Applies To:
F5OS-A
- 1.1.0
F5OS-A Release Information
Version: 1.1.0
Build: 7645
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Known Issues in F5OS-A v1.1.x
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description |
987225-3 | CVE-2022-41780 | K81701735 | Container hardening |
1060905 | CVE-2020-10878 | K40508224 | Perl Vulnerability: CVE-2020-10878 |
Functional Change Fixes
None
F5OS-A Fixes
ID Number | Severity | Links to More Info | Description |
1065589 | 1-Blocking | | K3S service does not start after system downgrade.★ |
1063781 | 1-Blocking | | Duplicate broadcast/multicast packets are sent out a front panel interface. |
1090089-1 | 2-Critical | | NTP service does not work on rSeries appliances |
1080421-1 | 2-Critical | BT1080421 | LACP does not transmit PDU's when creating a LAG |
1078633 | 2-Critical | | Tenant to API gateway communication and unit-key will not work after key rotation |
1064089 | 2-Critical | | Traffic over shared VLANs does not work |
1061149 | 2-Critical | | Libvirt core is generated on system reboot |
1012437-1 | 2-Critical | BT1012437 | Tenant virtual disk is deleted when the tenant running-state is set to "configured." |
991061-2 | 3-Major | BT991061 | Admin cannot edit the tenant config in Deployed state from GUI if the tenants are created via CLI; downgrading partition or rSeries appliance may leave device inoperative |
923609 | 3-Major | | rSeries 5900 Error - Thermal fault detected in hardware |
1097925 | 3-Major | | Resolving CVEs on F5OS-A 1.1.0 |
1084817-1 | 3-Major | BT1084817 | Container api-svc-gateway crashes due to certificate issues partition database |
1084581-1 | 3-Major | BT1084581 | Log files collected by QKView are truncated with the newest entries removed |
1083261 | 3-Major | | Invalid DNS search path causes tenants to fail to start |
1083077 | 3-Major | | LACP trunks are not configured automatically in BIG-IP tenant running on F5OS chassis/appliances |
1082529 | 3-Major | | Delay in SSH login to Appliance management IP |
1080417 | 3-Major | BT1080417 | List of running containers are not captured in host qkview |
1080109-1 | 3-Major | | System reboot or link down/up transition causes packet loss. |
1079697 | 3-Major | | Incorrect link aggregation group (LAG) / trunk information passed to tenant. |
1078149 | 3-Major | | Unable to deploy one tenant when user attempts to deploy 28 tenants on r10800 |
1077785 | 3-Major | | STP errors messages reported in platform.log when global STP is enabled but STP parameters are not configured in interfaces |
1074381 | 3-Major | | Invalid error message in log when 40g transceiver is inserted |
1073553 | 3-Major | | Log rotation does not occur for k3s events. |
1069529-2 | 3-Major | | "Appliance Mode" UI control intermittently will revert your selection back to its configured state when enabling or disabling. |
1069209-1 | 3-Major | | LAG names starting with a digit |
1067765-1 | 3-Major | BT1067765 | VELOS GUI occasionally shows stale content after upgrading★ |
1067177-2 | 3-Major | | The 'show portgroups portgroup' command is slow when no optical transceivers are plugged into front panel ports. |
1066869-1 | 3-Major | | The r10000 and r5000 platforms may reuse the MAC address for both management and data plane. |
1066817-1 | 3-Major | | Change in the procedure of PXE installation for appliances. |
1066365-1 | 3-Major | | Message of the Day not working for admin user |
1065085 | 3-Major | BT1065085 | MD5 cipher is allowed on RESTCONF port 8888 with FIPS-enabled license. |
1064525-1 | 3-Major | | Interface counters are slow to update |
1064305-2 | 3-Major | BT1064305 | Unable to import VELOS images from the F5 downloads site |
1064125-1 | 3-Major | | Sw_rbcast container restarts on non-fatal errors |
1062021-1 | 3-Major | | Lacpd process continuously restarts after creating a LAG interface with a space.★ |
1060193 | 3-Major | | e2fsprogs vulnerability: CVE-2019-5188 |
1057145 | 3-Major | | Qkview capture with timeout does not stop capture after timeout |
1057109 | 3-Major | | CUPS Vulnerability: CVE-2017-18190 |
1056705 | 3-Major | | OpenLDAP Vulnerability: CVE-2020-25692 |
1056137 | 3-Major | | zsh Vulnerability: CVE-2019-20044 |
1056129 | 3-Major | | libcups vulnerabilities: CVE-2019-8696 CVE-2019-8675 |
1046221-2 | 3-Major | | SM2 cannot be used for creating self-signed certificates |
1035589-1 | 3-Major | BT1035589 | Source address for TACACS+ server group configuration does not work |
1034093-2 | 3-Major | | protobuf vulnerability: CVE-2021-3121 |
1027009 | 3-Major | | DNS servers attained through DHCP not reflected in confd |
1061281-1 | 4-Minor | | Snd_hda_intel 0000:00:1f.3: no codecs found. |
1060537 | 4-Minor | | Portgroup state set to empty strings when optic removed |
Cumulative fix details for F5OS-A v1.1.0 that are included in this release
991061-2 : Admin cannot edit the tenant config in Deployed state from GUI if the tenants are created via CLI; downgrading partition or rSeries appliance may leave device inoperative
Links to More Info: BT991061
Component: F5OS-A
Symptoms:
Trying to modify a tenant via the GUI or API may not work if the tenant was created via the CLI, and is deployed.
Attempting to downgrade an rSeries appliance from F5OS-A 1.1.0 or above to F5OS-A 1.0.x may fail if the device has any tenants deployed. This leaves the system inoperative, with errors similar to the following in /var/F5/system/log/confd.log:
<CRIT> 5-Jun-2022::03:17:21.056 appliance-1 confd[105]: - CDB: Upgrade failed: Upgrade transaction failed to validate: /f5-tenants:tenants/tenant{otters}/config/storage/size (value "90"): Storage size can be modified only if tenant is in Configured or Provisioned state.
Attempting to downgrade an F5OS-C partition from F5OS-C 1.3.0 or above to F5OS-C 1.2.1 or below may fail if the partition has any tenants deployed. The partition should continue running on the "from" target version.
Conditions:
Admin creates the tenant via CLI and subsequently edits the following tenant config when the running-state is set to Deployed:
-- Scale-up/Scale-down the tenant.
-- Add/Remove VLAN.
Impact:
Admin cannot scale up/scale down the cluster using the GUI if the tenant is initially deployed via CLI.
Downgrades of F5OS-A appliance or F5OS-C partition may fail or leave the system inoperative.
Workaround:
Use the CLI to scale-up/scale-down and add/remove the VLAN to the tenant.
When performing a downgrade, set the tenants to Provisioned first.
987225-3 : Container hardening
Links to More Info: K81701735
923609 : rSeries 5900 Error - Thermal fault detected in hardware
Component: F5OS-A
Symptoms:
An rSeries 5900 displays the following error message:
"WARNING: Thermal fault detected in hardware"
This issue occurs intermittently on reboot at normal operating temperature. It is a false alarm.
Conditions:
Reboot a device running at operating temperature.
Impact:
After a reboot, the LCD displays an alarm message indicating that the device is exceeding or has exceeded its operating temperature, even when it is operating within the normal operating temperature range.
Workaround:
None
Fix:
A BIOS update fixes the faulty thermal threshold configuration code that was causing a false thermal event upon reboot.
1097925 : Resolving CVEs on F5OS-A 1.1.0
Component: F5OS-A
Symptoms:
F5OS-A 1.1.0 is vulnerable to the CVEs mentioned in the bug.
CVE-2021-27219
CVE-2021-43527
CVE-2022-23852
CVE-2020-10531
CVE-2022-24407
CVE-2018-1000805
CVE-2021-44142
CVE-2020-12321
CVE-2020-24489
CVE-2021-42574
CVE-2020-8625
Impact:
F5OS-A 1.1.0 is vulnerable to the CVEs mentioned in the bug.
1090089-1 : NTP service does not work on rSeries appliances
Component: F5OS-A
Symptoms:
The NTP service does not work on rSeries appliances that run F5OS-A.
Running chronyc ntpdata returns "501 Not authorized"
Conditions:
-- rSeries appliance running F5OS-A
-- NTP configured
Impact:
NTP functionality does not work.
Workaround:
Change the directory ownership to chrony using the following command:
chown chrony:chrony /var/run/chrony
Fix:
Updated the ownership of the "/var/run/chrony" directory and removed unwanted configuration from "chrony.conf".
1084817-1 : Container api-svc-gateway crashes due to certificate issues partition database
Links to More Info: BT1084817
Component: F5OS-A
Symptoms:
The api-svc-gateway container crashes when a bad self-signed certificate or key is published to the partition database.
Conditions:
A corrupted certificate/key causes the issue.
Impact:
The api-svc-gateway service crashes.
Workaround:
Run the following command:
(config) # system database reset-to-default proceed
Fix:
When this happens, api-svc-gateway now:
* detects when it cannot set up an SSL connection using these credentials
* logs an error
* sets health status to unhealthy with appropriate error and severity
* tries to start a GRPC server with only insecure credentials
1084581-1 : Log files collected by QKView are truncated with the newest entries removed
Links to More Info: BT1084581
Component: F5OS-A
Symptoms:
If log files are exceedingly large, they may be truncated when collected by QKView from the 'bottom-up', meaning that the most recent log entries are clipped.
Conditions:
Log files exceed the maximum file size (default 500 MB) specified during QKView creation.
Impact:
Most recent log entries are clipped, making diagnosis difficult.
Workaround:
Collect the log files manually.
Fix:
QKView log files are now truncated 'top-down', preserving the most recent log entries.
1083261 : Invalid DNS search path causes tenants to fail to start
Component: F5OS-A
Symptoms:
Tenants fail to start, with kubevirt virt-launcher pods in a restart loop.
Conditions:
An invalid DNS search domain is configured on the system.
Impact:
Tenants fail to start and remain stuck in a "Pending" state.
Workaround:
Reconfigure the DNS search domain with valid values.
1083077 : LACP trunks are not configured automatically in BIG-IP tenant running on F5OS chassis/appliances
Component: F5OS-A
Symptoms:
When an LACP trunk is configured on an F5OS chassis/appliance and only the native VLAN is attached, the LACP trunk will not be automatically configured on the BIG-IP tenant.
Conditions:
This behavior is observed only when the LACP trunk is attached to a native VLAN.
Impact:
LACP trunk configuration will not be applied to the BIG-IP tenant automatically when only a native VLAN is attached to it on the platform.
Workaround:
Configure the LACP trunk in the BIG-IP tenant manually.
Fix:
LACP trunks are now configured automatically in BIG-IP tenant running on F5OS chassis/appliances, as expected.
1082529 : Delay in SSH login to Appliance management IP
Component: F5OS-A
Symptoms:
SSH login to the appliance management IP is delayed.
Conditions:
This is an intermittent issue with no specific triggering condition.
Impact:
Login to the appliance hardware is delayed.
Workaround:
None
Fix:
Fixed the code to avoid login delays.
1080421-1 : LACP does not transmit PDU's when creating a LAG
Links to More Info: BT1080421
Component: F5OS-A
Symptoms:
LAG interface creation is not successful, and the tx packet count in 'show lacp' is zero.
Conditions:
This issue occurs due to a race condition while creating a LAG interface and is not reproducible every time.
Impact:
Link aggregation of the front panel ports will not work as expected.
Workaround:
1) Clear the newly added LAG configurations:
a) Remove the LACP interface:
no lacp interfaces interface <lag-name>
b) Remove the interfaces from the LAG:
no interfaces interface <interface> ethernet config aggregate-id
c) Remove the LAG interface:
no interfaces interface <lag-interface>
2) Create the LAG interface and add interfaces to the LAG.
Fix:
Fixed the code to remove the race condition and read lag-type as LACP.
1080417 : List of running containers are not captured in host qkview
Links to More Info: BT1080417
Component: F5OS-A
Symptoms:
The list of running containers is not captured in the host qkview.
Conditions:
Collect a qkview and look for the list of containers running on the system in the qkview file.
Impact:
The list of running containers cannot be obtained from the qkview.
Workaround:
The administrator needs to run the 'docker ps' command on the system and share the output with support.
Fix:
Qkview now includes the list of running containers on the system.
1080109-1 : System reboot or link down/up transition causes packet loss.
Component: F5OS-A
Symptoms:
A reboot of the system or a link down/up transition can result in packet loss on the affected front-panel interface(s).
Conditions:
A link down->up transition on one or more front panel interfaces, initiated either from the peer side or by a system reboot.
Impact:
LACP LAGs can fail to form. Ingress traffic is not received by the tenants.
Workaround:
Reboot the system.
Fix:
Changed link-down processing so that it does not reset the internal hardware state of the front panel MACs.
1079697 : Incorrect link aggregation group (LAG) / trunk information passed to tenant.
Component: F5OS-A
Symptoms:
A BIG-IP tenant running on a VELOS system incorrectly reports all "ha-only" trunk objects as up, regardless of the actual status of the trunk.
BIG-IP tenants can also report incorrect status of trunks after the LAG type is changed from LACP to STATIC or vice-versa.
An interface name is displayed as empty when an interface is deleted from a LAG.
As a result of these, high availability (HA) group failover based on trunk status is unreliable and unusable.
Conditions:
-- LAGs configured on F5OS system.
-- Attempting to use high availability (HA) group failover based on trunk status inside BIG-IP tenant.
Impact:
HA group failover based on trunk status is unreliable and unusable for BIG-IP tenants running on an F5OS system.
Workaround:
After configuring a new LAG in the F5OS partition or changing a LAG type from LACP to STATIC or from STATIC to LACP, reboot the traffic blades.
For rSeries devices, the entire device must be restarted.
After rebooting, the ha-group trunk entries should show the expected values when one or more members are missing from the aggregate link.
Fix:
This issue has been corrected.
1078633 : Tenant to API gateway communication and unit-key will not work after key rotation
Component: F5OS-A
Symptoms:
The system-api-svc-gateway fails to decrypt the unit key, crashes, and is unable to communicate with the tenant.
Conditions:
A key migration or rotation is performed in confd: system aaa primary-key
Impact:
Communication between the API gateway and the tenant is disrupted.
Note: If no key-rotation was ever done, this issue does not occur.
Workaround:
To correct the current unit-key issue, invoke the config command:
system database reset-to-default proceed yes
To avoid the issue, disable key-rotation. To prevent key rotation, add the line '/tenants/tenant{%x}/config/unit-key' to the file in the confd-key-migration-mgr container:
/tenants/tenant{%x}/config/unit-key
To do so: ssh as root into the device and do the following:
# docker exec -it confd-key-migration-mgr bash
bash-4.2# echo "/tenants/platform-self-signed-cert/self-signed-key" >> /etc/confd-key-migration/appliance-secure-elem-manifest
bash-4.2# echo "/tenants/tenant{%x}/config/unit-key" >> /etc/confd-key-migration/appliance-secure-elem-manifest
bash-4.2# exit
# docker restart confd-key-migration-mgr
Fix:
The system now adds the line to the manifest file.
Because the unit-key does not get re-encrypted with the new key, after upgrading to a software version containing the fix, run the config command:
system database reset-to-default proceed yes
1078149 : Unable to deploy one tenant when user attempts to deploy 28 tenants on r10800
Component: F5OS-A
Symptoms:
The 28th tenant deployment fails when 28 tenants (each with 1 vCPU) are deployed.
The issue is seen only with an r10800 license.
27 tenants are deployed successfully but the 28th tenant deployment fails.
The issue does not occur when one tenant is deployed with 28 vCPUs.
Conditions:
The issue is seen under the following conditions:
-- System has R10800 license installed
-- You attempt to deploy 28 tenants
-- Each tenant has only 1 vCPU
Impact:
The 28th tenant is not deployed on r10800.
The maximum number of supported tenants on r10800 is 28.
1077785 : STP errors messages reported in platform.log when global STP is enabled but STP parameters are not configured in interfaces
Component: F5OS-A
Symptoms:
The VELOS platform.log contains numerous STP error messages:
appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface name" ERRNO=8 ERRNOSTR="badly formatted or nonexistent path".
appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface port-num" ERRNO=8 ERRNOSTR="badly formatted or nonexistent path".
appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface port-state" ERRNO=8
Conditions:
The following is the correct sequence of STP configuration.
appliance-1(config)# stp global config enabled-protocol RSTP
appliance-1(config)# stp rstp interfaces interface 1.0 config cost 100;top
appliance-1(config)# stp interfaces interface 1.0 config edge-port EDGE_AUTO link-type P2P ;
appliance-1(config-interface-1.0)# exit
appliance-1(config)# commit;
If the command "stp rstp interfaces interface 1.0 config cost 100;top" is not run, the log messages will occur.
Impact:
The VELOS platform.log grows at a rate of 2 MB per minute.
Workaround:
To stop these messages, configure the following:
stp rstp interfaces interface 1.0 config cost 100;top
Fix:
Multiple STP error messages are no longer logged when not needed.
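A small parser for the key=value log lines quoted in this document, as an added example (not F5 code): it groups error-priority messages by process and msgid so that a flood such as the stpd one described above stands out. The function names and the repeat threshold are illustrative, and it assumes lines shaped like the ones quoted on this page.

```python
import re
from collections import Counter

# Header "<host> <process>[<pid>]: " followed by key=value fields.
HEADER = re.compile(r'(?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<body>.*)')
# A value is either double-quoted (may contain spaces) or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log lines reproduced from the Symptoms sections of this document.
SAMPLE = [
    'appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface name" ERRNO=8 ERRNOSTR="badly formatted or nonexistent path".',
    'appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface port-num" ERRNO=8 ERRNOSTR="badly formatted or nonexistent path".',
    'appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface port-state" ERRNO=8',
    'appliance-1 fpgamgr[22]: priority="Err" version=1.0 msgid=0x303000000000013 msg="Unsupported SFP+/SFP28 Optic" portgroup=1.',
    'appliance-1 sw-rbcast[20]: priority="Notice" version=1.0 msgid=0x6903000000000003 msg="Software Rebroadcaster disconnected from Host DMA-Agent." error=3.',
    'appliance-1 sw-rbcast[20]: priority="Info" version=1.0 msgid=0x6903000000000002 msg="Software Rebroadcaster connected to Host DMA-Agent".',
]


def parse_line(line):
    """Return a dict for one log line, or None if it has no recognisable header."""
    m = HEADER.search(line.strip())
    if not m:
        return None
    rec = {"host": m["host"], "proc": m["proc"], "pid": int(m["pid"])}
    for key, quoted, bare in FIELD.findall(m["body"]):
        # A bare value at the end of a line carries the sentence-ending period.
        rec[key] = quoted if bare == "" else bare.rstrip(".")
    return rec


def noisy_messages(lines, min_count=3, priorities=("Err",)):
    """Report (process, msgid) pairs logged at least min_count times.

    Only messages whose priority is in `priorities` are counted. The distinct
    FIELD values are collected because they show which objects the daemon
    keeps failing on.
    """
    counts = Counter()
    details = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("priority") not in priorities:
            continue
        key = (rec["proc"], rec.get("msgid"))
        counts[key] += 1
        entry = details.setdefault(key, {"msg": rec.get("msg"), "fields": set()})
        if "FIELD" in rec:
            entry["fields"].add(rec["FIELD"])
    return [
        {
            "proc": proc,
            "msgid": msgid,
            "count": n,
            "msg": details[(proc, msgid)]["msg"],
            "fields": sorted(details[(proc, msgid)]["fields"]),
        }
        for (proc, msgid), n in counts.most_common()
        if n >= min_count
    ]


if __name__ == "__main__":
    for hit in noisy_messages(SAMPLE):
        print(hit)
```

On a real platform.log the threshold would be set per time window rather than per file; the grouping key stays the same.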
1074381 : Invalid error message in log when 40g transceiver is inserted
Component: F5OS-A
Symptoms:
An erroneous message is logged when a 40G optic is inserted.
appliance-1 fpgamgr[22]: priority="Err" version=1.0 msgid=0x303000000000013 msg="Unsupported SFP+/SFP28 Optic" portgroup=1.
Conditions:
40G optical transceiver inserted in VELOS or rSeries appliance
Impact:
A log message is logged at the Error level. It can be safely ignored.
Workaround:
None
Fix:
Errant message no longer appears.
1073553 : Log rotation does not occur for k3s events.
Component: F5OS-A
Symptoms:
The k3s_events.log file is not rotated.
Conditions:
K3s provisioning from the OMD is initiated.
Impact:
Most of the system memory is consumed by k3s_events.log and the system starts responding slowly.
Workaround:
Manually empty the contents of /var/log/k3s_events.log file from the system.
1069529-2 : "Appliance Mode" UI control intermittently will revert your selection back to its configured state when enabling or disabling.
Component: F5OS-A
Symptoms:
On the SYSTEM SETTINGS/General screen for the rSeries appliance, the "Appliance Mode" Enable/Disable radio button choice will revert back to its configured state when you're attempting to change the configuration prior to saving it.
Conditions:
The Enable/Disable radio button for Appliance Mode will undo your preferred selection when the screen does a periodic poll in the background to refresh state information that is displayed on the SYSTEM SETTINGS/General screen.
Impact:
If you attempt to either enable or disable Appliance Mode and the screen does a periodic polling refresh at the moment you make your desired selection, your selection will be reverted back to the actual current configuration state for Appliance Mode.
Workaround:
The impact is intermittent and only occurs at the precise moment the screen is refreshing its state information --- typically a 10 second interval. Appliance Mode can still be enabled or disabled via the webUI as long as it is within the window the screen is not doing a periodic refresh. Additionally, Appliance Mode can be enabled or disabled from the command line interface (CLI).
Fix:
Periodic polling on the SYSTEM SETTINGS/General screen for rSeries appliances will be disabled or removed.
1069209-1 : LAG names starting with a digit
Component: F5OS-A
Symptoms:
Provisioning a VELOS tenant with a LAG name that begins with a digit can fail.
Conditions:
-- Configuring a LAG with a name that begins with a digit.
-- Provisioning a BIG-IP tenant
Impact:
VELOS tenant fails.
Workaround:
Do not configure LAG names that start with a digit.
Fix:
LAG names with digits are no longer allowed.
1067765-1 : VELOS GUI occasionally shows stale content after upgrading★
Links to More Info: BT1067765
Component: F5OS-A
Symptoms:
After upgrading VELOS and reloading a page, the GUI sometimes displays stale content in the browser cache.
Conditions:
VELOS software has been upgraded and the browser cache settings are set to allow caching.
Impact:
Stale content is displayed.
Workaround:
Empty your browser cache and reload the page to display the latest content.
Fix:
This issue is fixed and the correct content is displayed after upgrading.
1067177-2 : The 'show portgroups portgroup' command is slow when no optical transceivers are plugged into front panel ports.
Component: F5OS-A
Symptoms:
The 'show portgroups portgroup' command is slow when no optical transceivers are plugged into front panel ports. This affects the CLI, GUI, and RESTCONF.
Conditions:
R5000 and r1000 platforms with sparsely populated or empty front panel ports.
Impact:
Slow response to portgroup information on unpopulated front panel ports. No functional impact - just slow reporting.
Workaround:
N/A
Fix:
N/A
1066869-1 : The r10000 and r5000 platforms may reuse the MAC address for both management and data plane.
Component: F5OS-A
Symptoms:
The MAC address assigned to the macvlan interface mgmt0-system may also be assigned to a dataplane object: a lag or a tenant.
Conditions:
More than 233 lags or tenants are configured on an r10000 or r5000 platform.
Impact:
If the management interface mgmt0-system and the lag or tenant are on the same broadcast domain, both devices will have communication problems. Duplicate MACs going to different switches will be fine.
Workaround:
The MAC address that will be duplicated is at offset 0xfc from the base MAC. If a tenant or lag has been assigned basemac+0xfc, remove the tenant or lag, reduce the number of lags + tenants to less than 252, and then re-create the tenant or lag, checking that the assigned MAC does not use offset 0xfc from the base MAC.
Fix:
The pool of available MAC addresses to be used for tenants or lags on r10000 and r5000 platforms has been reduced from 236 to 233 to ensure unique MACs are supplied for all interfaces, lags and tenants.
1066817-1 : Change in the procedure of PXE installation for appliances.
Component: F5OS-A
Symptoms:
There is a change in the procedure of PXE installation for appliances, defined at
https://techdocs.f5.com/en-us/f5os-a-1-0-0/f5-rseries-systems-installation-upgrade/title-install-upgrade-software.html#clean-install
Conditions:
After PXE install, the ISO needs to be copied to /var/export/chassis/import/iso folder before doing any other import activities.
Impact:
If this step is skipped, issues will occur with the software import and upgrade process.
Workaround:
None
Fix:
Fixed an issue with the documentation.
1066365-1 : Message of the Day not working for admin user
Component: F5OS-A
Symptoms:
Message of the Day (MOTD) is not displayed when the admin user logs in to BIG-IP Next.
Conditions:
Message of the day (MOTD) is configured on the BIG-IP Next.
Impact:
Admin users do not see the MOTD banner when they log in.
Workaround:
None
Fix:
MOTD is now displayed if configured.
1065589 : K3S service does not start after system downgrade.★
Component: F5OS-A
Symptoms:
During tenant deployment, the "compute" pod fails to come up.
Multiple kubehelper pods will be triggered.
Conditions:
This can occur after a downgrade.
Impact:
Tenant deployments fail.
Workaround:
1) Manually delete the script /var/F5/system/apigw-tenant-helper.sh before the downgrade.
2) If you forget to delete the script (step 1), the recovery options are:
a) Remove the file and reboot the system.
b) Perform a bare metal install.
Fix:
N/A
1065085 : MD5 cipher is allowed on RESTCONF port 8888 with FIPS-enabled license.
Links to More Info: BT1065085
Component: F5OS-A
Symptoms:
When a FIPS-enabled license is installed on the system, some MD5 ciphers are allowed on RESTCONF port 8888, when they should not be allowed.
Conditions:
The command "openssl s_client -connect <mgmt-ip>:8888 -cipher MD5" returns a valid certificate.
Impact:
MD5 SSLCipher continues to work on port 8888 on both system controller and chassis partition management IP addresses.
Workaround:
None
Fix:
Removed MD5 SSLCipherSuites from ssl.conf when a FIPS-enabled license is installed on the system.
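A static check that complements the s_client probe in the Conditions above, as an added example (not F5 code): it scans a configuration file for SSLCipherSuite directives and reports cipher strings that still name MD5 suites or never exclude them with !MD5. It assumes Apache mod_ssl directive syntax and OpenSSL cipher-string operators; the sample configuration, function names and verdict labels are constructed for illustration.

```python
import re

SEPARATORS = re.compile(r"[:, ]+")   # OpenSSL accepts colon, comma or space
DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(.+)$", re.IGNORECASE)

# Constructed sample, not the F5OS ssl.conf.
SAMPLE_CONF = """\
# constructed sample, not the F5OS ssl.conf
Listen 8888
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:RC4-MD5
SSLCipherSuite HIGH:!aNULL
SSLCipherSuite HIGH:!aNULL:!MD5
"""


def explicit_md5(cipher_spec):
    """Return (enabled_md5_tokens, hard_excluded) for one cipher string.

    Heuristic: only tokens that mention MD5 are tracked. Broad aliases are
    not expanded, because what they contain depends on the OpenSSL build.
    """
    enabled, banned, hard_excluded = [], set(), False
    for token in filter(None, SEPARATORS.split(cipher_spec)):
        op = token[0] if token[0] in "!-+" else ""
        name = token[len(op):]
        # "RC4-MD5" names one suite, "RC4+MD5" intersects two aliases.
        if "MD5" not in re.split(r"[-+]", name):
            continue
        if op == "!":                       # permanent removal
            banned.add(name)
            hard_excluded = hard_excluded or name == "MD5"
        elif op == "-":                     # removal that can be undone later
            enabled = [] if name == "MD5" else [t for t in enabled if t != name]
        elif op == "":                      # plain token adds the suites
            enabled.append(name)
        # a leading "+" only reorders suites that are already in the list
    if hard_excluded:
        return [], True
    return [t for t in enabled if t not in banned], False


def audit_ssl_conf(text):
    """Return one finding per SSLCipherSuite directive in the given text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        spec = m.group(1).strip().strip('"')
        parts = spec.split(None, 1)
        # mod_ssl allows an optional protocol argument before the cipher spec.
        if len(parts) == 2 and parts[0] in ("SSL", "TLSv1.3"):
            if parts[0] == "TLSv1.3":
                continue                    # TLS 1.3 suites do not use MD5
            spec = parts[1]
        tokens, excluded = explicit_md5(spec)
        if tokens:
            verdict = "md5-enabled"
        elif excluded:
            verdict = "ok"
        else:
            verdict = "md5-not-excluded"    # review: relies on alias contents
        findings.append({"line": lineno, "verdict": verdict, "md5_tokens": tokens})
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_conf(SAMPLE_CONF):
        print(finding)
```

A clean result from this check does not replace the live probe: the listener can load its cipher list from a different file than the one audited.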
1064525-1 : Interface counters are slow to update
Component: F5OS-A
Symptoms:
Interface counters do not immediately reflect traffic activity.
Conditions:
Normal user traffic
Impact:
Interface counters may not reflect the exact amount of traffic due to being slow to update.
Fix:
Increased the counter polling frequency.
1064305-2 : Unable to import VELOS images from the F5 downloads site
Links to More Info: BT1064305
Component: F5OS-A
Symptoms:
Importing images from the F5 downloads site using the VELOS GUI fails.
Conditions:
-- Using direct links to the VELOS image on the F5 downloads site.
-- The URL contains a query string with parameters.
Impact:
The VELOS system fails to download the image from the F5 downloads site.
Workaround:
Use the confd CLI to download the file:
1. Using your web browser, navigate to the appropriate "Select a Download" screen for the file that you wish to download directly to the VELOS system
2. Copy the URL for the file
3. Use the file import command, ensuring that you put the remote-url value in quotation marks, for example:
syscon-1-active# file import remote-url "https://downloads07.f5.com/esd/download.sv?loc=downloads07.f5.com/downloads/53b686a5-d1cc-484d-af8b-5decd705d174/F5OS-C-1.2.2-12471.CONTROLLER.iso" local-file images/staging/
To check the download status, run the following command:
file transfer-status
Fix:
You can now import VELOS images from the F5 downloads site.
1064125-1 : Sw_rbcast container restarts on non-fatal errors
Component: F5OS-A
Symptoms:
VELOS logs indicate a disconnect and restart of the sw_rbcast container:
appliance-1 sw-rbcast[20]: priority="Notice" version=1.0 msgid=0x6903000000000003 msg="Software Rebroadcaster disconnected from Host DMA-Agent." error=3.
appliance-1 sw-rbcast[20]: priority="Info" version=1.0 msgid=0x6903000000000002 msg="Software Rebroadcaster connected to Host DMA-Agent".
Conditions:
High volume (> 200k packets/second) of broadcast traffic.
Impact:
None. The container restarts and continues to process traffic.
Workaround:
None
Fix:
Container no longer restarts for non-fatal errors.
1064089 : Traffic over shared VLANs does not work
Component: F5OS-A
Symptoms:
When two tenants share a VLAN, ARP replies from the tenants are not forwarded to the front-panel interfaces.
Conditions:
Two tenants sharing a VLAN
Impact:
Traffic does not work over shared VLANs
Fix:
Program service DAG entries into the ATSE-NSE logic.
1063781 : Duplicate broadcast/multicast packets are sent out a front panel interface.
Component: F5OS-A
Symptoms:
Clients may report 'duplicate response' due to multiple copies of the same broadcast/multicast packet.
Conditions:
Tenant generated broadcast/multicast traffic destined to a front-panel interface.
Impact:
No functional impact. Clients may report 'duplicate response' messages.
Fix:
Corrected the hardware programming to send only one copy of a broadcast/multicast packet out a front-panel interface.
1062021-1 : Lacpd process continuously restarts after creating a LAG interface with a space.★
Component: F5OS-A
Symptoms:
The Lacpd service restarts when the LAG name contains a space.
The tenant does not get the LAG name and shows a null value instead.
[root@localhost:Active:Standalone] config # tmsh list net trunk
net trunk "" {
cfg-mbr-count 2
distribution-hash src-dst-mac
id 0
interfaces {
1.0
2.0
}
stp disabled
type ha-only
working-mbr-count 2
}
Conditions:
LAG name contains a space.
Example : "lacp lag"
appliance-1(config)# interfaces interface "lacp lag" config type ieee8023adLag
Impact:
1. Lacpd service restarts.
2. BIG-IP tenant does not get the trunk name.
Note: In case of live upgrade from EA to GA release, any LAG created with a space in name will not work and you will need to either delete these or do a bare metal install before performing a live upgrade.
Workaround:
Do not create a LAG name that contains a space.
Fix:
N/A
1061281-1 : Snd_hda_intel 0000:00:1f.3: no codecs found.
Component: F5OS-A
Symptoms:
During a reboot, error messages related to snd_hda_intel are logged:
"snd_hda_intel 0000:00:1f.3: no codecs found!"
Conditions:
This occurs during a reboot of an rSeries appliance.
Impact:
No functional impact, the error can be safely ignored.
Workaround:
N/A
Fix:
An erroneous error message has been suppressed.
1061149 : Libvirt core is generated on system reboot
Component: F5OS-A
Symptoms:
A flawed core file is intermittently generated on system reboot, but the tenant is actually healthy and functional after reboot.
Conditions:
Intermittently on system reboots.
Impact:
A libvirt core file is generated, but the tenant is actually healthy and functional.
Workaround:
None
Fix:
No impact on functionality. No user action is expected.
1060905 : Perl Vulnerability: CVE-2020-10878
Links to More Info: K40508224
1060537 : Portgroup state set to empty strings when optic removed
Component: F5OS-A
Symptoms:
When an optical transceiver is removed from a front panel port the portgroup state information in confd is set to empty strings
Conditions:
Physical removal of an optical transceiver in VELOS or rSeries
Impact:
Empty string is returned to REST call for portgroups/portgroup/state information when optic is removed.
Fix:
When an optical transceiver is removed from a front panel port the portgroup state is completely removed and will not show up in confd at all.
1060193 : e2fsprogs vulnerability: CVE-2019-5188
Component: F5OS-A
Symptoms:
A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
Conditions:
- A specially crafted ext4 directory
Impact:
- Code execution via e2fsck
Workaround:
N/A
Fix:
e2fsprogs updated to mitigate CVE-2019-5188
1057145 : Qkview capture with timeout does not stop capture after timeout
Component: F5OS-A
Symptoms:
Qkview capture does not stop when the timeout value expires.
Qkview ignores the timeout setting and proceeds with collection.
Conditions:
Timeout value is exceeded in the qkview capture command
Impact:
Qkview does not stop capture after the timeout expires
Workaround:
Invoke qkview cancel command to stop the capture manually after the timeout value.
`system diagnostics qkview cancel`
Fix:
Timeout is handled correctly to stop qkview capture after timeout.
1057109 : CUPS Vulnerability: CVE-2017-18190
Component: F5OS-A
Symptoms:
A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
Conditions:
- localhost.localdomain whitelist entry
- Unsafe DNS results for localhost.localdomain
Impact:
Remote attackers can execute IPP commands
Workaround:
N/A
Fix:
CUPS has been updated to mitigate CVE-2017-18190
1056705 : OpenLDAP Vulnerability: CVE-2020-25692
Component: F5OS-A
Symptoms:
This flaw allows a remote, unauthenticated attacker to crash the slapd process by sending a specially crafted request, causing a denial of service. The highest threat from this vulnerability is to system availability.
Conditions:
- LDAP request for renaming RDNs
Impact:
OpenLDAP slapd crashes on what seems to be a null-ptr-dereference after receiving a malicious TCP packet.
Workaround:
N/A
Fix:
OpenLDAP updated to mitigate CVE-2020-25692
1056137 : zsh Vulnerability: CVE-2019-20044
Component: F5OS-A
Symptoms:
A flaw was found in zsh. When unsetting the PRIVILEGED option, the shell sets its effective user and group IDs to match their respective real IDs.
Conditions:
When the RUID and EUID are both non-zero, it is possible to regain the shell's former privileges.
Impact:
Insecure dropping of privileges when unsetting PRIVILEGED option
Workaround:
N/A
Fix:
Updated zsh to mitigate CVE-2019-20044
1056129 : libcups vulnerabilities: CVE-2019-8696 CVE-2019-8675
Component: F5OS-A
Symptoms:
A stack buffer overflow was found in libcups's asn1_* functions.
Conditions:
- Certificate usage within libcups
Impact:
Stack buffer overflow
Workaround:
N/A
Fix:
libcups updated to mitigate CVE-2019-8696 CVE-2019-8675
1046221-2 : SM2 cannot be used for creating self-signed certificates
Component: F5OS-A
Symptoms:
When creating a self-signed certificate, VELOS returns an error.
The create self-signed certificate function allows for elliptic curves but does not work for 'SM2'.
Conditions:
When requesting a certificate using type ec, the curve name SM2 can be selected.
Impact:
Attempting to use SM2 curve name results in an error.
Workaround:
Outside confd, you can create the SM2 key using:
`/usr/bin/openssl ecparam -genkey -name SM2`
The key can then be entered using system-aaa-tls-config-key and subsequently used to create a CSR.
The self-signed certificate must be created using openssl commands and entered manually if it is to be stored.
Fix:
The SM2 curve name can now be used like all the other ec curve names.
1035589-1 : Source address for TACACS+ server group configuration does not work
Links to More Info: BT1035589
Component: F5OS-A
Symptoms:
Attempting to set the source-address for a TACACS+ server group configuration might fail or does not work as expected.
Conditions:
Attempt to configure source-address for TACACS+ server group.
Impact:
No functional impact, as the source-address isn't used.
Workaround:
The source-address is not used by the TACACS+ client. Do not configure source-address.
Fix:
The source-address config element is now removed for TACACS+ server-group configuration.
1034093-2 : protobuf vulnerability: CVE-2021-3121
Component: F5OS-A
Symptoms:
A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects.
Conditions:
- Unmarshalling protobuf objects
Impact:
This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability.
Workaround:
N/A
Fix:
Protobuf updated to mitigate CVE-2021-3121
1027009 : DNS servers attained through DHCP not reflected in confd
Component: F5OS-A
Symptoms:
When DHCP is enabled on the management interface, DNS servers are obtained from the DHCP server. The 'show system dns' command in confd does not show the DNS entries obtained from the DHCP server.
Conditions:
Enable DHCP on the management interface from confd
Impact:
DNS server IPs obtained dynamically from the DHCP server are not displayed by confd.
Workaround:
None
Fix:
Fixed code to update confd with DNS server IP addresses when DHCP is enabled on the management interface
1012437-1 : Tenant virtual disk is deleted when the tenant running-state is set to "configured."
Links to More Info: BT1012437
Component: F5OS-A
Symptoms:
A VELOS tenant's virtual-disk is deleted when the tenant running-state is set back to "configured" after having been "deployed." This behavior differs from vCMP.
It is recommended that you set the tenant running-state to "provisioned" in order to stop the running tenant.
Conditions:
Tenant running-state changed from "deployed" to "configured."
Impact:
Virtual disk is deleted, resulting in loss of tenant configuration.
Workaround:
Fixed. No workaround needed.
Fix:
The system no longer deletes the virtual disk when the state is changed from deployed to configured.
Known Issues in F5OS-A v1.1.x
F5OS-A Issues
ID Number | Severity | Links to More Info | Description |
1123685-1 | 1-Blocking | | Occasionally Selinux modules are getting corrupted when the system reboots |
1123121-3 | 1-Blocking | | Occasional issue with tenant deployment after live upgrade on r2xxx/r4xxx series platforms |
1117649-1 | 1-Blocking | | rSeries Appliance inoperable after powering down from Linux while configured for Appliance mode |
1117277 | 1-Blocking | | Occasional issue observed when tenant deployed on r2xxx/r4xxx series |
1117237 | 1-Blocking | | FPGA bit files are not updated to the latest version after a live upgrade |
1112141-1 | 1-Blocking | | 10G/25G/40G burst support in rSeries appliance |
1099437-2 | 1-Blocking | | Nic-manager core file |
1083061-1 | 1-Blocking | | Loading saved config to BIG-IP fails if host modifications are made after "tmsh save sys config" |
1184917-1 | 2-Critical | | On rSeries, the MAC masquerade feature is only supported on BIG-IP tenants 15.1.6 and later |
1121889 | 2-Critical | | ConfD encryption key can lock up the TPM module |
1121793 | 2-Critical | | System goes into inoperative state when downgraded from 1.1.1 to 1.0.1 without moving the tenant to configured state |
1117621 | 2-Critical | | After an appliance upgrade from 1.0.1 to 1.1.1, a tenant in Provisioned state may show inconsistent CLI status★ |
1114485-2 | 2-Critical | | K3s cluster goes to unhealthy state when system is rebooted after changing hostname. |
1086381-2 | 2-Critical | | Tenant deployment failing with error - "failed to set netlink MAC address: resource temporarily unavailable" |
1084549-1 | 2-Critical | | VLAN sharing isn't allowed on r2000 and r4000 systems |
1117417-1 | 3-Major | | Database config restore failed on rSeries appliance |
1116869-2 | 3-Major | | Tcpdump on F5OS does not capture packets of certain sizes |
1112533-3 | 3-Major | | Status LED color always stays amber |
1103001-2 | 3-Major | | Tenants fail to come up after a live upgrade from pre-1.1.0 version to 1.1.0 on the r4xxx appliances★ |
1101365-2 | 3-Major | | Delay in tenant deployment with tenant image corruption error |
1100305 | 3-Major | | Tcpdump capture of packets with interface-based filtering fails on r5000 and r10000 appliances |
1091941 | 3-Major | | Tenant running instance status shows some error/warning events in confd |
1086749 | 3-Major | | Interface speeds are not reported correctly when linked at a slower speed |
1083921-1 | 3-Major | | VLAN name change is not allowed once a tenant is launched |
1083561 | 3-Major | | Tenant running instance status shows some error/warning events in confd |
1082513-1 | 3-Major | | LACP waitOnAlertFd Errors |
1080437-1 | 3-Major | | VerifyDmesg test failure |
1063649-1 | 3-Major | | Changing the system date to be older than the installation date is not supported. |
1122941-1 | 4-Minor | | Port-profile changes when tenants are in the deployed state |
Known Issue details for F5OS-A v1.1.x
1184917-1 : On rSeries, the MAC masquerade feature is only supported on BIG-IP tenants 15.1.6 and later
Component: F5OS-A
Symptoms:
The MAC masquerade feature is only supported on BIG-IP tenant versions 15.1.6 and later. Using the feature in an HA pair can cause traffic to fail over incorrectly between the pair.
Conditions:
MAC masquerade is used on rSeries with BIG-IP tenant versions earlier than 15.1.6.
Impact:
Traffic may be degraded on a failover between an HA pair.
Workaround:
Upgrade BIG-IP tenant version to 15.1.6 or later.
1123685-1 : Occasionally Selinux modules are getting corrupted when the system reboots
Component: F5OS-A
Symptoms:
On rSeries appliances, if the SELinux modules are corrupted:
-- The virt-handler pod crashes continuously.
-- The tenant remains in the pending state.
-- The semodule file size is 0 in the directory "/etc/selinux/targeted/active/modules/400/".
Conditions:
An interruption, such as an abrupt power off, occurs while the SELinux modules are being built during system bootup.
Impact:
-- The virt-handler pod crashes continuously.
-- Tenant functionality is impacted.
Workaround:
None.
1123121-3 : Occasional issue with tenant deployment after live upgrade on r2xxx/r4xxx series platforms
Component: F5OS-A
Symptoms:
Interface drivers are not created, leading to tenant deployment failure after a live upgrade on r2xxx/r4xxx series platforms.
Conditions:
-- Live upgrade from F5OS version 1.1.0 to F5OS version 1.1.1.
-- Using r2xxx/r4xxx series platforms.
Impact:
Tenant deployment fails occasionally.
Workaround:
Reboot the device and try the upgrade again.
1122941-1 : Port-profile changes when tenants are in the deployed state
Component: F5OS-A
Symptoms:
Port-profile changes are not being blocked when tenants are in the deployed state.
Conditions:
Changing the port-profile on a system that has a tenant whose running-state is deployed.
Impact:
Tenants may not come up after the system reboots.
Workaround:
For each tenant in the deployed state, move the tenant running state to provisioned and back to deployed.
The tenant will then come up and function properly.
1121889 : ConfD encryption key can lock up the TPM module
Component: F5OS-A
Symptoms:
Due to an error that happens rarely in the HAL layer, the encryption key mechanism can misinterpret such an error as a valid identifier for the system. This causes the TPM to lock up, using that identifier, but then the actual identifier no longer unlocks the TPM.
Conditions:
This happens rarely, but when it does, the system-manager cannot read the encryption keys and will not start ConfD.
This manifests as being unable to start the configuration when attempting to become admin.
Impact:
The system is unusable. Installing a new ISO does not help.
The TPM must be cleared to become unlocked. Once the TPM is cleared, a new key is generated, so existing encryptions need to be re-encrypted. This requires that the ConfD system database be reset to default.
Workaround:
The workaround is to do the following:
# docker exec system_platform-mgr tpm2_takeownership -c
# docker restart system_manager
# su admin
# config
# (config) system database reset-to-default proceed yes
# exit; exit
# docker restart system_api_svc_gateway
1121793 : System goes into inoperative state when downgraded from 1.1.1 to 1.0.1 without moving the tenant to configured state
Component: F5OS-A
Symptoms:
The system goes into an inoperative state when it is downgraded from F5OS-A version 1.1.1 to F5OS-A version 1.0.1 without first moving the version 1.1.1 tenant to a configured state.
Conditions:
When downgraded from 1.1.1 to 1.0.1 without moving the 1.1.1 tenant to the configured state
Impact:
System becomes inoperative.
Workaround:
1. rm /var/F5/system/confd/*.cdb
2. reboot
Note: This removes all the system configuration.
1117649-1 : rSeries Appliance inoperable after powering down from Linux while configured for Appliance mode
Component: F5OS-A
Symptoms:
If the rSeries device is powered down from Linux (for example, using 'halt -p', 'poweroff', or 'shutdown -h now') while in Appliance mode, the device becomes permanently disabled.
In this state, nothing external can be done to power on the Linux host, for example, cycling power, accessing the LCD Power on option, or pressing the Power button.
Trying to access the AOM menu from the serial console reports the following message:
AOM Command Menu - disabled for security purposes.
Conditions:
-- Appliance mode is enabled (this is the state the 'appliance-setup-wizard' sets when it runs to completion).
-- The host is powered down (for example, using 'halt -p', 'poweroff', or 'shutdown -h now')
Impact:
The AOM command menu is not available to power on the host. A power cycle of the appliance does not power on the host.
The disabled appliance must be replaced.
Workaround:
***Important!***
If the BIG-IP rSeries appliance is configured for Appliance mode, do not power off the device using commands such as 'halt -p', 'poweroff', or 'shutdown -h now'.
Instead, run 'halt' and then remove power from the system (for example, unplug, remove power brick, remove power from rack).
Note: If you have already encountered this issue, contact F5 Support (https://www.f5.com/services/support) to request an RMA. For more information, refer to K12882: Overview of the F5 RMA process (https://support.f5.com/csp/article/K12882).
1117621 : After an appliance upgrade from 1.0.1 to 1.1.1, a tenant in Provisioned state may show inconsistent CLI status★
Component: F5OS-A
Symptoms:
After an appliance upgrade from 1.0.1 to 1.1.1, if the running-state of a tenant is configured in the Provisioned state, the operational status of the tenant may oscillate between "Ready to deploy" and "Allocating resources to the tenant is in progress" state in the partition CLI status.
Conditions:
A race condition exists after an appliance upgrade from 1.0.1 to 1.1.1, that may display an inaccurate tenant operational state when the tenant is configured as Provisioned.
Impact:
The tenant state constantly changes.
Workaround:
Configure the running-state of the tenant to Deployed.
1117417-1 : Database config restore failed on rSeries appliance
Component: F5OS-A
Symptoms:
System database config-restore fails when the system images present when the backup was taken do not match the images currently present on the system.
Conditions:
The current system images that are present on the system (show system image) do not match the list of images that are stored in the backup file.
Impact:
Config restore fails.
Workaround:
Edit the configuration backup file and delete the <image> stanza, from:
<image xmlns="http://f5.com/yang/system/image">
to
</image>
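A sketch of the edit described in the workaround above, as an added example (not F5 code): it removes the `<image xmlns="http://f5.com/yang/system/image">` … `</image>` stanza from a copy of the backup and leaves every other byte untouched. The sample backup content, the function names, and the possibility of nested `<image>` elements inside the stanza are assumptions made for illustration.

```python
import re

IMAGE_NS = "http://f5.com/yang/system/image"

# The opening tag quoted in the workaround (quote style and spacing tolerated).
OPEN_RE = re.compile(
    r'<image\s+xmlns\s*=\s*(["\'])' + re.escape(IMAGE_NS) + r'\1\s*>')
# Any <image ...>, <image .../> or </image> tag, used to track nesting depth.
# Assumption: attribute values contain no '>' and the stanza holds no
# comments or CDATA sections that mention <image>.
TAG_RE = re.compile(r'<(/?)image(?=[\s>/])[^>]*?(/?)>')


def strip_image_stanza(xml_text):
    """Return (new_text, removed_count) with each image stanza cut out.

    Works on the raw text instead of re-serialising the XML, so namespace
    prefixes, ordering and whitespace elsewhere in the backup are preserved.
    Raises ValueError if a stanza is never closed (nothing is returned).
    """
    pieces, pos, removed = [], 0, 0
    while True:
        start = OPEN_RE.search(xml_text, pos)
        if start is None:
            break
        depth, scan = 1, start.end()
        while depth:
            tag = TAG_RE.search(xml_text, scan)
            if tag is None:
                raise ValueError("unterminated <image> stanza")
            scan = tag.end()
            if tag.group(1):            # </image>
                depth -= 1
            elif not tag.group(2):      # nested <image ...>, not self-closing
                depth += 1
        pieces.append(xml_text[pos:start.start()])
        pos = scan
        removed += 1
    pieces.append(xml_text[pos:])
    return "".join(pieces), removed


def strip_backup_file(src, dst):
    """Write an edited copy of src to dst; the original backup is never
    modified and an existing dst is never overwritten (mode 'x')."""
    with open(src, encoding="utf-8", newline="") as fh:
        text = fh.read()
    new_text, removed = strip_image_stanza(text)
    with open(dst, "x", encoding="utf-8", newline="") as fh:
        fh.write(new_text)
    return removed


# Constructed sample, not a real F5OS backup: only the <image> opening tag
# and its namespace come from the release note.
SAMPLE_BACKUP = '''<config>
  <system xmlns="http://example.invalid/constructed">
    <hostname>appliance-1</hostname>
  </system>
  <image xmlns="http://f5.com/yang/system/image">
    <iso>
      <image><name>constructed-iso</name></image>
    </iso>
  </image>
  <vlans xmlns="http://example.invalid/constructed-vlans"/>
</config>
'''

if __name__ == "__main__":
    edited, count = strip_image_stanza(SAMPLE_BACKUP)
    print("stanzas removed:", count)
    print(edited)
```

Keep the original backup file alongside the edited copy so the restore can be retried from a known state.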
1117277 : Occasional issue observed when tenant deployed on r2xxx/r4xxx series
Component: F5OS-A
Symptoms:
The r2xxx/r4xxx appliance interface drivers are not created in time, which leads to tenant deployment failure after a PXE boot, live upgrade, reboot, or port profile change.
Conditions:
Live upgrade from any version to v1.1.1, PXE boot, reboot, or port profile change.
Impact:
Occasionally tenant deployment fails to come up.
Workaround:
None
1117237 : FPGA bit files are not updated to the latest version after a live upgrade
Component: F5OS-A
Symptoms:
FPGA bit files are not updated to the latest version after a live upgrade.
Conditions:
Live upgrade to an ISO file.
Impact:
Unexpected behavior with tenant and traffic.
Workaround:
Run the following commands from the bash prompt:
1. /bin/systemctl stop appliance_orchestration_manager_container.service
2. /bin/systemctl stop platform-services-deployment.service
3. reboot
Once the system is rebooted, the correct bit files will be installed.
1116869-2 : Tcpdump on F5OS does not capture packets of certain sizes
Component: F5OS-A
Symptoms:
When using tcpdump on the F5OS host, packets of certain sizes may not be captured via tcpdump.
Conditions:
Packets smaller than 1501 bytes and larger than 1483 bytes, as well as packets in several other size ranges, are affected by this issue.
Impact:
Tcpdumps may be incomplete.
1114485-2 : K3s cluster goes to unhealthy state when system is rebooted after changing hostname.
Component: F5OS-A
Symptoms:
When the system hostname is changed and the system is rebooted, all or some of the following symptoms may be encountered:
-- System-related pods in K3s are stuck in a failure state.
-- The K3s cluster shows more than one node.
-- OMD continuously cores.
Conditions:
The system is rebooted after the hostname is configured in confd.
Impact:
-- K3s cluster goes into an unhealthy state.
-- Tenant functionality is impacted.
Workaround:
None
1112533-3 : Status LED color always stays amber
Component: F5OS-A
Symptoms:
The status LED is always amber.
Conditions:
This occurs during normal operation when the status LED should be green.
Impact:
Status LED may not change to green when system is operational.
Workaround:
None
1112141-1 : 10G/25G/40G burst support in rSeries appliance
Component: F5OS-A
Symptoms:
When a burst of traffic at 100Gb/s is sent to a 10G/25G/40G port, the burst size supported by the rSeries appliance depends on the buffer size. Once the buffer is full, packets are dropped.
Conditions:
-- Use of 10G/25G/40G ports.
-- A 100Gb/s burst of traffic occurs.
Impact:
This results in loss of egress packets.
Workaround:
None
1103001-2 : Tenants fail to come up after a live upgrade from pre-1.1.0 version to 1.1.0 on the r4xxx appliances★
Component: F5OS-A
Symptoms:
When a live upgrade is attempted from a pre-1.1.0 release to a 1.1.0 release on the r4xxx series of appliances, the tenants will not come up after the live upgrade.
The symptoms that will be seen are:
ICE driver may not load ( "lsmod | grep -i ice" will not show a line with 'ice' ), no VFs will be created, tenant deployment will fail.
Conditions:
-- An F5OS upgrade is performed on an r4xxx series appliance to version 1.1.0
-- The appliance was running pre-1.1.0 software
-- A license is installed
-- Tenants are attempted to be deployed
Impact:
Tenant deployment fails after live upgrade as the ICE driver is not loaded.
Workaround:
After the live upgrade, check that the tenant is failing to deploy.
Check that "lsmod | grep -i ice" does not show a line with 'ice'.
Reboot the system.
Then rerun lsmod. The output should now show the ice module line.
1101365-2 : Delay in tenant deployment with tenant image corruption error
Component: F5OS-A
Symptoms:
The system posts an intermediate error message:
Tenant image corrupted - Update the tenant config with proper image.
This error auto-recovers within 20 seconds.
Conditions:
Observed intermittently while bringing up the tenant.
Impact:
There is a delay in tenant deployment with an intermediate error on the CLI console.
Workaround:
None
1100305 : Tcpdump capture of packets with interface-based filtering fails on r5000 and r10000 appliances
Component: F5OS-A
Symptoms:
On r5000 and r10000, running a tcpdump as follows:
appliance-1# system diagnostics tcpdump -nni 1.0
to filter packets traversing interface 1.0 only, will fail.
The error seen will be "errbuf ERROR:Interface configuration failed. Please retry tcpdump: pcap_loop: Interface configuration failed. Please retry."
and the client will terminate.
Retrying the client will not help, contrary to the message.
Conditions:
Tcpdump capture is started on an r5000 and r10000 device and the option to filter packets based on an interface ("-i" option) is chosen.
Impact:
Tcpdump cannot work in the interface filtering mode.
It will operate in the other modes; only the interface filtering option causes it to be unable to start.
Workaround:
1) Start a tcpdump capture with no interface filter
"system diagnostics tcpdump" or
"system diagnostics tcpdump -nni 0.0"
Packets will be captured from all interfaces, and further (non-interface) filters can be used to narrow down the capture.
For example:
"system diagnostics tcpdump host 1.1.1.1 and port 80" or
"system diagnostics tcpdump vlan 200"
2) Restart the tcpdump container. This would make the -i option available again.
1099437-2 : Nic-manager core file
Component: F5OS-A
Symptoms:
During a power down sequence the l2-agent may generate a core file. The system comes back up without any issue.
Conditions:
System power loss.
Impact:
Core file is generated.
Workaround:
None
1091941 : Tenant running instance status shows some error/warning events in confd
Component: F5OS-A
Symptoms:
Some error/warning events intermittently occur that are related to 'k3s events stale in cluster' inside confd. But the tenant is actually healthy and functional.
Conditions:
Intermittently on system reboots. Tenant status might not be updated in ConfD.
Impact:
The tenant status is incorrect, but the tenant is actually healthy & functional.
Workaround:
None
1086749 : Interface speeds are not reported correctly when linked at a slower speed
Component: F5OS-A
Symptoms:
rSeries 2xxx/4xxx interfaces support linking at certain speeds slower than the portgroup speed, but the interface speed is reported as higher.
For example:
-- A portgroup in 25G mode accepts a 10G SFP and links at 10G. The interface speed is reported as 25G.
-- A portgroup in 25G mode can link at 1G. The interface speed is reported as 25G.
-- A portgroup in 10G mode can link at 1G. The interface speed is reported as 10G.
Conditions:
This occurs when using an SFP that only supports a slower speed, or when connecting a 10G copper port to a 1G capable device.
Impact:
The interface speed reported in the webUI/CLI is higher than the actual link speed.
Workaround:
You can determine the actual link speed using ethtool, for example:
-- For port 1.0, use ethtool x557_1.
-- For port 5.0, use ethtool sfp_5.
1086381-2 : Tenant deployment failing with error - "failed to set netlink MAC address: resource temporarily unavailable"
Component: F5OS-A
Symptoms:
Tenant deployment fails with an error -
Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "<id>": [default/virt-launcher-bigiptenant1-1-2ghl7:sriov-net5-bigiptenant1]: error adding container to network "sriov-net5-bigiptenant1": failed to set up pod interface "net9" from the device "sfp_6": failed to set netlink MAC address to 14:a9:d0:02:1a:0f: resource temporarily unavailable
Conditions:
The previous tenant teardown did not clean up the virtual function (VF) MAC address and reset the VF interface.
Impact:
Tenant deployment fails.
Workaround:
Identify the VF number in the PF that has the MAC address issue, then reset the MAC address manually using the ip command.
For example:
ip link set sfp_8 vf 1 mac 00:00:00:00:0d:01
1084549-1 : VLAN sharing isn't allowed on r2000 and r4000 systems
Component: F5OS-A
Symptoms:
This is a product limitation in F5OS-A 1.1.0 on r2000 and r4000 based systems.
These platforms are unable to use the same VLAN for two different tenants, but the F5OS-A software does not prevent you from configuring them.
Conditions:
Assigning an identical VLAN to two different tenants.
Impact:
Same VLAN traffic will not be shared between multiple tenants.
Workaround:
None
1083921-1 : VLAN name change is not allowed once a tenant is launched
Component: F5OS-A
Symptoms:
When you change the VLAN name on an rSeries (R2x00 or R4x00) appliance, the BIG-IP tenant does not honor the name change.
Conditions:
-- One or more tenants are running on an rSeries (R4x00 or R2x00) platform.
-- A VLAN name is changed for a VLAN that is in use by a running tenant.
Impact:
Changing the VLAN name after a tenant is launched and reassigning that VLAN removes the interface in TMM.
Workaround:
Set the VLAN name to the initial name that the tenant used when it was launched. Or, if you need to change the name of the VLAN, delete the tenant and redeploy.
1083561 : Tenant running instance status shows some error/warning events in confd
Component: F5OS-A
Symptoms:
Some error/warning events intermittently occur that are related to "failed to sync cache" inside ConfD. But the tenant is actually healthy and functional.
Conditions:
Intermittently on system reboots. Tenant status might show error messages in ConfD.
Impact:
No impact, tenant is actually healthy and functional.
Workaround:
None
1083061-1 : Loading saved config to BIG-IP fails if host modifications are made after "tmsh save sys config"
Component: F5OS-A
Symptoms:
The configuration load fails with an error similar to the following:
01070257:3: Requested VLAN member (1.5) is currently a trunk member
Unexpected Error: Loading configuration process failed.
Conditions:
-- rSeries 4x00 or R2x00 platform
-- Configuration is backed up using tmsh
-- A change is made to one or more VLANs, interfaces, trunks, or type of VLANs on the host
-- The BIG-IP system loads the configuration
Impact:
Configuration load fails.
Workaround:
On a failure while loading sys config, open the affected configuration file, fix the object that was changed manually, and retry loading the sys config.
For example, if the load sys config at mcpd complains that "vlan member 1.x" is not found on vlan-xyz, open the /config/bigip_xxx.conf file, update vlan-xyz with vlan-member 1.x, and retry the config load.
1082513-1 : LACP waitOnAlertFd Errors
Component: F5OS-A
Symptoms:
The system posts error messages in the platform.log:
LacpdHeartBeatsClient::run() waitOnAlertFd Error!
Conditions:
This occurs at startup, reboot, and upgrade.
Impact:
There is no functional impact; you can safely ignore these messages.
Workaround:
None
1080437-1 : VerifyDmesg test failure
Component: F5OS-A
Symptoms:
An error message is seen as dmesg output:
Failed to allocate irq -2147483648: -107
Conditions:
The error message is sometimes seen after a device restart/reboot completes.
Impact:
The error message does not impact any functionality, because when the IRQ allocation for SMBUS fails, it switches to polling mode.
Workaround:
NA
1063649-1 : Changing the system date to be older than the installation date is not supported.
Component: F5OS-A
Symptoms:
All system self-signed certificates are generated using the installation system date. Changing the date to an older date than the installation date can cause instability.
Conditions:
Setting the system date to be older than the installation date on an rSeries appliance.
Impact:
The system goes into an unstable state.
Workaround:
N/A
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade