Supplemental Document : F5OS-A 1.1.0 Fixes and Known Issues Release Notes

Applies To:


F5OS-A

  • 1.1.0
Updated Date: 12/06/2022

F5OS-A Release Information

Version: 1.1.0
Build: 7645

Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.



Known Issues in F5OS-A v1.1.x

Vulnerability Fixes

| ID Number | CVE | Links to More Info | Description |
|---|---|---|---|
| 987225-3 | CVE-2022-41780 | K81701735 | Container hardening |
| 1060905 | CVE-2020-10878 | K40508224 | Perl Vulnerability: CVE-2020-10878 |


Functional Change Fixes

None


F5OS-A Fixes

| ID Number | Severity | Links to More Info | Description |
|---|---|---|---|
| 1065589 | 1-Blocking | | K3S service does not start after system downgrade. |
| 1063781 | 1-Blocking | | Duplicate broadcast/multicast packets are sent out a front panel interface. |
| 1090089-1 | 2-Critical | | NTP service does not work on rSeries appliances |
| 1080421-1 | 2-Critical | BT1080421 | LACP does not transmit PDU's when creating a LAG |
| 1078633 | 2-Critical | | Tenant to API gateway communication and unit-key will not work after key rotation |
| 1064089 | 2-Critical | | Traffic over shared VLANs does not work |
| 1061149 | 2-Critical | | Libvirt core is generated on system reboot |
| 1012437-1 | 2-Critical | BT1012437 | Tenant virtual disk is deleted when the tenant running-state is set to "configured." |
| 991061-2 | 3-Major | BT991061 | Admin cannot edit the tenant config in Deployed state from GUI if the tenants are created via CLI; downgrading partition or rSeries appliance may leave device inoperative |
| 923609 | 3-Major | | rSeries 5900 Error - Thermal fault detected in hardware |
| 1097925 | 3-Major | | Resolving CVEs on F5OS-A 1.1.0 |
| 1084817-1 | 3-Major | BT1084817 | Container api-svc-gateway crashes due to certificate issues partition database |
| 1084581-1 | 3-Major | BT1084581 | Log files collected by QKView are truncated with the newest entries removed |
| 1083261 | 3-Major | | Invalid DNS search path causes tenants to fail to start |
| 1083077 | 3-Major | | LACP trunks are not configured automatically in BIG-IP tenant running on F5OS chassis/appliances |
| 1082529 | 3-Major | | Delay in SSH login to Appliance management IP |
| 1080417 | 3-Major | BT1080417 | List of running containers are not captured in host qkview |
| 1080109-1 | 3-Major | | System reboot or link down/up transition causes packet loss. |
| 1079697 | 3-Major | | Incorrect link aggregation group (LAG) / trunk information passed to tenant. |
| 1078149 | 3-Major | | Unable to deploy one tenant when user attempts to deploy 28 tenants on r10800 |
| 1077785 | 3-Major | | STP errors messages reported in platform.log when global STP is enabled but STP parameters are not configured in interfaces |
| 1074381 | 3-Major | | Invalid error message in log when 40g transceiver is inserted |
| 1073553 | 3-Major | | Log rotation does not occur for k3s events. |
| 1069529-2 | 3-Major | | "Appliance Mode" UI control intermittently will revert your selection back to its configured state when enabling or disabling. |
| 1069209-1 | 3-Major | | LAG names starting with a digit |
| 1067765-1 | 3-Major | BT1067765 | VELOS GUI occasionally shows stale content after upgrading |
| 1067177-2 | 3-Major | | The 'show portgroups portgroup' command is slow when no optical transceivers are plugged into front panel ports. |
| 1066869-1 | 3-Major | | The r10000 and r5000 platforms may reuse the MAC address for both management and data plane. |
| 1066817-1 | 3-Major | | Change in the procedure of PXE installation for appliances. |
| 1066365-1 | 3-Major | | Message of the Day not working for admin user |
| 1065085 | 3-Major | BT1065085 | MD5 cipher is allowed on RESTCONF port 8888 with FIPS-enabled license. |
| 1064525-1 | 3-Major | | Interface counters are slow to update |
| 1064305-2 | 3-Major | BT1064305 | Unable to import VELOS images from the F5 downloads site |
| 1064125-1 | 3-Major | | Sw_rbcast container restarts on non-fatal errors |
| 1062021-1 | 3-Major | | Lacpd process continuously restarts after creating a LAG interface with a space. |
| 1060193 | 3-Major | | e2fsprogs vulnerability: CVE-2019-5188 |
| 1057145 | 3-Major | | Qkview capture with timeout does not stop capture after timeout |
| 1057109 | 3-Major | | CUPS Vulnerability: CVE-2017-18190 |
| 1056705 | 3-Major | | OpenLDAP Vulnerability: CVE-2020-25692 |
| 1056137 | 3-Major | | zsh Vulnerability: CVE-2019-20044 |
| 1056129 | 3-Major | | libcups vulnerabilities: CVE-2019-8696 CVE-2019-8675 |
| 1046221-2 | 3-Major | | SM2 cannot be used for creating self-signed certificates |
| 1035589-1 | 3-Major | BT1035589 | Source address for TACACS+ server group configuration does not work |
| 1034093-2 | 3-Major | | protobuf vulnerability: CVE-2021-3121 |
| 1027009 | 3-Major | | DNS servers attained through DHCP not reflected in confd |
| 1061281-1 | 4-Minor | | Snd_hda_intel 0000:00:1f.3: no codecs found. |
| 1060537 | 4-Minor | | Portgroup state set to empty strings when optic removed |

 

Cumulative fix details for F5OS-A v1.1.0 that are included in this release

991061-2 : Admin cannot edit the tenant config in Deployed state from GUI if the tenants are created via CLI; downgrading partition or rSeries appliance may leave device inoperative

Links to More Info: BT991061

Component: F5OS-A

Symptoms:
Trying to modify a tenant via the GUI or API may not work if the tenant was created via the CLI, and is deployed.

Attempting to downgrade an rSeries appliance from F5OS-A 1.1.0 or above to F5OS-A 1.0.x may fail if the device has any tenants deployed. This leaves the system inoperative, with errors similar to the following in /var/F5/system/log/confd.log:

<CRIT> 5-Jun-2022::03:17:21.056 appliance-1 confd[105]: - CDB: Upgrade failed: Upgrade transaction failed to validate: /f5-tenants:tenants/tenant{otters}/config/storage/size (value "90"): Storage size can be modified only if tenant is in Configured or Provisioned state.

Attempting to downgrade an F5OS-C partition from F5OS-C 1.3.0 or above to F5OS-C 1.2.1 or below may fail if the partition has any tenants deployed. The partition should continue running on the "from" target version.

Conditions:
Admin creates the tenant via CLI and subsequently edits the following tenant config when the running-state is set to Deployed:

-- Scale-up/Scale-down the tenant.
-- Add/Remove VLAN.

Impact:
Admin cannot scale up/scale down the cluster using the GUI if the tenant is initially deployed via CLI.

Downgrades of F5OS-A appliance or F5OS-C partition may fail or leave the system inoperative.

Workaround:
Use the CLI to scale-up/scale-down and add/remove the VLAN to the tenant.

When performing a downgrade, set the tenants to Provisioned first.


987225-3 : Container hardening

Links to More Info: K81701735


923609 : rSeries 5900 Error - Thermal fault detected in hardware

Component: F5OS-A

Symptoms:
An rSeries 5900 displays the following error message:

"WARNING: Thermal fault detected in hardware"

This issue occurs intermittently on reboot at normal operating temperature. It is a false alarm.

Conditions:
Reboot a device running at operating temperature.

Impact:
After reboot, the LCD shows an alarm message indicating that the device is exceeding or has exceeded its operating temperature, even though it is operating within the normal operating temperature range.

Workaround:
None

Fix:
A BIOS update fixes the faulty thermal threshold configuration code that was causing a false thermal event upon reboot.


1097925 : Resolving CVEs on F5OS-A 1.1.0

Component: F5OS-A

Symptoms:
F5OS-A 1.1.0 is vulnerable to the CVEs mentioned in the bug.
CVE-2021-27219
CVE-2021-43527
CVE-2022-23852
CVE-2020-10531
CVE-2022-24407
CVE-2018-1000805
CVE-2021-44142
CVE-2020-12321
CVE-2020-24489
CVE-2021-42574
CVE-2020-8625

Impact:
F5OS-A 1.1.0 is vulnerable to the CVEs mentioned in the bug.


1090089-1 : NTP service does not work on rSeries appliances

Component: F5OS-A

Symptoms:
The NTP service does not work on rSeries appliances that run F5OS-A.

Running chronyc ntpdata returns "501 Not authorized"

Conditions:
-- rSeries appliance running F5OS-A
-- NTP configured

Impact:
NTP functionality does not work.

Workaround:
Change the directory ownership to chrony using the following command:

chown chrony:chrony /var/run/chrony

Fix:
Updated ownership of the "/var/run/chrony" directory and removed unwanted configuration from "chrony.conf".


1084817-1 : Container api-svc-gateway crashes due to certificate issues partition database

Links to More Info: BT1084817

Component: F5OS-A

Symptoms:
The api-svc-gateway container crashes when a bad self-signed certificate or key is published to the partition database.

Conditions:
A corrupted certificate/key causes the issue.

Impact:
The api-svc-gateway service crashes.

Workaround:
Run the following command:

(config) # system database reset-to-default proceed

Fix:
When this happens, api-svc-gateway now:

 * detects when it cannot set up an SSL connection using these credentials
 * logs an error
 * sets health status to unhealthy with appropriate error and severity
 * tries to start a gRPC server with only insecure credentials


1084581-1 : Log files collected by QKView are truncated with the newest entries removed

Links to More Info: BT1084581

Component: F5OS-A

Symptoms:
If log files are exceedingly large, they may be truncated when collected by QKView from the 'bottom-up', meaning that the most recent log entries are clipped.

Conditions:
Log files exceed the maximum file size (default 500 MB) specified during QKView creation.

Impact:
Most recent log entries are clipped, making diagnosis difficult.

Workaround:
Collect the log files manually.

Fix:
QKView log files are now truncated 'top-down', preserving the most recent log entries.


1083261 : Invalid DNS search path causes tenants to fail to start

Component: F5OS-A

Symptoms:
Tenants fail to start, with kubevirt virt-launcher pods in a restart loop.

Conditions:
An invalid DNS search domain is configured on the system.

Impact:
Tenants fail to start and are stuck in a "Pending" state.

Workaround:
Reconfigure the DNS search domain with valid values.


1083077 : LACP trunks are not configured automatically in BIG-IP tenant running on F5OS chassis/appliances

Component: F5OS-A

Symptoms:
When an LACP trunk is configured on an F5OS chassis/appliance and only the native VLAN is attached, the LACP trunk will not be automatically configured on the BIG-IP tenant.

Conditions:
This behavior is observed only when the LACP trunk is attached to a native VLAN.

Impact:
LACP trunk configuration will not be applied to the BIG-IP tenant automatically when only a native VLAN is attached to it on the platform.

Workaround:
Configure the LACP trunk in the BIG-IP tenant manually.

Fix:
LACP trunks are now configured automatically in BIG-IP tenant running on F5OS chassis/appliances, as expected.


1082529 : Delay in SSH login to Appliance management IP

Component: F5OS-A

Symptoms:
SSH login to the appliance management IP is delayed.

Conditions:
This is an intermittent issue with no specific triggering condition.

Impact:
Login to the appliance hardware is delayed.

Workaround:
None

Fix:
Fixed the code to avoid login delays.


1080421-1 : LACP does not transmit PDU's when creating a LAG

Links to More Info: BT1080421

Component: F5OS-A

Symptoms:
LAG interface creation fails and the tx packet count in 'show lacp' is zero.

Conditions:
This issue occurs due to a race condition while creating a LAG interface and is not reproducible every time.

Impact:
Link aggregation of the front panel ports will not work as expected.

Workaround:
1) Clear the newly added LAG configuration:
   a) Remove the LACP interface:
      no lacp interfaces interface <lag-name>
   b) Remove the interfaces from the LAG:
      no interfaces interface <interface> ethernet config aggregate-id
   c) Remove the LAG interface:
      no interfaces interface <lag-interface>
2) Create the LAG interface and add interfaces to the LAG.

Fix:
Fixed the code to remove the race condition and read lag-type as LACP.


1080417 : List of running containers are not captured in host qkview

Links to More Info: BT1080417

Component: F5OS-A

Symptoms:
The list of running containers is not captured in the host qkview.

Conditions:
Collect a qkview and look for the list of containers running on the system in the qkview file.

Impact:
The list of running containers cannot be obtained from the qkview.

Workaround:
The administrator needs to run the 'docker ps' command on the system and share the output with support.

Fix:
The qkview now includes the list of running containers on the system.


1080109-1 : System reboot or link down/up transition causes packet loss.

Component: F5OS-A

Symptoms:
A reboot of the system or a link down/up transition can result in packet loss on the affected front-panel interface(s).

Conditions:
A link down->up transition on one or more front panel interfaces, initiated either from the peer side or by a system reboot.

Impact:
LACP LAGs can fail to form. Ingress traffic is not received by the tenants.

Workaround:
Reboot the system.

Fix:
Link down processing no longer resets the internal hardware state of the front panel MACs.


1079697 : Incorrect link aggregation group (LAG) / trunk information passed to tenant.

Component: F5OS-A

Symptoms:
A BIG-IP tenant running on a VELOS system incorrectly reports all "ha-only" trunk objects as up, regardless of the actual status of the trunk.

BIG-IP tenants can also report incorrect status of trunks after the LAG type is changed from LACP to STATIC or vice-versa.

An interface name is displayed as empty when an interface is deleted from a LAG.

As a result of these, high availability (HA) group failover based on trunk status is unreliable and unusable.

Conditions:
-- LAGs configured on F5OS system.
-- Attempting to use high availability (HA) group failover based on trunk status inside BIG-IP tenant.

Impact:
HA group failover based on trunk status is unreliable and unusable for BIG-IP tenants running on an F5OS system.

Workaround:
After configuring a new LAG in the F5OS partition or changing a LAG type from LACP to STATIC or from STATIC to LACP, reboot the traffic blades.

For rSeries devices, the entire device must be restarted.

After rebooting, the ha-group trunk entries should show the expected values when one or more members are missing from the aggregate link.

Fix:
This issue has been corrected.


1078633 : Tenant to API gateway communication and unit-key will not work after key rotation

Component: F5OS-A

Symptoms:
The system-api-svc-gateway fails to decrypt the unit key, crashes, and is unable to communicate with the tenant.

Conditions:
A key migration or rotation is performed in confd: system aaa primary-key

Impact:
Communication between the API gateway and the tenant is disrupted.

Note: If no key-rotation was ever done, this issue does not occur.

Workaround:
To correct the current unit-key issue, invoke the config command:
system database reset-to-default proceed yes


To avoid the issue, disable key-rotation. To prevent key rotation, add the line '/tenants/tenant{%x}/config/unit-key' to the manifest file (/etc/confd-key-migration/appliance-secure-elem-manifest, as used in the commands below) in the confd-key-migration-mgr container.

To do so, SSH into the device as root and run the following:

# docker exec -it confd-key-migration-mgr bash
bash-4.2# echo "/tenants/platform-self-signed-cert/self-signed-key" >> /etc/confd-key-migration/appliance-secure-elem-manifest
bash-4.2# echo "/tenants/tenant{%x}/config/unit-key" >> /etc/confd-key-migration/appliance-secure-elem-manifest
bash-4.2# exit
# docker restart confd-key-migration-mgr

Fix:
The system now adds the line to the manifest file.

Because the unit-key does not get re-encrypted with the new key, after upgrading to a software version containing the fix, run the config command:
system database reset-to-default proceed yes


1078149 : Unable to deploy one tenant when user attempts to deploy 28 tenants on r10800

Component: F5OS-A

Symptoms:
The 28th tenant deployment fails when 28 tenants (each with 1 vCPU) are deployed.
The issue is seen only with an r10800 license.
27 tenants are deployed successfully but the 28th tenant deployment fails.
There is no issue when one tenant is deployed with 28 vCPUs.

Conditions:
The issue is seen under the following conditions:

-- System has R10800 license installed
-- You attempt to deploy 28 tenants
-- Each tenant has only 1 vCPU

Impact:
The 28th tenant is not deployed on r10800.
The maximum number of supported tenants on r10800 is 28.


1077785 : STP errors messages reported in platform.log when global STP is enabled but STP parameters are not configured in interfaces

Component: F5OS-A

Symptoms:
The VELOS platform.log contains numerous STP error messages:

appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface name" ERRNO=8 ERRNOSTR="badly formatted or nonexistent path".
appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface port-num" ERRNO=8 ERRNOSTR="badly formatted or nonexistent path".
appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface port-state" ERRNO=8

Conditions:
The following is the correct sequence of STP configuration.

appliance-1(config)# stp global config enabled-protocol RSTP
appliance-1(config)# stp rstp interfaces interface 1.0 config cost 100;top
appliance-1(config)# stp interfaces interface 1.0 config edge-port EDGE_AUTO link-type P2P ;
appliance-1(config-interface-1.0)# exit
appliance-1(config)# commit;

If the command "stp rstp interfaces interface 1.0 config cost 100;top" is not run, the log messages will occur.

Impact:
The VELOS platform.log grows at a rate of 2MB per minute.

Workaround:
To stop these messages, configure the following:

stp rstp interfaces interface 1.0 config cost 100;top

Fix:
Multiple STP error messages are no longer logged when not needed.


1074381 : Invalid error message in log when 40g transceiver is inserted

Component: F5OS-A

Symptoms:
An erroneous message is logged when a 40G optic is inserted.

appliance-1 fpgamgr[22]: priority="Err" version=1.0 msgid=0x303000000000013 msg="Unsupported SFP+/SFP28 Optic" portgroup=1.

Conditions:
40G optical transceiver inserted in VELOS or rSeries appliance

Impact:
A log message is logged at the Error level. It can be safely ignored.

Workaround:
None

Fix:
Errant message no longer appears.


1073553 : Log rotation does not occur for k3s events.

Component: F5OS-A

Symptoms:
The k3s_events.log file is not rotated.

Conditions:
K3s provisioning from the OMD is initiated.

Impact:
Most of the system memory is consumed by k3s_events.log and the system starts responding slowly.

Workaround:
Manually empty the contents of the /var/log/k3s_events.log file.


1069529-2 : "Appliance Mode" UI control intermittently will revert your selection back to its configured state when enabling or disabling.

Component: F5OS-A

Symptoms:
On the SYSTEM SETTINGS/General screen for the rSeries appliance, the "Appliance Mode" Enable/Disable radio button choice will revert back to its configured state when you're attempting to change the configuration prior to saving it.

Conditions:
The Enable/Disable radio button for Appliance Mode will undo your preferred selection when the screen does a periodic poll in the background to refresh state information that is displayed on the SYSTEM SETTINGS/General screen.

Impact:
If you attempt to either enable or disable Appliance Mode and the screen does a periodic polling refresh at the moment you make your desired selection, your selection will be reverted back to the actual current configuration state for Appliance Mode.

Workaround:
The impact is intermittent and only occurs at the precise moment the screen is refreshing its state information, typically at a 10 second interval. Appliance Mode can still be enabled or disabled via the webUI as long as the change is made while the screen is not doing a periodic refresh. Additionally, Appliance Mode can be enabled or disabled from the command line interface (CLI).

Fix:
Periodic polling on the SYSTEM SETTINGS/General screen for rSeries appliances will be disabled or removed.


1069209-1 : LAG names starting with a digit

Component: F5OS-A

Symptoms:
Provisioning a VELOS tenant with a LAG name that begins with a digit can fail.

Conditions:
-- Configuring a LAG with a name that begins with a digit.
-- Provisioning a BIG-IP tenant

Impact:
VELOS tenant fails.

Workaround:
Do not configure LAG names that start with a digit.

Fix:
LAG names with digits are no longer allowed.


1067765-1 : VELOS GUI occasionally shows stale content after upgrading

Links to More Info: BT1067765

Component: F5OS-A

Symptoms:
After upgrading VELOS and reloading a page, the GUI sometimes displays stale content in the browser cache.

Conditions:
The VELOS software has been upgraded and the browser cache settings are set to allow caching.

Impact:
Stale content is displayed.

Workaround:
Empty your browser cache and reload the page to display the latest content.

Fix:
This issue is fixed and the correct content is displayed after upgrading.


1067177-2 : The 'show portgroups portgroup' command is slow when no optical transceivers are plugged into front panel ports.

Component: F5OS-A

Symptoms:
The 'show portgroups portgroup' command is slow when no optical transceivers are plugged into front panel ports. This affects the CLI, GUI, and RESTCONF.

Conditions:
r5000 and r1000 platforms with sparsely populated or empty front panel ports.

Impact:
Slow response to portgroup information on unpopulated front panel ports. No functional impact - just slow reporting.

Workaround:
N/A

Fix:
N/A


1066869-1 : The r10000 and r5000 platforms may reuse the MAC address for both management and data plane.

Component: F5OS-A

Symptoms:
The MAC address assigned to the macvlan interface mgmt0-system may also be assigned to a dataplane object: a lag or a tenant.

Conditions:
More than 233 LAGs or tenants are configured on an r10000 or r5000 platform.

Impact:
If the management interface mgmt0-system and the lag or tenant are on the same broadcast domain, both devices will have communication problems. Duplicate MACs going to different switches will be fine.

Workaround:
The MAC address that will be duplicated is at offset 0xfc from the base MAC. If a tenant or LAG has been assigned base MAC + 0xfc, remove the tenant or LAG, reduce the number of LAGs + tenants to less than 252, then re-create the tenant or LAG, checking that the assigned MAC does not use offset 0xfc from the base MAC.

Fix:
The pool of available MAC addresses to be used for tenants or lags on r10000 and r5000 platforms has been reduced from 236 to 233 to ensure unique MACs are supplied for all interfaces, lags and tenants.
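
The check described in the workaround for 1066869, as an added example (not F5 code): given the base MAC and the MACs assigned to LAGs and tenants, it reports each object's offset from the base and flags any at 0xfc. The function names, the base MAC and the object names are constructed for illustration; how the addresses are collected from the system is left to the operator.

```python
import re

CONFLICT_OFFSET = 0xFC  # offset from the base MAC named in the workaround above


def mac_to_int(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into a 48-bit integer."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(octets), 16)


def int_to_mac(value):
    """Format a 48-bit integer as a lower-case, colon-separated MAC."""
    if not 0 <= value < 1 << 48:
        raise ValueError("MAC value out of 48-bit range")
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def management_collision_mac(base_mac):
    """MAC at base + 0xfc; the addition carries into higher octets when needed."""
    return int_to_mac(mac_to_int(base_mac) + CONFLICT_OFFSET)


def audit_assignments(base_mac, assigned):
    """Return (name, normalised MAC, offset from base, is_conflict) per object."""
    base = mac_to_int(base_mac)
    report = []
    for name, mac in sorted(assigned.items()):
        value = mac_to_int(mac)
        offset = value - base
        report.append((name, int_to_mac(value), offset, offset == CONFLICT_OFFSET))
    return report


def conflicts(base_mac, assigned):
    """Names of LAGs/tenants whose MAC sits at offset 0xfc from the base MAC."""
    return [name for name, _, _, bad in audit_assignments(base_mac, assigned) if bad]


# Constructed sample data: a locally administered base MAC and three objects.
SAMPLE_BASE_MAC = "02:00:5e:10:00:10"
SAMPLE_ASSIGNED = {
    "lag-a": "02:00:5e:10:00:11",
    "tenant-b": "02-00-5E-10-01-0C",   # base + 0xfc, written in a different style
    "tenant-c": "02:00:5e:10:00:fb",
}

if __name__ == "__main__":
    print("MAC to avoid:", management_collision_mac(SAMPLE_BASE_MAC))
    for name, mac, offset, bad in audit_assignments(SAMPLE_BASE_MAC, SAMPLE_ASSIGNED):
        flag = "CONFLICT" if bad else "ok"
        print(f"{name:10s} {mac}  offset={offset:#04x}  {flag}")
```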


1066817-1 : Change in the procedure of PXE installation for appliances.

Component: F5OS-A

Symptoms:
There is a change in the procedure of PXE installation for appliances, defined at

https://techdocs.f5.com/en-us/f5os-a-1-0-0/f5-rseries-systems-installation-upgrade/title-install-upgrade-software.html#clean-install

Conditions:
After PXE install, the ISO needs to be copied to /var/export/chassis/import/iso folder before doing any other import activities.

Impact:
If this step is skipped, issues will occur with the software import and upgrade process.

Workaround:
None

Fix:
Fixed an issue with the documentation.


1066365-1 : Message of the Day not working for admin user

Component: F5OS-A

Symptoms:
Message of the Day (MOTD) is not displayed when the admin user logs in to BIG-IP Next.

Conditions:
Message of the day (MOTD) is configured on the BIG-IP Next.

Impact:
Admin users do not see the MOTD banner when they log in.

Workaround:
None

Fix:
MOTD is now displayed if configured.


1065589 : K3S service does not start after system downgrade.

Component: F5OS-A

Symptoms:
During tenant deployment, the "compute" pod fails to come up.
Multiple kubehelper pods will be triggered.

Conditions:
This can occur after a downgrade.

Impact:
Tenant deployments fail.

Workaround:
1) Manually delete the script /var/F5/system/apigw-tenant-helper.sh before the downgrade.
2) If you forget to delete the script (step 1), the recovery options are:
  a) Remove the file and reboot the system.
  b) Perform a bare metal install.

Fix:
N/A


1065085 : MD5 cipher is allowed on RESTCONF port 8888 with FIPS-enabled license.

Links to More Info: BT1065085

Component: F5OS-A

Symptoms:
When a FIPS-enabled license is installed on the system, some MD5 ciphers are allowed on RESTCONF port 8888, when they should not be allowed.

Conditions:
The command "openssl s_client -connect <mgmt-ip>:8888 -cipher MD5" returns a valid certificate.

Impact:
MD5 SSLCipher continues to work on port 8888 on both system controller and chassis partition management IP addresses.

Workaround:
None

Fix:
Removed MD5 SSLCipherSuites from ssl.conf when a FIPS-enabled license is installed on the system.


1064525-1 : Interface counters are slow to update

Component: F5OS-A

Symptoms:
Interface counters do not immediately reflect traffic activity.

Conditions:
Normal user traffic

Impact:
Interface counters may not reflect the exact amount of traffic due to being slow to update.

Fix:
Increase counter polling frequency.


1064305-2 : Unable to import VELOS images from the F5 downloads site

Links to More Info: BT1064305

Component: F5OS-A

Symptoms:
Importing images from the F5 downloads site using the VELOS GUI fails.

Conditions:
-- Using direct links to the VELOS image on the F5 downloads site.
-- The URL contains a query string with parameters.

Impact:
The VELOS system fails to download the image from the F5 downloads site.

Workaround:
Use the confd CLI to download the file:

1. Using your web browser, navigate to the appropriate "Select a Download" screen for the file that you wish to download directly to the VELOS system

2. Copy the URL for the file

3. Use the file import command, ensuring that you put the remote-url value in quotation marks, for example:

syscon-1-active# file import remote-url "https://downloads07.f5.com/esd/download.sv?loc=downloads07.f5.com/downloads/53b686a5-d1cc-484d-af8b-5decd705d174/F5OS-C-1.2.2-12471.CONTROLLER.iso" local-file images/staging/

To check the download status, run the following command:
file transfer-status

Fix:
You can now import VELOS images from the F5 downloads site.


1064125-1 : Sw_rbcast container restarts on non-fatal errors

Component: F5OS-A

Symptoms:
VELOS logs indicate a disconnect and restart of the sw_rbcast container:

appliance-1 sw-rbcast[20]: priority="Notice" version=1.0 msgid=0x6903000000000003 msg="Software Rebroadcaster disconnected from Host DMA-Agent." error=3.
appliance-1 sw-rbcast[20]: priority="Info" version=1.0 msgid=0x6903000000000002 msg="Software Rebroadcaster connected to Host DMA-Agent".

Conditions:
High volume (> 200k packets/second) of broadcast traffic.

Impact:
None. The container restarts and continues to process traffic.

Workaround:
None

Fix:
Container no longer restarts for non-fatal errors.
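
The log excerpts quoted under 1077785, 1074381 and 1064125 share one `key=value` layout, so a single pass over platform.log can attribute entries to those bugs. The following is an added example, not F5 tooling: the function names are hypothetical, the signature table is built only from the daemon names and msgid values quoted in these notes, and the last two sample lines are constructed.

```python
import re
from collections import Counter

# (daemon, msgid) pairs copied from the log excerpts in these release notes,
# mapped to the bug ID whose section quotes them.
KNOWN_SIGNATURES = {
    ("stpd", 0x6102000000000018): "1077785",       # "Failed to write to cdb"
    ("fpgamgr", 0x303000000000013): "1074381",     # "Unsupported SFP+/SFP28 Optic"
    ("sw-rbcast", 0x6903000000000003): "1064125",  # rebroadcaster disconnected
}

# "<host> <daemon>[<pid>]: <body>"; search() tolerates any prefix before the host.
LINE_RE = re.compile(r'(?P<host>\S+)\s+(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]:\s+(?P<body>.*)$')
# key="quoted value" or key=bare-token
KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_line(line):
    """Return {'host', 'daemon', 'pid', 'fields'} or None if the line does not match."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    fields = {}
    for kv in KV_RE.finditer(m.group("body")):
        if kv.group("quoted") is not None:
            value = kv.group("quoted")
        else:
            # A bare token at the end of a message carries the sentence's full stop.
            value = kv.group("bare").rstrip(".")
        fields[kv.group("key")] = value
    return {"host": m.group("host"), "daemon": m.group("daemon"),
            "pid": int(m.group("pid")), "fields": fields}


def triage(lines):
    """Count lines per known bug signature.

    Returns (hits per bug ID, CDB fields named by stpd per bug ID, unparsed line count).
    """
    hits = Counter()
    cdb_fields = {}
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        try:
            msgid = int(rec["fields"].get("msgid", ""), 16)
        except ValueError:
            continue  # parsed, but carries no usable msgid
        bug = KNOWN_SIGNATURES.get((rec["daemon"], msgid))
        if bug is None:
            continue
        hits[bug] += 1
        if "FIELD" in rec["fields"]:
            cdb_fields.setdefault(bug, set()).add(rec["fields"]["FIELD"])
    return hits, cdb_fields, unparsed


# First six lines are the excerpts quoted in these notes; the last two are constructed.
SAMPLE_LINES = [
    'appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface name" ERRNO=8 ERRNOSTR="badly formatted or nonexistent path".',
    'appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface port-num" ERRNO=8 ERRNOSTR="badly formatted or nonexistent path".',
    'appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface port-state" ERRNO=8',
    'appliance-1 fpgamgr[22]: priority="Err" version=1.0 msgid=0x303000000000013 msg="Unsupported SFP+/SFP28 Optic" portgroup=1.',
    'appliance-1 sw-rbcast[20]: priority="Notice" version=1.0 msgid=0x6903000000000003 msg="Software Rebroadcaster disconnected from Host DMA-Agent." error=3.',
    'appliance-1 sw-rbcast[20]: priority="Info" version=1.0 msgid=0x6903000000000002 msg="Software Rebroadcaster connected to Host DMA-Agent".',
    'appliance-1 stpd[1]: priority="Info" version=1.0 msgid=0x6102000000000001 msg="constructed unrelated message".',
    'constructed line that is not in the expected layout',
]

if __name__ == "__main__":
    hits, cdb_fields, unparsed = triage(SAMPLE_LINES)
    for bug, count in sorted(hits.items()):
        print(f"bug {bug}: {count} matching line(s)", sorted(cdb_fields.get(bug, [])))
    print("unparsed lines:", unparsed)
```

Only the sw-rbcast disconnect message is counted for 1064125; the reconnect message that follows it is left unmatched so each restart is counted once.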


1064089 : Traffic over shared VLANs does not work

Component: F5OS-A

Symptoms:
When two tenants share a VLAN, ARP replies from the tenants are not forwarded to the front-panel interfaces.

Conditions:
Two tenants sharing a VLAN

Impact:
Traffic does not work over shared VLANs

Fix:
Program service DAG entries into the ATSE-NSE logic.


1063781 : Duplicate broadcast/multicast packets are sent out a front panel interface.

Component: F5OS-A

Symptoms:
Clients may report 'duplicate response' due to multiple copies of the same broadcast/multicast packet.

Conditions:
Tenant-generated broadcast/multicast traffic destined for a front-panel interface.

Impact:
No functional impact. Clients may report 'duplicate response' messages.

Fix:
Correct hardware programming to only send one copy of broadcast/multicast out a front-panel interface.


1062021-1 : Lacpd process continuously restarts after creating a LAG interface with a space.

Component: F5OS-A

Symptoms:
The lacpd service restarts when the LAG name contains a space.

The tenant does not get the LAG name and shows a null value:
[root@localhost:Active:Standalone] config # tmsh list net trunk
net trunk "" {
    cfg-mbr-count 2
    distribution-hash src-dst-mac
    id 0
    interfaces {
        1.0
        2.0
    }
    stp disabled
    type ha-only
    working-mbr-count 2
}

Conditions:
LAG name contains a space.
Example: "lacp lag"
appliance-1(config)# interfaces interface "lacp lag" config type ieee8023adLag

Impact:
1. Lacpd service restarts.
2. BIG-IP tenant does not get the trunk name.


Note: When performing a live upgrade from an EA release to a GA release, any LAG created with a space in its name will not work; you must either delete these LAGs or do a bare metal install before performing the live upgrade.

Workaround:
Don't create a LAG name that has a space in it.

Fix:
N/A


1061281-1 : Snd_hda_intel 0000:00:1f.3: no codecs found.

Component: F5OS-A

Symptoms:
During a reboot, error messages related to snd_hda_intel are logged:

"snd_hda_intel 0000:00:1f.3: no codecs found!"

Conditions:
This occurs during a reboot of an rSeries appliance.

Impact:
No functional impact, the error can be safely ignored.

Workaround:
N/A

Fix:
An erroneous error message has been suppressed.


1061149 : Libvirt core is generated on system reboot

Component: F5OS-A

Symptoms:
A flawed core file is generated intermittently on system reboot, but the tenant is actually healthy and functional after the reboot.

Conditions:
Intermittently on system reboots.

Impact:
A libvirt core file is generated, but the tenant is actually healthy and functional.

Workaround:
None

Fix:
No impact on functionality. No user action is expected.


1060905 : Perl Vulnerability: CVE-2020-10878

Links to More Info: K40508224


1060537 : Portgroup state set to empty strings when optic removed

Component: F5OS-A

Symptoms:
When an optical transceiver is removed from a front panel port the portgroup state information in confd is set to empty strings

Conditions:
Physical removal of an optical transceiver in VELOS or rSeries

Impact:
Empty string is returned to REST call for portgroups/portgroup/state information when optic is removed.

Fix:
When an optical transceiver is removed from a front panel port the portgroup state is completely removed and will not show up in confd at all.


1060193 : e2fsprogs vulnerability: CVE-2019-5188

Component: F5OS-A

Symptoms:
A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Conditions:
- A specially crafted ext4 directory

Impact:
- Code execution via e2fsck

Workaround:
N/A

Fix:
e2fsprogs updated to mitigate CVE-2019-5188


1057145 : Qkview capture with timeout does not stop capture after timeout

Component: F5OS-A

Symptoms:
Qkview capture does not stop when the timeout value expires.
Qkview ignores the timeout setting and proceeds with collection.

Conditions:
Timeout value is exceeded in the qkview capture command

Impact:
Qkview does not stop capture after the timeout expires

Workaround:
Invoke the qkview cancel command to stop the capture manually after the timeout value expires.

`system diagnostics qkview cancel`

Fix:
Timeout is handled correctly to stop qkview capture after timeout.


1057109 : CUPS Vulnerability: CVE-2017-18190

Component: F5OS-A

Symptoms:
A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).

Conditions:
- localhost.localdomain whitelist entry
- Unsafe DNS results for localhost.localdomain

Impact:
Remote attackers can execute IPP commands

Workaround:
N/A

Fix:
CUPS has been updated to mitigate CVE-2017-18190


1056705 : OpenLDAP Vulnerability: CVE-2020-25692

Component: F5OS-A

Symptoms:
This flaw allows a remote, unauthenticated attacker to crash the slapd process by sending a specially crafted request, causing a denial of service. The highest threat from this vulnerability is to system availability.

Conditions:
- LDAP request for renaming RDNs

Impact:
OpenLDAP slapd crashes on what seems to be a null-ptr-dereference after receiving a malicious TCP packet.

Workaround:
N/A

Fix:
OpenLDAP updated to mitigate CVE-2020-25692


1056137 : zsh Vulnerability: CVE-2019-20044

Component: F5OS-A

Symptoms:
A flaw was found in zsh. When unsetting the PRIVILEGED option, the shell sets its effective user and group IDs to match their respective real IDs.

Conditions:
When the RUID and EUID were both non-zero, it is possible to regain the shell's former privileges.

Impact:
Insecure dropping of privileges when unsetting PRIVILEGED option

Workaround:
N/A

Fix:
Updated zsh to mitigate CVE-2019-20044


1056129 : libcups vulnerabilities: CVE-2019-8696 CVE-2019-8675

Component: F5OS-A

Symptoms:
A stack buffer overflow was found in libcups's asn1_* functions.

Conditions:
- Certificate usage within libcups

Impact:
Stack buffer overflow

Workaround:
N/A

Fix:
libcups updated to mitigate CVE-2019-8696 CVE-2019-8675


1046221-2 : SM2 cannot be used for creating self-signed certificates

Component: F5OS-A

Symptoms:
When creating a self-signed certificate, VELOS returns an error.

The create self-signed certificate function allows for elliptic curves but does not work for 'SM2'.

Conditions:
When requesting a certificate using type ec, the curve name SM2 can be selected.

Impact:
Attempting to use SM2 curve name results in an error.

Workaround:
Outside confd you can create the SM2 key using:
/usr/bin/openssl ecparam -genkey -name SM2

The key can then be entered using system-aaa-tls-config-key and subsequently used to create a CSR.

The self-signed certificate would need to be created using openssl commands and entered manually if it is to be stored.

Fix:
The SM2 curve name can now be used like all the other ec curve names.


1035589-1 : Source address for TACACS+ server group configuration does not work

Links to More Info: BT1035589

Component: F5OS-A

Symptoms:
Attempting to set the source-address for a TACACS+ server group configuration might fail or not work as expected.

Conditions:
Attempt to configure source-address for TACACS+ server group.

Impact:
No functional impact, as the source-address isn't used.

Workaround:
The source-address is not used by the TACACS+ client. Do not configure source-address.

Fix:
The source-address config element is now removed for TACACS+ server-group configuration.


1034093-2 : protobuf vulnerability: CVE-2021-3121

Component: F5OS-A

Symptoms:
A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects.

Conditions:
- Unmarshalling protobuf objects

Impact:
This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability.

Workaround:
N/A

Fix:
Protobuf updated to mitigate CVE-2021-3121


1027009 : DNS servers attained through DHCP not reflected in confd

Component: F5OS-A

Symptoms:
When DHCP is enabled on the management interface, DNS servers are obtained from the DHCP server. The 'show system dns' command in confd does not show the DNS entries obtained through DHCP.

Conditions:
Enable DHCP on the management interface from confd

Impact:
DNS server IPs obtained dynamically from the DHCP server are not displayed by confd

Workaround:
None

Fix:
Fixed code to update confd with DNS server IP addresses when DHCP is enabled on the management interface


1012437-1 : Tenant virtual disk is deleted when the tenant running-state is set to "configured."

Links to More Info: BT1012437

Component: F5OS-A

Symptoms:
A VELOS tenant's virtual-disk is deleted when the tenant running-state is set back to "configured" after having been "deployed." This behavior differs from vCMP.

It is recommended that you set the tenant running-state to "provisioned" in order to stop the running tenant.

Conditions:
Tenant running-state changed from "deployed" to "configured."

Impact:
Virtual disk is deleted, resulting in loss of tenant configuration.

Workaround:
Fixed. No workaround needed.

Fix:
The system no longer deletes the virtual disk when the state is changed from deployed to configured.



Known Issues in F5OS-A v1.1.x


F5OS-A Issues

ID Number Severity Links to More Info Description
1123685-1 1-Blocking   Occasionally Selinux modules are getting corrupted when the system reboots
1123121-3 1-Blocking   Occasional issue with tenant deployment after live upgrade on r2xxx/r4xxx series platforms
1117649-1 1-Blocking   rSeries Appliance inoperable after powering down from Linux while configured for Appliance mode
1117277 1-Blocking   Occasional issue observed when tenant deployed on r2xxx/r4xxx series
1117237 1-Blocking   FPGA bit files are not updated to the latest version after a live upgrade
1112141-1 1-Blocking   10G/25G/40G burst support in rSeries appliance
1099437-2 1-Blocking   Nic-manager core file
1083061-1 1-Blocking   Loading saved config to BIG-IP fails if host modifications are made after "tmsh save sys config"
1184917-1 2-Critical   On rSeries, the MAC masquerade feature is only supported on BIG-IP tenants 15.1.6 and later
1121889 2-Critical   ConfD encryption key can lock up the TPM module
1121793 2-Critical   System goes into inoperative state when downgraded from 1.1.1 to 1.0.1 without moving the tenant to configured state
1117621 2-Critical   After an appliance upgrade from 1.0.1 to 1.1.1, a tenant in Provisioned state may show inconsistent CLI status
1114485-2 2-Critical   K3s cluster goes to unhealthy state when system is rebooted after changing hostname.
1086381-2 2-Critical   Tenant deployment failing with error - "failed to set netlink MAC address: resource temporarily unavailable"
1084549-1 2-Critical   VLAN sharing isn't allowed on r2000 and r4000 systems
1117417-1 3-Major   Database config restore failed on rSeries appliance
1116869-2 3-Major   Tcpdump on F5OS does not capture packets of certain sizes
1112533-3 3-Major   Status LED color always stays amber
1103001-2 3-Major   Tenants fail to come up after a live upgrade from pre-1.1.0 version to 1.1.0 on the r4xxx appliances
1101365-2 3-Major   Delay in tenant deployment with tenant image corruption error
1100305 3-Major   Tcpdump capture of packets with interface-based filtering fails on r5000 and r10000 appliances
1091941 3-Major   Tenant running instance status shows some error/warning events in confd
1086749 3-Major   Interface speeds are not reported correctly when linked at a slower speed
1083921-1 3-Major   VLAN name change is not allowed once a tenant is launched
1083561 3-Major   Tenant running instance status shows some error/warning events in confd
1082513-1 3-Major   LACP waitOnAlertFd Errors
1080437-1 3-Major   VerifyDmesg test failure
1063649-1 3-Major   Changing the system date to be older than the installation date is not supported.
1122941-1 4-Minor   Port-profile changes when tenants are in the deployed state

 

Known Issue details for F5OS-A v1.1.x

1184917-1 : On rSeries, the MAC masquerade feature is only supported on BIG-IP tenants 15.1.6 and later

Component: F5OS-A

Symptoms:
The MAC masquerade feature is only supported on BIG-IP tenant versions 15.1.6 and later. Using the feature in an HA pair can cause traffic to fail over incorrectly between the pair.

Conditions:
MAC masquerade is used on rSeries with BIG-IP tenant versions other than 15.1.6 and later.

Impact:
Traffic may be degraded on a failover between an HA pair.

Workaround:
Upgrade BIG-IP tenant version to 15.1.6 or later.


1123685-1 : Occasionally Selinux modules are getting corrupted when the system reboots

Component: F5OS-A

Symptoms:
On rSeries appliances, if SELinux modules are corrupted:
-- The virt-handler pod crashes continuously.
-- The tenant is in a pending state.
-- The semodule file size is 0 in the directory "/etc/selinux/targeted/active/modules/400/".

Conditions:
An interruption, such as an abrupt power off, occurs while SELinux modules are being built during system bootup.

Impact:
-- The virt-handler pod crashes continuously.
-- Tenant functionality is impacted.

Workaround:
None.
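
The zero-size symptom listed above can be checked from the bash prompt. The following is an added example, not F5 code: it reports empty files under the module directory named in this issue and the modules they belong to. The function names are hypothetical, and the per-module subdirectory layout (`<store>/<module>/<file>`) is an assumption based on the usual SELinux module store.

```shell
#!/usr/bin/env bash
# Added example (not F5 code): report zero-length files in the SELinux
# module store, the on-disk symptom listed for issue 1123685-1.

# Default path is the directory named in the release note.
SELINUX_MODULE_DIR="/etc/selinux/targeted/active/modules/400"

# Print every zero-length regular file under the store, one per line.
# Returns 0 = no empty files, 1 = empty files found, 2 = store missing.
find_empty_module_files() {
    store="${1:-$SELINUX_MODULE_DIR}"
    store="${store%/}"                      # tolerate a trailing slash
    if [ ! -d "$store" ]; then
        echo "module store not found: $store" >&2
        return 2
    fi
    # -size 0 matches only files whose length is zero bytes.
    empty_files=$(find "$store" -type f -size 0 | sort)
    if [ -z "$empty_files" ]; then
        return 0
    fi
    printf '%s\n' "$empty_files"
    return 1
}

# Reduce the file list to unique module names.
# Assumption: each module is a subdirectory of the store.
list_affected_modules() {
    store="${1:-$SELINUX_MODULE_DIR}"
    store="${store%/}"
    find_empty_module_files "$store" | while IFS= read -r path; do
        rel="${path#"$store"/}"             # path relative to the store
        printf '%s\n' "${rel%%/*}"          # first component = module name
    done | sort -u
}

# One-line verdict suitable for a post-boot health check.
check_selinux_store() {
    store="${1:-$SELINUX_MODULE_DIR}"
    check_rc=0
    find_empty_module_files "$store" > /dev/null || check_rc=$?
    case "$check_rc" in
        0) echo "OK: no zero-length module files in $store" ;;
        1) echo "CORRUPT: zero-length files in module(s):" \
                $(list_affected_modules "$store") ;;
        *) echo "UNKNOWN: module store could not be read" ;;
    esac
    return "$check_rc"
}

# Constructed module store for offline testing: one intact module and
# one whose files are truncated to zero bytes. Prints the store path.
make_constructed_store() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/intact_mod" "$root/truncated_mod"
    printf '(constructed cil)\n' > "$root/intact_mod/cil"
    printf 'pp\n' > "$root/intact_mod/lang_ext"
    : > "$root/truncated_mod/cil"
    : > "$root/truncated_mod/lang_ext"
    printf '%s\n' "$root"
}

# Run the check only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then check_selinux_store "$1"; fi
```

A non-zero exit status after an abrupt power loss indicates the condition described in this issue before tenants are found stuck in a pending state.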


1123121-3 : Occasional issue with tenant deployment after live upgrade on r2xxx/r4xxx series platforms

Component: F5OS-A

Symptoms:
Interface drivers are not created, leading to tenant deployment failure after a live upgrade on r2xxx/r4xxx series platforms.

Conditions:
-- Live upgrade from F5OS version 1.1.0 to F5OS version 1.1.1.
-- Using r2xxx/r4xxx series platforms.

Impact:
Tenant deployment fails occasionally.

Workaround:
Reboot the device and try the upgrade again.


1122941-1 : Port-profile changes when tenants are in the deployed state

Component: F5OS-A

Symptoms:
Port-profile changes are not being blocked when tenants are in the deployed state.

Conditions:
Changing the port-profile on a system with a tenant whose running-state is deployed.

Impact:
Tenants may not come up after the system reboots.

Workaround:
For each tenant in the deployed state, move the tenant running state to provisioned and back to deployed.

The tenant will then come up and function properly.


1121889 : ConfD encryption key can lock up the TPM module

Component: F5OS-A

Symptoms:
Due to an error that happens rarely in the HAL layer, the encryption key mechanism can misinterpret such an error as a valid identifier for the system. This causes the TPM to lock up, using that identifier, but then the actual identifier no longer unlocks the TPM.

Conditions:
This happens rarely but when it does, the system-manager cannot read the encryption keys and will not start ConfD.

This manifests as the configuration failing to start when you attempt to become admin.

Impact:
The system is unusable. Installing a new ISO does not help.
The TPM must be cleared to become unlocked. Once the TPM is cleared, a new key is generated, so existing encryptions need to be re-encrypted. This requires that the ConfD system database be reset to default.

Workaround:
The workaround is to do the following:

 # docker exec system_platform-mgr tpm2_takeownership -c
 # docker restart system_manager
 # su admin
 # config
 # (config) system database reset-to-default proceed yes
 # exit; exit
 # docker restart system_api_svc_gateway


1121793 : System goes into inoperative state when downgraded from 1.1.1 to 1.0.1 without moving the tenant to configured state

Component: F5OS-A

Symptoms:
The system goes into an inoperative state when it is downgraded from F5OS-A version 1.1.1 to F5OS-A version 1.0.1 without first moving the version 1.1.1 tenant to a configured state.

Conditions:
When downgraded from 1.1.1 to 1.0.1 without moving the 1.1.1 tenant to the configured state

Impact:
System becomes inoperative.

Workaround:
1. rm /var/F5/system/confd/*.cdb
2. reboot

Note: This removes all the system configuration.


1117649-1 : rSeries Appliance inoperable after powering down from Linux while configured for Appliance mode

Component: F5OS-A

Symptoms:
If the rSeries device is powered down from Linux (for example, using 'halt -p', 'poweroff', or 'shutdown -h now') while in Appliance mode, the device becomes permanently disabled.

In this state, nothing external can be done to power on the Linux host, for example, cycling power, accessing the LCD Power on option, or pressing the Power button.

Trying to access the AOM menu from the serial console reports the following message:
 AOM Command Menu - disabled for security purposes.

Conditions:
-- Appliance mode is enabled (this is the state the 'appliance-setup-wizard' sets when it runs to completion).

-- The host is powered down (for example, using 'halt -p', 'poweroff', or 'shutdown -h now')

Impact:
The AOM command menu is not available to power on the host. A power cycle of the appliance does not power on the host.

The disabled appliance must be replaced.

Workaround:
***Important!***

If the BIG-IP rSeries appliance is configured for Appliance mode, do not power off the device using commands such as 'halt -p', 'poweroff', or 'shutdown -h now'.

Instead, run 'halt' and then remove power from the system (for example, unplug, remove power brick, remove power from rack).

Note: If you have already encountered this issue, contact F5 Support (https://www.f5.com/services/support) to request an RMA. For more information, refer to K12882: Overview of the F5 RMA process (https://support.f5.com/csp/article/K12882).


1117621 : After an appliance upgrade from 1.0.1 to 1.1.1, a tenant in Provisioned state may show inconsistent CLI status

Component: F5OS-A

Symptoms:
After an appliance upgrade from 1.0.1 to 1.1.1, if the running-state of a tenant is configured in the Provisioned state, the operational status of the tenant may oscillate between "Ready to deploy" and "Allocating resources to the tenant is in progress" state in the partition CLI status.

Conditions:
A race condition that exists after an appliance upgrade from 1.0.1 to 1.1.1 may display an inaccurate tenant operational state when the tenant is configured as Provisioned.

Impact:
The tenant state constantly changes.

Workaround:
Configure the running-state of the tenant to Deployed.


1117417-1 : Database config restore failed on rSeries appliance

Component: F5OS-A

Symptoms:
System database config-restore fails when the system images present when the backup was taken do not match the images currently present on the system.

Conditions:
The current system images that are present on the system (show system image) do not match the list of images that are stored in the backup file.

Impact:
Config restore fails.

Workaround:
Edit the configuration backup file and delete the <image> stanza, from:

    <image xmlns="http://f5.com/yang/system/image">
to
    </image>
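
The edit described in this workaround can be scripted so that the original backup is never modified. The following is an added example, not F5 code: the function names and the sample backup are constructed, and it assumes the opening and closing `<image>` tags each sit on their own line, as quoted above.

```shell
#!/usr/bin/env bash
# Added example (not F5 code): remove the <image> stanza from a copy of a
# configuration backup, as the workaround for issue 1117417-1 describes.

# Opening tag exactly as quoted in the release note.
IMAGE_OPEN_TAG='<image xmlns="http://f5.com/yang/system/image">'

# strip_image_stanza SRC DST
# Writes SRC minus the <image>...</image> stanza to DST; SRC is not changed.
# Returns 0 on success, 1 if SRC is unreadable, 2 if SRC has no stanza,
# 3 if the stanza never closes (DST is then not written).
strip_image_stanza() {
    src="$1"; dst="$2"
    [ -r "$src" ] || { echo "cannot read: $src" >&2; return 1; }
    grep -qF "$IMAGE_OPEN_TAG" "$src" || {
        echo "no <image> stanza in $src" >&2; return 2; }
    tmp_out=$(mktemp) || return 1
    if awk -v otag="$IMAGE_OPEN_TAG" '
        # Outside the stanza: copy lines through unchanged.
        depth == 0 && index($0, otag) == 0 { print; next }
        {
            # Entering or inside the stanza: drop the line and track
            # nesting so an inner <image> element cannot end the
            # deletion early.
            line = $0
            depth += gsub(/<image[ >]/, "&", line)
            depth -= gsub(/<\/image>/, "&", line)
        }
        # A stanza still open at end of file means a damaged backup.
        END { if (depth != 0) exit 3 }
    ' "$src" > "$tmp_out"; then
        mv "$tmp_out" "$dst"
    else
        rm -f "$tmp_out"
        echo "unterminated <image> stanza in $src; $dst not written" >&2
        return 3
    fi
}

# Constructed sample backup (not a real F5OS file) for offline testing.
make_constructed_backup() {
    cat > "$1" <<'EOF'
<config>
  <system>
    <hostname>appliance-1</hostname>
  </system>
  <image xmlns="http://f5.com/yang/system/image">
    <constructed-entry>placeholder</constructed-entry>
  </image>
  <vlans>
    <vlan>200</vlan>
  </vlans>
</config>
EOF
}

# Run only when both file names are given on the command line.
if [ "$#" -eq 2 ]; then strip_image_stanza "$1" "$2"; fi
```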


1117277 : Occasional issue observed when tenant deployed on r2xxx/r4xxx series

Component: F5OS-A

Symptoms:
The r2xxx/r4xxx appliance interface drivers are not created in time, which leads to tenant deployment failure after a PXE boot, live upgrade, reboot, or port profile change.

Conditions:
Live upgrade from any version to v1.1.1, PXE boot, reboot, or port profile change.

Impact:
Occasionally tenant deployment fails to come up.

Workaround:
None


1117237 : FPGA bit files are not updated to the latest version after a live upgrade

Component: F5OS-A

Symptoms:
FPGA bit files are not updated to the latest version after a live upgrade.

Conditions:
Live upgrade to an ISO file.

Impact:
Unexpected behavior with tenant and traffic.

Workaround:
Run the following commands from the bash prompt:

1. /bin/systemctl stop appliance_orchestration_manager_container.service

2. /bin/systemctl stop platform-services-deployment.service

3. reboot

Once the system is rebooted, the correct bit files will be installed.


1116869-2 : Tcpdump on F5OS does not capture packets of certain sizes

Component: F5OS-A

Symptoms:
When using tcpdump on the F5OS host, packets of certain sizes may not be captured via tcpdump.

Conditions:
Packets smaller than 1501 bytes and larger than 1483 bytes, as well as packets in several other size ranges, are affected by this issue.

Impact:
Tcpdumps may be incomplete.


1114485-2 : K3s cluster goes to unhealthy state when system is rebooted after changing hostname.

Component: F5OS-A

Symptoms:
When the system hostname is changed and the system is rebooted, all or some of the following symptoms may be encountered:
-- System-related pods in K3s are stuck in a failure state.
-- The K3s cluster shows more than one node.
-- OMD continuously cores.

Conditions:
The system is rebooted after the hostname is configured in confd.

Impact:
-- K3s cluster goes into an unhealthy state.
-- Tenant functionality is impacted.

Workaround:
None


1112533-3 : Status LED color always stays amber

Component: F5OS-A

Symptoms:
The status LED is always amber.

Conditions:
This occurs during normal operation when the status LED should be green.

Impact:
Status LED may not change to green when system is operational.

Workaround:
None


1112141-1 : 10G/25G/40G burst support in rSeries appliance

Component: F5OS-A

Symptoms:
When a burst of traffic at 100Gb/s is sent to a 10G/25G/40G port, the burst size supported by the rSeries appliance depends on the buffer size. Once the buffer is full, packets are dropped.

Conditions:
-- Use of 10G/25G/40G ports.
-- A 100Gb/s burst of traffic occurs.

Impact:
This results in loss of egress packets.

Workaround:
None


1103001-2 : Tenants fail to come up after a live upgrade from pre-1.1.0 version to 1.1.0 on the r4xxx appliances

Component: F5OS-A

Symptoms:
When a live upgrade is attempted from a pre-1.1.0 release to a 1.1.0 release on the r4xxx series of appliances, the tenants will not come up after the live upgrade.

The symptoms that will be seen are:
ICE driver may not load ( "lsmod | grep -i ice" will not show a line with 'ice' ), no VFs will be created, tenant deployment will fail.

Conditions:
-- An F5OS upgrade is performed on an r4xxx series appliance to version 1.1.0
-- The appliance was running pre-1.1.0 software
-- A license is installed
-- Tenant deployment is attempted

Impact:
Tenant deployment fails after live upgrade as the ICE driver is not loaded.

Workaround:
1. After the live upgrade, check that the tenant is failing to deploy.
2. Check that "lsmod | grep -i ice" does not show a line with 'ice'.
3. Reboot the system.
4. Rerun lsmod. This should now show the ice module line.


1101365-2 : Delay in tenant deployment with tenant image corruption error

Component: F5OS-A

Symptoms:
The system posts an intermediate error message:

Tenant image corrupted - Update the tenant config with proper image.

This error auto-recovers within 20 seconds.

Conditions:
Observed intermittently while bringing up the tenant.

Impact:
There is a delay in tenant deployment with an intermediate error on the CLI console.

Workaround:
None


1100305 : Tcpdump capture of packets with interface-based filtering fails on r5000 and r10000 appliances

Component: F5OS-A

Symptoms:
On r5000 and r10000, running a tcpdump as follows:
appliance-1# system diagnostics tcpdump -nni 1.0

to filter packets traversing interface 1.0 only, will fail.

The error seen will be "errbuf ERROR:Interface configuration failed. Please retry tcpdump: pcap_loop: Interface configuration failed. Please retry."
and the client will terminate.

Retrying the client will not help, contrary to the message.

Conditions:
Tcpdump capture is started on an r5000 and r10000 device and the option to filter packets based on an interface ("-i" option) is chosen.

Impact:
Tcpdump cannot work in the interface filtering mode.
It will operate in the other modes; only the interface filtering option causes it to be unable to start.

Workaround:
1) Start a tcpdump capture with no interface filter
"system diagnostics tcpdump" or
"system diagnostics tcpdump -nni 0.0"

Packets will be captured from all interfaces, and further (non-interface) filters can be used to narrow down capture
For example:
"system diagnostics tcpdump host 1.1.1.1 and port 80" or
"system diagnostics tcpdump vlan 200"

2) Restart the tcpdump container. This would make the -i option available again.


1099437-2 : Nic-manager core file

Component: F5OS-A

Symptoms:
During a power down sequence the l2-agent may generate a core file. The system comes back up without any issue.

Conditions:
System power loss.

Impact:
Core file is generated.

Workaround:
None


1091941 : Tenant running instance status shows some error/warning events in confd

Component: F5OS-A

Symptoms:
Some error/warning events intermittently occur that are related to 'k3s events stale in cluster' inside confd. But the tenant is actually healthy and functional.

Conditions:
Intermittently on system reboots. Tenant status might not be updated in ConfD.

Impact:
The tenant status is incorrect, but the tenant is actually healthy & functional.

Workaround:
None


1086749 : Interface speeds are not reported correctly when linked at a slower speed

Component: F5OS-A

Symptoms:
rSeries 2xxx/4xxx interfaces support linking at certain speeds slower than the portgroup speed, but the interface speed is reported as higher.

For example:
-- A portgroup in 25G mode accepts a 10G SFP and links at 10G. The interface speed is reported as 25G.
-- A portgroup in 25G mode can link at 1G. The interface speed is reported as 25G.
-- A portgroup in 10G mode can link at 1G. The interface speed is reported as 10G.

Conditions:
This occurs when using an SFP that only supports a slower speed, or when connecting a 10G copper port to a 1G capable device.

Impact:
The interface speed reported in the webUI/CLI is higher than the actual link speed.

Workaround:
You can determine the actual link speed using ethtool, for example:

 -- For port 1.0, use ethtool x557_1.
 -- For port 5.0, use ethtool sfp_5.


1086381-2 : Tenant deployment failing with error - "failed to set netlink MAC address: resource temporarily unavailable"

Component: F5OS-A

Symptoms:
Tenant deployment fails with an error -

Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "<id>": [default/virt-launcher-bigiptenant1-1-2ghl7:sriov-net5-bigiptenant1]: error adding container to network "sriov-net5-bigiptenant1": failed to set up pod interface "net9" from the device "sfp_6": failed to set netlink MAC address to 14:a9:d0:02:1a:0f: resource temporarily unavailable

Conditions:
Previous tenant teardown did not clean up the virtual function (VF) MAC address and reset the VF interface.

Impact:
Tenant deployment fails.

Workaround:
Identify the VF number in the PF that has the MAC address issue, then reset the MAC address manually using the ip command.

Example:
ip link set sfp_8 vf 1 mac 00:00:00:00:0d:01


1084549-1 : VLAN sharing isn't allowed on r2000 and r4000 systems

Component: F5OS-A

Symptoms:
This is a product limitation in F5OS-A 1.1.0 on r2000 and r4000 based systems.

These platforms are unable to use the same VLAN for two different tenants, but the F5OS-A software does not prevent you from configuring them.

Conditions:
Assigning an identical VLAN to two different tenants.

Impact:
Same VLAN traffic will not be shared between multiple tenants.

Workaround:
None


1083921-1 : VLAN name change is not allowed once a tenant is launched

Component: F5OS-A

Symptoms:
When you change the VLAN name on an rSeries (R2x00 or R4x00) appliance, the BIG-IP tenant does not honor the name change.

Conditions:
-- One or more tenants are running on an rSeries (R4x00 or R2x00) platform.
-- A VLAN name is changed for a VLAN that is in use by a running tenant.

Impact:
Changing the VLAN name after a tenant is launched and reassigning that VLAN removes the interface in TMM.

Workaround:
Set the VLAN name to the initial name that the tenant used when it was launched. Or, if you need to change the name of the VLAN, delete the tenant and redeploy.


1083561 : Tenant running instance status shows some error/warning events in confd

Component: F5OS-A

Symptoms:
Some error/warning events intermittently occur that are related to "failed to sync cache" inside ConfD. But the tenant is actually healthy and functional.

Conditions:
Intermittently on system reboots. Tenant status might show error messages in ConfD.

Impact:
No impact, tenant is actually healthy and functional.

Workaround:
None


1083061-1 : Loading saved config to BIG-IP fails if host modifications are made after "tmsh save sys config"

Component: F5OS-A

Symptoms:
The configuration load fails with an error similar to the following:

01070257:3: Requested VLAN member (1.5) is currently a trunk member
Unexpected Error: Loading configuration process failed.

Conditions:
-- rSeries 4x00 or R2x00 platform
-- Configuration is backed up using tmsh
-- A change is made to one or more VLANs, interfaces, trunks, or type of VLANs on the host
-- The BIG-IP system loads the configuration

Impact:
Configuration load fails.

Workaround:
On a failure while loading sys config, open the affected configuration file, fix the object that was changed manually, and retry loading the sys config.

For example, if mcpd complains during load sys config that "vlan member 1.x" is not found on vlan-xyz, open the /config/bigip_xxx.conf file, update vlan-xyz with vlan-member 1.x, and retry the config load.


1082513-1 : LACP waitOnAlertFd Errors

Component: F5OS-A

Symptoms:
The system posts error messages in the platform.log:

LacpdHeartBeatsClient::run() waitOnAlertFd Error!

Conditions:
This occurs at startup, reboot, and upgrade.

Impact:
There is no functional impact; you can safely ignore these messages.

Workaround:
None


1080437-1 : VerifyDmesg test failure

Component: F5OS-A

Symptoms:
An error message is seen in the dmesg output:

Failed to allocate irq -2147483648: -107

Conditions:
The error message is sometimes seen after the device finishes restarting or rebooting.

Impact:
The error message does not impact any functionality because, after the IRQ allocation for SMBUS fails, it switches to polling mode.

Workaround:
NA


1063649-1 : Changing the system date to be older than the installation date is not supported.

Component: F5OS-A

Symptoms:
All system self-signed certificates are generated using the installation system date. Changing the date to an older date than the installation date can cause instability.

Conditions:
Setting the system date to be older than the installation date on an rSeries appliance.

Impact:
The system goes into an unstable state.

Workaround:
N/A



