete is supported.

Workaround:
None

Fix:
On a file delete operation, the error message lists only virtual paths.


1028873-1 : Colon character is not allowed in the password.

Component: F5OS-A

Symptoms:
Password change fails when the password contains a colon character.

Conditions:
Colon character in the password

Impact:
Password change fails.

Fix:
Handle colon in the password properly


1027929-1 : Adding a VLAN to a LAG that is already configured on a tenant may not configure the VLAN correctly.

Links to More Info: BT1027929

Component: F5OS-A

Symptoms:
Traffic egressing the VELOS system does not reach the external destination.

Conditions:
A VLAN is configured on a tenant and the VLAN is added to a LAG which does not have members from all blades in the partition.

Impact:
Traffic is disrupted.

Workaround:
Remove VLANs from the tenant, then add them to the LAG, then re-add them to the tenant.

Fix:
When a VLAN is added to a LAG, program the host VLAN table for blades that do not contain LAG members.


1027837-1 : Media type of optics with part number OPT-0047 reports as unknown.

Component: F5OS-A

Symptoms:
The optics media type is displayed as unknown.

Conditions:
Optics with part number OPT-0047 is present in the system

Impact:
Media type will not be known

Workaround:
NA

Fix:
Media type should be reported as 100G PAM4 BiDi


1016629-1 : System allows creation of VLAN names that are too long

Links to More Info: BT1016629

Component: F5OS-A

Symptoms:
The /vlans/vlan/config/name value is a free format string. Creating long VLAN names can violate common naming rules.

Conditions:
Creating VLANs whose names are longer than 56 characters (encountered at the /vlans/vlan/config/name endpoint).

Impact:
The F5OS software does not prevent you from creating VLAN names that are too long; however, the BIG-IP system cannot use them.

Note: When this issue is fixed, VLAN names in configurations and scripts will no longer behave as expected. Before upgrading, make sure to follow the instructions in Behavior Change to ensure your upgrade succeeds.

Workaround:
Create shorter VLAN names.

Fix:
VLAN names now have the following constraints:

- May start with an alphabetic character (Aa-Zz).
- Cannot exceed 56 characters in length.
- May contain alpha-numeric characters, periods (.), hyphens (-), and underscores (_).
- Must be unique among VLANs.

!Important! Before upgrading:

-- Ensure that all VLAN names meet these constraints.

-- Update any scripts that create VLANs whose names violate these constraints.

Behavior Change:
VLAN names now have the following constraints:

- May start with an alphabetic character (Aa-Zz).
- Cannot exceed 56 characters in length.
- May contain alpha-numeric characters, periods (.), hyphens (-), and underscores (_).
- Must be unique among VLANs.

Important upgrade information:

Before upgrading:

-- Ensure that all VLAN names meet these constraints.

-- Update any scripts that create VLANs whose names violate these constraints.

-- Configurations from previous versions containing /vlans/vlan/config/name strings that do not meet the new validation rules will fail to load after upgrade.

-- Configuration scripts with /vlans/vlan/config/name strings that do not meet the new validation rules will fail after upgrade.


1016621-1 : VLAN name validation changes

Links to More Info: K64400840, BT1016621

Component: F5OS-A

Symptoms:
Previously, the /vlans/vlan/config/name was a free-format string.

Now, the name has the following constraints:
-- May start with just a letter
-- Cannot exceed 56 characters in length
-- May contain alpha characters, numbers from 0 through 9, period (.), hyphen (-), and underscore (_)
-- Must be unique among VLAN names

Conditions:
When you configure /vlans/vlan/config/name leaf, which is an optional leaf.

Impact:
Previous configuration with /vlans/vlan/config/name strings that do not meet the new validation rules will not load.

Previous configuration scripts with /vlans/vlan/config/name strings that do not meet the new validation rules will fail.

Workaround:
Before upgrading (ideally) or after upgrading and before saving the configuration or exercising scripts, adjust all /vlans/vlan/config/names so they meet the validation requirements.

Fix:
Additional validations were added to VLAN names. You must adjust existing configuration's /vlans/vlan/config/name strings and scripts to meet the new validation rules.

Behavior Change:
Previously, the /vlans/vlan/config/name was a free-format string.

Now, the name has the following constraints:
-- May start with just a letter
-- Cannot exceed 56 characters in length
-- May contain alpha characters, numbers from 0 through 9, period (.), hyphen (-), and underscore (_)
-- Must be unique among VLAN names


1016509-1 : System allows creation of duplicate VLAN names

Links to More Info: BT1016509

Component: F5OS-A

Symptoms:
The /vlans/vlan/config/name value is a free format string and allows duplicate names to be created.

Conditions:
Creating a VLAN using a name that already exists (encountered at the /vlans/vlan/config/name endpoint).

Impact:
Duplicate VLANs are created without error. Which VLAN the system uses is not predictable.

Workaround:
Ensure VLAN names are unique.

Fix:
VLAN names now have the following constraints:

- May start with an alphabetic character (Aa-Zz).
- Cannot exceed 56 characters in length.
- May contain alpha-numeric characters, periods (.), hyphens (-), and underscores (_).
- Must be unique among VLANs.

!Important! Before upgrading:

-- Ensure that all VLAN names meet these constraints.

-- Update any scripts that create VLANs whose names violate these constraints.

Behavior Change:
VLAN names now have the following constraints:

- May start with an alphabetic character (Aa-Zz).
- Cannot exceed 56 characters in length.
- May contain alpha-numeric characters, periods (.), hyphens (-), and underscores (_).
- Must be unique among VLANs.

Important upgrade information:

Before upgrading:

-- Ensure that all VLAN names meet these constraints.

-- Update any scripts that create VLANs whose names violate these constraints.

-- Configurations from previous versions containing /vlans/vlan/config/name strings that do not meet the new validation rules will fail to load after upgrade.

-- Configuration scripts with /vlans/vlan/config/name strings that do not meet the new validation rules will fail after upgrade.
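
A pre-upgrade audit of VLAN names against the constraints listed for 1016629-1, 1016621-1 and 1016509-1, as an added example that is not F5 code. It assumes the names have already been exported as (VLAN ID, name) pairs, reads "may start with a letter" as a requirement, and compares names case-sensitively; the sample data is constructed.

```python
from collections import Counter

# Limits taken from the constraints listed in these release notes.
MAX_LEN = 56
ALLOWED_PUNCT = "._-"


def check_name(name):
    """Return the list of constraint violations for one VLAN name."""
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"length {len(name)} exceeds {MAX_LEN}")
    # Assumption: "may start with a letter" means the first character
    # must be an ASCII letter.
    if not (name[0].isascii() and name[0].isalpha()):
        problems.append("does not start with a letter")
    bad = sorted({c for c in name
                  if not (c.isascii() and (c.isalnum() or c in ALLOWED_PUNCT))})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def audit(vlans):
    """vlans: iterable of (vlan_id, name) pairs.

    The name leaf is optional, so a VLAN with no name (None or "") is skipped.
    Returns {vlan_id: [problem, ...]} for every VLAN whose name would be
    rejected by the new validation rules.
    """
    vlans = list(vlans)
    # Assumption: uniqueness is an exact, case-sensitive comparison.
    counts = Counter(name for _, name in vlans if name)
    report = {}
    for vlan_id, name in vlans:
        if not name:
            continue
        problems = check_name(name)
        if counts[name] > 1:
            others = sorted(v for v, n in vlans if n == name and v != vlan_id)
            problems.append(f"duplicate name, also used by VLAN {others}")
        if problems:
            report[vlan_id] = problems
    return report


# Constructed sample inventory, not taken from a real system.
SAMPLE = [
    (100, "prod-web_01.dmz"),   # valid
    (200, "internal vlan"),     # contains a space
    (300, "9-storage"),         # starts with a digit
    (400, "a" * 57),            # one character too long
    (500, "backup"),
    (501, "backup"),            # duplicate of VLAN 500
    (600, None),                # optional leaf not set
]

if __name__ == "__main__":
    for vlan_id, problems in sorted(audit(SAMPLE).items()):
        print(f"VLAN {vlan_id}: " + "; ".join(problems))
```

Any VLAN reported here needs to be renamed, along with the scripts that create it, before the upgrade.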


1015497-2 : In rare cases, the blade software can disconnect from the system controller and never recover.

Links to More Info: BT1015497

Component: F5OS-A

Symptoms:
In very rare scenarios, blade software components may be unable to communicate with the database on the system controller. LACP and STP daemons hang at startup, and it could cause other issues in a partition.

Conditions:
The issue can occur when both system controllers are rebooted at once.

Impact:
The LACP, LLDP, and STP daemons may be indefinitely unusable. It is suspected there could be other impacts depending on which blade software component is affected, though no other issue has been observed.

Workaround:
1. Reboot the affected blade.
2. Disable then re-enable the affected partition.

Fix:
The affected blade software component can now detect the connection issue and will re-establish the connection to the system controller's database.


1014009-2 : Blade out of memory condition when using a large number of VLANs.

Links to More Info: BT1014009

Component: F5OS-A

Symptoms:
If a tenant or tenants are assigned a large number of VLANs, an out of memory condition can be triggered on the blade after several days.

Conditions:
A large number of VLANs is assigned to a single tenant.

Impact:
Tenants may die and new tenants may fail to launch on the affected blade.

Workaround:
Reduce the number of VLANs assigned to a single tenant.


1009685-3 : 1.2.1 platform software cannot be imported on Controller OS versions below 1.2.0

Component: F5OS-A

Symptoms:
It is not possible to import 1.2.1 platform software (Controller or Partition OS, services, or ISOs) on Controller OS versions lower than 1.2.0.

Conditions:
1. Running a version of Controller OS <1.2.0
2. Try to import 1.2.1 platform software.

Impact:
You are unable to import platform software version 1.2.1 if the Controller OS version is lower than version 1.2.0.

Fix:
It is now possible to import platform software version 1.2.1 while running version 1.1.4 of the Controller OS (but still not prior 1.1.X releases).


1008585-3 : L2 Table corruption results in a traffic loss.

Links to More Info: BT1008585

Component: F5OS-A

Symptoms:
The Layer 2 (L2) table on a blade can become corrupted under certain conditions. When this happens, traffic to the affected destination (either a tenant or an external interface) does not flow properly.

Conditions:
-- VELOS system with more than one blade installed.
-- A packet for a tenant associated with one blade arrives on a different blade that is encountering the L2 table corruption.

Impact:
Traffic loss to a tenant or the front-panel interfaces. This may include partial or full packet loss to the tenant.

Workaround:
None

Fix:
FPGA Manager now detects the corruption so incorrect entries are not written to the L2 table. This prevents traffic loss from occurring.


1001865-1 : No platform trunk information passed to tenant

Component: F5OS-A

Symptoms:
Trunk information is not being published to BIG-IP tenants for use in high availability (HA) group definitions.

Conditions:
When defining high availability (HA) groups.

Impact:
No trunk or trunk member information is reported. This reduces the usefulness of information used to compare the relative health of high availability (HA) peers and potentially initiating a tenant failover, depending on that output.

Workaround:
None

Fix:
Trunk information is now synchronized between the VELOS system and tenants, enhancing the tenant high availability (HA) health check.

Behavior Change:
Trunk information is now synchronized between the VELOS system and tenants, which increases the usefulness of information used to compare the relative health of high availability (HA) peers and potentially initiating a tenant failover, depending on that output.



Known Issues in F5OS-A v1.0.x


F5OS-A Issues

ID Number | Severity | Links to More Info | Description
1065589 | 1-Blocking | | K3S service does not start after system downgrade
1063137 | 2-Critical | BT1063137 | The tenant management IP and console is intermittently not accessible.
1054021-1 | 2-Critical | | Tcpdump on VELOS chassis blade or rSeries appliance cores when line-dma agent layer below it fails
1067177-1 | 3-Major | | The 'show portgroups portgroup' command is slow when no optical transceivers are plugged into front panel ports
1065337-1 | 3-Major | BT1065337 | Platform software imports can appear successful even if OStree import fails
1063649 | 3-Major | | Changing the system date to be older than the installation date is not supported.
1061757-1 | 3-Major | | VLAN Listener for a VLAN shared between tenants may not upgrade properly
1059885 | 3-Major | | When a VLAN list is entered in the CLI then the entire list is replaced.
1056453-1 | 3-Major | | Tenant datapath will not work if the Tenant is named stpd.
1042785 | 3-Major | BT1042785 | Configuring spanning tree (stp) while disabled may display incorrect state
1061281 | 4-Minor | | Snd_hda_intel 0000:00:1f.3: no codecs found

 

Known Issue details for F5OS-A v1.0.x

1067177-1 : The 'show portgroups portgroup' command is slow when no optical transceivers are plugged into front panel ports

Component: F5OS-A

Symptoms:
The 'show portgroups portgroup' command is slow when no optical transceivers are plugged into front panel ports. This affects the CLI, GUI, and RESTCONF.

Conditions:
R5000 and r1000 platforms with sparsely populated or empty front panel ports

Impact:
Slow response to portgroup information on unpopulated front panel ports. No functional impact - just slow reporting.


1065589 : K3S service does not start after system downgrade

Component: F5OS-A

Symptoms:
During tenant deployment, the "compute" pod fails to come up.
Multiple kubehelper pods will be triggered.

Conditions:
This can occur after a downgrade.

Impact:
Tenant deployments fail.

Workaround:
1) Manually delete the script /var/F5/system/apigw-tenant-helper.sh before the downgrade.
2) If you forget to delete the script (step 1), the recovery options are:
  a) Remove the file and reboot the system.
  b) Perform a bare metal install.


1065337-1 : Platform software imports can appear successful even if OStree import fails

Links to More Info: BT1065337

Component: F5OS-A

Symptoms:
If the import of OStree data from an .iso or .os platform image fails, it is still possible for the overall import operation to be marked as "successful".

Conditions:
OStree import during .iso or .os platform image import fails.

Impact:
Misleading import state is reported, which can result in unexpected upgrade failures when trying to use the imported software.

Workaround:
Remove the affected software and then re-import it.


1063649 : Changing the system date to be older than the installation date is not supported.

Component: F5OS-A

Symptoms:
All system self-signed certificates are generated using the installation system date. Changing the date to an older date than the installation date can cause instability.

Conditions:
Setting the system date to be older than the installation date on an rSeries appliance.

Impact:
The system enters an unstable state.


1063137 : The tenant management IP and console is intermittently not accessible.

Links to More Info: BT1063137

Component: F5OS-A

Symptoms:
The tenant management IP and console are intermittently not accessible after live upgrades.

Conditions:
This occurs during live upgrade of an rSeries appliance.

Impact:
The tenant management IP and console are intermittently not accessible.

Workaround:
Change tenant state to provisioned and back to deployed state.


1061757-1 : VLAN Listener for a VLAN shared between tenants may not upgrade properly

Component: F5OS-A

Symptoms:
After upgrading from 1.1.4 to a 1.2 release when there are tenants configured that share VLANs, the VLAN listener is not properly upgraded.

Conditions:
Tenants sharing VLANs in a configuration that is upgraded from 1.1.4 to 1.2.x.

Impact:
Traffic will not pass correctly.

Workaround:
Remove the VLAN from the interface(s) and then add it back (no changes to the tenant are necessary).

This re-creates the vlan-listener with the correct VTC value.


1061281 : Snd_hda_intel 0000:00:1f.3: no codecs found

Component: F5OS-A

Symptoms:
During a reboot, error messages related to snd_hda_intel are logged:

"snd_hda_intel 0000:00:1f.3: no codecs found!"

Conditions:
This occurs during a reboot of an rSeries appliance.

Impact:
No functional impact; the error can be safely ignored.

Workaround:
None


1059885 : When a VLAN list is entered in the CLI then the entire list is replaced.

Component: F5OS-A

Symptoms:
When entering a VLAN list using the confd CLI, the current configuration is replaced with the new list.

Conditions:
Using the confd CLI to assign interfaces to a list of VLANs. For example:

appliance-1(config)# interfaces interface 2.0 ethernet switched-vlan config trunk-vlans [ 200 300 400 500 600 ]
appliance-1(config-interface-2.0)# commit
Commit complete.
appliance-1(config-interface-2.0)# end
appliance-1# show vlans
VLAN
ID INTERFACE
-----------------
200 2.0
300 2.0
400 2.0
500 2.0
600 2.0

appliance-1(config)# interfaces interface 2.0 ethernet switched-vlan config trunk-vlans [ 900 1000 ]
appliance-1(config-interface-2.0)# commit
Commit complete.
appliance-1(config-interface-2.0)# end
appliance-1# show vlans
VLAN
ID INTERFACE
-----------------
200
300
400
500
600
900 2.0
1000 2.0

Impact:
Interfaces are assigned only to the list of VLANs specified, even if they were already assigned to existing VLANs.

Workaround:
The correct way to delete a single VLAN is to not use the list ("[]") syntax:
appliance-1# config
Entering configuration mode terminal
appliance-1(config)# interfaces interface 2.0 ethernet switched-vlan config trunk-vlans [ 200 300 400 500 600 ]
appliance-1(config-interface-2.0)# commit
Commit complete.
appliance-1(config-interface-2.0)# top
appliance-1(config)# no interfaces interface 2.0 ethernet switched-vlan config trunk-vlans
Possible completions:
  200 300 400 500 600 [ <cr>
appliance-1(config)# no interfaces interface 2.0 ethernet switched-vlan config trunk-vlans 400
appliance-1(config)# commit
Commit complete.
appliance-1(config)# end
appliance-1# show vlans
VLAN
ID INTERFACE
-----------------
200 2.0
300 2.0
400
500 2.0
600 2.0
900
1000


1056453-1 : Tenant datapath will not work if the Tenant is named stpd.

Component: F5OS-A

Symptoms:
If a tenant is created with the name stpd, there will be a conflict with a system component. The datapath will not function correctly.

Conditions:
A tenant is created with the name "stpd"

Impact:
The datapath for the tenant will not function.

Workaround:
Change the name of the tenant.


1054021-1 : Tcpdump on VELOS chassis blade or rSeries appliance cores when line-dma agent layer below it fails

Component: F5OS-A

Symptoms:
Line-dma agent is the underlying layer of tcpdump in the VELOS/rSeries family of chassis and appliance products.
When it is not running, or if it cores or is otherwise not available, and a client wants a tcpdump capture, tcpdump may core.

Conditions:
-- line-dma-agent is not functional at start, or at some later point in time during the tcpdump capture
-- a client requests a tcpdump capture

Impact:
Packet capture will be affected and will not work.


1042785 : Configuring spanning tree (stp) while disabled may display incorrect state

Links to More Info: BT1042785

Component: F5OS-A

Symptoms:
While stp is disabled, configuring a field such as MSTP max-hop causes the enabled-protocol to display an incorrect value.

Conditions:
Delete enabled-protocol configuration field.
Delete another stp configuration field such as MSTP max-hop

Impact:
The stp enabled-protocol display is incorrect.

Workaround:
To mitigate, do not configure stp while not enabled.



