Applies To:
F5OS-A
- 1.1.1
Updated Date: 07/06/2022
F5OS-A Release Information
Version: 1.1.1
Build: 9159
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Functional Change Fixes
None
F5OS-A Fixes
ID Number | Severity | Links to More Info | Description |
1123685-1 | 1-Blocking | | Occasionally Selinux modules are getting corrupted when the system reboots |
1117649-1 | 1-Blocking | | rSeries Appliance inoperable after powering down from Linux while configured for Appliance Mode |
1117277 | 1-Blocking | | Occasional issue observed when tenant deployed on r2xx/r4xx series |
1117237 | 1-Blocking | | FPGA bit files are not updated to the latest version after a live upgrade |
1112141-1 | 1-Blocking | | 10G/25G/40G burst support in rSeries appliance |
1099437-3 | 1-Blocking | | Nic-manager core file |
1121889 | 2-Critical | | Confd encryption key can lockup the tpm module |
1114485-2 | 2-Critical | | K3S cluster goes to unhealthy state when system is rebooted after changing the hostname. |
1117417-1 | 3-Major | | Database config restore failed |
1112533-2 | 3-Major | | Status LED color always stays in amber |
Cumulative fixes from F5OS-A v1.1.0 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description |
1060905 | CVE-2020-10878 | K40508224 | Perl Vulnerability: CVE-2020-10878 |
Functional Change Fixes
None
F5OS-A Fixes
ID Number | Severity | Links to More Info | Description |
1065589 | 1-Blocking | | K3S service does not start after system downgrade. |
1063781 | 1-Blocking | | Duplicate broadcast/multicast packets are sent out a front panel interface. |
1090089-1 | 2-Critical | | NTP service does not work on rSeries appliances |
1080421-1 | 2-Critical | | LACP does not transmit PDU's when creating a LAG |
1078633 | 2-Critical | | Tenant to API gateway communication and unit-key will not work after key rotation |
1064089 | 2-Critical | | Traffic over shared VLANs does not work |
1061149 | 2-Critical | | Libvirt core is generated on system reboot |
1012437-1 | 2-Critical | BT1012437 | Tenant virtual disk is deleted when the tenant running-state is set to "configured." |
991061-2 | 3-Major | | Admin cannot edit the tenant config in Deployed state from GUI if the tenants are created via CLI; downgrading partition or rSeries appliance may leave device inoperative |
987225-3 | 3-Major | | Container hardening |
923609 | 3-Major | | rSeries 5900 Error - Thermal fault detected in hardware |
1097925 | 3-Major | | Resolving CVEs on F5OS-A 1.1.0 |
1084817-1 | 3-Major | | Api-svc-gateway crashes due to certificate issues in confd |
1084581-1 | 3-Major | | Log files collected by QKView are truncated with the newest entries removed |
1083261 | 3-Major | | Invalid DNS search path causes tenants to fail to start |
1082529 | 3-Major | | Delay in SSH login to Appliance management IP |
1080417 | 3-Major | | List of running containers are not captured in host qkview |
1080109-1 | 3-Major | | System reboot or link down/up transition causes packet loss. |
1079697 | 3-Major | | Incorrect link aggregation group (LAG) / trunk information passed to tenant. |
1078149 | 3-Major | | Unable to deploy one tenant when user attempts to deploy 28 tenants on r10800 |
1077785 | 3-Major | | STP errors messages reported in platform.log when global STP is enabled but STP parameters are not configured in interfaces |
1074381 | 3-Major | | Invalid error message in log when 40g transceiver is inserted |
1073553 | 3-Major | | Log rotation does not occur for k3s events. |
1069529-2 | 3-Major | | "Appliance Mode" UI control intermittently will revert your selection back to its configured state when enabling or disabling. |
1069209-1 | 3-Major | | LAG names starting with a digit |
1067765-1 | 3-Major | BT1067765 | VELOS GUI occasionally shows stale content after upgrading |
1067177-2 | 3-Major | | The 'show portgroups portgroup' command is slow when no optical transceivers are plugged into front panel ports. |
1066869-1 | 3-Major | | The r10000 and r5000 platforms may reuse the MAC address for both management and data plane. |
1066817-1 | 3-Major | | Change in the procedure of PXE installation for appliances. |
1066365-1 | 3-Major | | Message of the Day not working for admin user |
1065085 | 3-Major | BT1065085 | MD5 cipher is allowed on RESTCONF port 8888 with FIPS-enabled license. |
1064525-1 | 3-Major | | Interface counters are slow to update |
1064305-2 | 3-Major | BT1064305 | Unable to import VELOS images from the F5 downloads site |
1064125-1 | 3-Major | | Sw_rbcast container restarts on non-fatal errors |
1062021-1 | 3-Major | | Lacpd process continuously restarts after creating a LAG interface with a space. |
1060193 | 3-Major | | e2fsprogs vulnerability: CVE-2019-5188 |
1057145 | 3-Major | | Qkview capture with timeout does not stop capture after timeout |
1057109 | 3-Major | | CUPS Vulnerability: CVE-2017-18190 |
1056705 | 3-Major | | OpenLDAP Vulnerability: CVE-2020-25692 |
1056137 | 3-Major | | zsh Vulnerability: CVE-2019-20044 |
1056129 | 3-Major | | libcups vulnerabilities: CVE-2019-8696 CVE-2019-8675 |
1046221-2 | 3-Major | | SM2 cannot be used for creating self-signed certificates |
1035589-1 | 3-Major | BT1035589 | Source address for TACACS+ server group configuration does not work |
1034093-2 | 3-Major | | protobuf vulnerability: CVE-2021-3121 |
1027009 | 3-Major | | DNS servers attained through DHCP not reflected in confd |
1061281-1 | 4-Minor | | Snd_hda_intel 0000:00:1f.3: no codecs found. |
1060537 | 4-Minor | | Portgroup state set to empty strings when optic removed |
Cumulative fix details for F5OS-A v1.1.1 that are included in this release
991061-2 : Admin cannot edit the tenant config in Deployed state from GUI if the tenants are created via CLI; downgrading partition or rSeries appliance may leave device inoperative
Component: F5OS-A
Symptoms:
Trying to modify a tenant via the GUI or API may not work if the tenant was created via the CLI, and is deployed.
Attempting to downgrade an rSeries appliance from F5OS-A 1.1.0 or above to F5OS-A 1.0.x may fail if the device has any tenants deployed. This leaves the system inoperative, with errors similar to the following in /var/F5/system/log/confd.log:
<CRIT> 5-Jun-2022::03:17:21.056 appliance-1 confd[105]: - CDB: Upgrade failed: Upgrade transaction failed to validate: /f5-tenants:tenants/tenant{otters}/config/storage/size (value "90"): Storage size can be modified only if tenant is in Configured or Provisioned state.
Attempting to downgrade an F5OS-C partition from F5OS-C 1.3.0 or above to F5OS-C 1.2.1 or below may fail if the partition has any tenants deployed. The partition should continue running on the "from" target version.
Conditions:
Admin creates the tenant via CLI and subsequently edits the following tenant config when the running-state is set to Deployed:
-- Scale-up/Scale-down the tenant.
-- Add/Remove VLAN.
Impact:
Admin cannot scale up/scale down the cluster using the GUI if the tenant is initially deployed via CLI.
Downgrades of F5OS-A appliance or F5OS-C partition may fail or leave the system inoperative.
Workaround:
Use the CLI to scale-up/scale-down and add/remove the VLAN to the tenant.
When performing a downgrade, set the tenants to Provisioned first.
987225-3 : Container hardening
Component: F5OS-A
Symptoms:
Access controls on the file list/show command are not enforced as expected.
Conditions:
- Authenticated administrative user
- File list command
Impact:
User may list directories not intended to be exposed.
Workaround:
N/A
Fix:
The file list command now enforces controls as expected
923609 : rSeries 5900 Error - Thermal fault detected in hardware
Component: F5OS-A
Symptoms:
An rSeries 5900 displays the following error message:
"WARNING: Thermal fault detected in hardware"
This issue occurs intermittently on reboot at normal operating temperature. It is a false alarm.
Conditions:
Reboot a device running at operating temperature.
Impact:
Produces alarm message after reboot on the LCD that indicates the device is or has exceeded operating temperature, even when it's operating within normal operating temperature ranges.
Workaround:
None
Fix:
BIOS update fixes faulty thermal threshold configuration code that was causing false thermal event upon reboot.
1123685-1 : Occasionally Selinux modules are getting corrupted when the system reboots
Component: F5OS-A
Symptoms:
On rSeries appliances, if SELinux modules are corrupted:
-> Virt-handler pod crashes continuously.
-> Tenant will be in pending state.
-> semodule file size is 0 in dir "/etc/selinux/targeted/active/modules/400/"
Conditions:
An interruption, such as an abrupt power off, occurs while SELinux modules are being built during system bootup.
Impact:
-> Virt-handler pod is crashing continuously.
-> Tenant functionality is impacted.
Workaround:
None.
Fix:
Identify & remove the corrupted selinux files and rebuild them while system is booting up.
1121889 : Confd encryption key can lockup the tpm module
Component: F5OS-A
Symptoms:
Due to an error that rarely occurs in the HAL layer, the encryption key mechanism can misinterpret the error as a valid identifier for the system. The TPM is then locked using that identifier, and the actual identifier no longer unlocks it.
Conditions:
This happens rarely but when it does, the system-manager cannot read the encryption keys and will not start confd.
It manifests as being unable to start the configuration when attempting to become admin.
Impact:
The system is unusable. Installing a new iso does not help.
The TPM must be cleared to become unlocked. Once the TPM is cleared, a new key is generated, so existing encryptions need to be re-encrypted. This requires that the confd system database be reset-to-default.
Workaround:
The workaround is to do the following:
# docker exec system_manager tpm2_takeownership -c
# docker restart system_manager
# su admin
# config
# (config) system database reset-to-default proceed yes
# exit; exit
# docker restart system_api_svc_gateway
Fix:
Once the fix is in the system, the bogus identifier is ignored and the lockup would be avoided.
Note that the fix does not unlock a locked system. The workaround would have to be applied first.
1117649-1 : rSeries Appliance inoperable after powering down from Linux while configured for Appliance Mode
Component: F5OS-A
Symptoms:
If the rSeries device is powered down from Linux (e.g., using 'halt -p', 'poweroff', or 'shutdown -h now') while in Appliance mode, the device becomes permanently disabled.
In this state, nothing external can be done to power on the Linux host, for example, cycling power, accessing the LCD Power on option, or pressing the Power button.
Trying to access the AOM menu from the serial console reports the following message:
AOM Command Menu - disabled for security purposes.
Conditions:
-- Appliance mode is enabled (this is the state the 'appliance-setup-wizard' wizard sets when it runs to completion).
-- The host is powered down (e.g., using 'halt -p', 'poweroff', or 'shutdown -h now')
Impact:
The AOM command menu is not available to power on the host. A power cycle of the appliance does not power on the host.
The disabled appliance must be replaced.
Workaround:
***Important!***
If the BIG-IP rSeries appliance is configured for Appliance Mode, do not power off the device using commands such as 'halt -p', 'poweroff', or 'shutdown -h now'.
Instead, run 'halt' and then remove power from the system (i.e. unplug, remove power brick, remove power from rack).
Note: If you have already encountered this issue, contact F5 Support :: https://www.f5.com/services/support to request an RMA. For more information, refer to K12882: Overview of the F5 RMA process :: https://support.f5.com/csp/article/K12882 .
Fix:
Appliance Mode no longer disables the AOM menu, allowing access to power on the host command with console access to the appliance.
1117417-1 : Database config restore failed
Component: F5OS-A
Symptoms:
System database config-restore fails when the system images present when the backup was taken do not match the images currently present on the system.
Conditions:
The current system images that are present on the system (show system image) do not match the list of images that are stored in the backup file
Impact:
Config restore fails
Workaround:
None
Fix:
Fixed code to pass config restore
1117277 : Occasional issue observed when tenant deployed on r2xx/r4xx series
Component: F5OS-A
Symptoms:
The r2xx/r4xx appliance interface drivers are not created in time, which leads to tenant deployment failure after a PXE boot, live upgrade, reboot, or port profile change.
Conditions:
Live upgrade from any version to v1.1.1, PXE boot, reboot, or port profile change.
Impact:
Occasionally Tenant deployment fails to come up.
Workaround:
None
1117237 : FPGA bit files are not updated to the latest version after a live upgrade
Component: F5OS-A
Symptoms:
FPGA bit files are not updated to the latest version after a live upgrade.
Conditions:
Live upgrade to an ISO file.
Impact:
Unexpected behavior with tenant and traffic.
Workaround:
Run the following commands from the bash prompt:
1. /bin/systemctl stop appliance_orchestration_manager_container.service
2. /bin/systemctl stop platform-services-deployment.service
3. reboot
Once the system is rebooted, the correct bit files will be installed.
Fix:
Cleaned up the stale/old container volumes before bringing up the new containers.
1114485-2 : K3S cluster goes to unhealthy state when system is rebooted after changing the hostname.
Component: F5OS-A
Symptoms:
When the system hostname is changed and the system is rebooted:
-- System related pods in k3s are stuck in a failure state.
-- The k3s cluster shows more than one node.
Conditions:
The system is rebooted after the hostname is configured in confd.
Impact:
-- K3s cluster goes into an unhealthy state.
-- Tenant functionality is impacted.
Workaround:
None
Fix:
Changing the hostname via confd will not change the system host name.
Configured hostname will get reflected only in the bash and confd prompts.
When no hostname is configured, the bash prompt will have a default PS1 prompt.
1112533-2 : Status LED color always stays in amber
Component: F5OS-A
Symptoms:
The status LED is always amber.
Conditions:
This occurs during normal operation when the status LED should be green.
Impact:
Status LED may not be changed to Green when system is operational.
Workaround:
None
Fix:
Added a diagnostic task that periodically monitors and sets Status LED color to green.
1112141-1 : 10G/25G/40G burst support in rSeries appliance
Component: F5OS-A
Symptoms:
When a burst of traffic at 100Gb/s is sent to a 10G/25G/40G port, the burst size supported by the rSeries appliance depends on the buffer size. Once the buffer is full, packets are dropped.
Conditions:
-- Use of 10G/25G/40G ports.
-- A 100Gb/s burst of traffic occurs.
Impact:
This results in loss of egress packets.
Workaround:
None
Fix:
Improved the burst capability on rSeries appliances when 10G/25G/40G ports are used.
1099437-3 : Nic-manager core file
Component: F5OS-A
Symptoms:
During a power down sequence the l2-agent may generate a core file. The system comes back up without any issue.
Conditions:
System power loss.
Impact:
Core file is generated.
Workaround:
None
Fix:
A fix has been added to detect and prevent creating an l2-agent core file during a power down.
1097925 : Resolving CVEs on F5OS-A 1.1.0
Component: F5OS-A
Symptoms:
F5OS-A 1.1.0 is vulnerable to the CVEs mentioned in the bug.
CVE-2021-27219
CVE-2021-43527
CVE-2022-23852
CVE-2020-10531
CVE-2022-24407
CVE-2018-1000805
CVE-2021-44142
CVE-2020-12321
CVE-2020-24489
CVE-2021-42574
CVE-2020-8625
Impact:
F5OS-A 1.1.0 is vulnerable to the CVEs mentioned in the bug.
1090089-1 : NTP service does not work on rSeries appliances
Component: F5OS-A
Symptoms:
The NTP service does not work on rSeries appliances that run F5OS-A.
Running chronyc ntpdata returns "501 Not authorized"
Conditions:
-- rSeries appliance running F5OS-A
-- NTP configured
Impact:
NTP functionality does not work.
Workaround:
Change the directory ownership to chrony using the following command:
chown chrony:chrony /var/run/chrony
Fix:
Update ownership for "/var/run/chrony" directory and removed unwanted configuration from "chrony.conf".
1084817-1 : Api-svc-gateway crashes due to certificate issues in confd
Component: F5OS-A
Symptoms:
Api-svc-gateway container crashes when a bad self signed certificate or key is published to confd
Conditions:
A corrupted certificate/Key causes the issue
Impact:
Api-svc-gateway service crashes.
Workaround:
Run the following command as a workaround:
(config) # system database reset-to-default proceed
Fix:
When this happens, api-svc-gateway should:
* detect when it cannot set up an SSL connection using these credentials
* log an error
* set health status to unhealthy with appropriate error & severity
* try to start a grpc server with only insecure credentials
1084581-1 : Log files collected by QKView are truncated with the newest entries removed
Component: F5OS-A
Symptoms:
If log files are exceedingly large, they may be truncated when collected by QKView from the 'bottom-up', meaning that the most recent log entries are clipped.
Conditions:
Log files exceed the maximum file size (default 500 MB) specified during QKView creation.
Impact:
Most recent log entries are clipped, making diagnosis difficult.
Workaround:
Collect the log files manually.
Fix:
QKView log files are now truncated 'top-down', preserving the most recent log entries.
1083261 : Invalid DNS search path causes tenants to fail to start
Component: F5OS-A
Symptoms:
Tenants fail to start, with kubevirt virt-launcher pods in a restart loop.
Conditions:
Configuring an invalid DNS search domain to the system.
Impact:
Tenants fail to start, stuck in a "Pending" state
Workaround:
Reconfigure the DNS search domain with valid values.
1082529 : Delay in SSH login to Appliance management IP
Component: F5OS-A
Symptoms:
SSH to Appliance management IP takes time to login
Conditions:
This is an intermittent issue with no specific condition to encounter this issue.
Impact:
Delay in login to Appliance HW
Workaround:
None
Fix:
Fixed code to avoid login delays
1080421-1 : LACP does not transmit PDU's when creating a LAG
Component: F5OS-A
Symptoms:
The LAG interface creation will not be successful and tx packet count in 'show lacp' will be zero.
Conditions:
This issue occurs due to a race condition while creating a LAG interface and is not reproducible every time.
Impact:
Link aggregation of the front panel ports will not work as expected.
Workaround:
1) Clear the newly added LAG configurations:
   a) Remove the LACP interface:
      no lacp interfaces interface <lag-name>
   b) Remove the interfaces from the LAG:
      no interfaces interface <interface> ethernet config aggregate-id
   c) Remove the LAG interface:
      no interfaces interface <lag-interface>
2) Create the LAG interface and add interfaces to the LAG.
Fix:
Fix code to remove the race condition and read lag-type as LACP
1080417 : List of running containers are not captured in host qkview
Component: F5OS-A
Symptoms:
List of running containers are not captured in host qkview
Conditions:
Collect qkview and look for list of containers running on the system from qkview file.
Impact:
Unable to get the list of running containers from qkview
Workaround:
Administrator needs to run 'docker ps' command on the system and share the output with support.
Fix:
Qkview includes list of running containers on the system
1080109-1 : System reboot or link down/up transition causes packet loss.
Component: F5OS-A
Symptoms:
A reboot of the system or a link down/up transition can result in packet loss on the affected front-panel interface(s).
Conditions:
A link down->up transition on a front panel interface or interfaces. Either initiated from the peer side or a system reboot.
Impact:
LACP LAGs can fail to form. Ingress traffic is not received by the tenants.
Workaround:
Reboot the system.
Fix:
Change link down processing to not reset internal hardware state of front panel MACs.
1079697 : Incorrect link aggregation group (LAG) / trunk information passed to tenant.
Component: F5OS-A
Symptoms:
A BIG-IP tenant running on a VELOS system incorrectly reports all "ha-only" trunk objects as up, regardless of the actual status of the trunk.
BIG-IP tenants can also report incorrect status of trunks after the LAG type is changed from LACP to STATIC or vice-versa.
An interface name is displayed as empty when an interface is deleted from a LAG.
As a result of these, high availability (HA) group failover based on trunk status is unreliable and unusable.
Conditions:
-- LAGs configured on F5OS system.
-- Attempting to use high availability (HA) group failover based on trunk status inside BIG-IP tenant.
Impact:
HA group failover based on trunk status is unreliable and unusable for BIG-IP tenants running on an F5OS system.
Workaround:
After configuring a new LAG in the F5OS partition or changing a LAG type from LACP to STATIC or from STATIC to LACP, reboot the traffic blades.
For rSeries devices, the entire device must be restarted.
After rebooting, the ha-group trunk entries should show the expected values when one or more members are missing from the aggregate link.
Fix:
This issue has been corrected.
1078633 : Tenant to API gateway communication and unit-key will not work after key rotation
Component: F5OS-A
Symptoms:
The system-api-svc-gateway fails to decrypt the unit key, crashes, and is unable to communicate with the tenant.
Conditions:
A key migration or rotation is performed in confd: system aaa primary-key
Impact:
Communication between the API gateway and the tenant is disrupted.
Note: If no key-rotation was ever done, this issue does not occur.
Workaround:
To correct the current unit-key issue, invoke the config command:
system database reset-to-default proceed yes
To avoid the issue, disable key-rotation. To prevent key rotation, add the line '/tenants/tenant{%x}/config/unit-key' to the file in the confd-key-migration-mgr container:
/tenants/tenant{%x}/config/unit-key
To do so: ssh as root into the device and do the following:
# docker exec -it confd-key-migration-mgr bash
bash-4.2# echo "/tenants/platform-self-signed-cert/self-signed-key" >> /etc/confd-key-migration/appliance-secure-elem-manifest
bash-4.2# echo "/tenants/tenant{%x}/config/unit-key" >> /etc/confd-key-migration/appliance-secure-elem-manifest
bash-4.2# exit
# docker restart confd-key-migration-mgr
Fix:
The system now adds the line to the manifest file.
Because the unit-key does not get re-encrypted with the new key, after upgrading to a software version containing the fix, run the config command:
system database reset-to-default proceed yes
1078149 : Unable to deploy one tenant when user attempts to deploy 28 tenants on r10800
Component: F5OS-A
Symptoms:
The 28th tenant deployment fails when 28 tenants (each with 1 vCPU) are deployed.
The issue is seen only with an r10800 license.
27 tenants are deployed successfully but the 28th tenant deployment fails.
No issue when one tenant is deployed with 28 vCPUs
Conditions:
Issue is seen in the following conditions
-- System has R10800 license installed
-- You attempt to deploy 28 tenants
-- Each tenant has only 1 vCPU
Impact:
28th tenant is not deployed on r10800.
The max supported tenants on r10800 is 28
1077785 : STP errors messages reported in platform.log when global STP is enabled but STP parameters are not configured in interfaces
Component: F5OS-A
Symptoms:
The VELOS platform.log contains numerous STP error messages:
appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface name" ERRNO=8 ERRNOSTR="badly formatted or nonexistent path".
appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface port-num" ERRNO=8 ERRNOSTR="badly formatted or nonexistent path".
appliance-1 stpd[1]: priority="Err" version=1.0 msgid=0x6102000000000018 msg="Failed to write to cdb" FIELD="Adv Stp Interface port-state" ERRNO=8
Conditions:
The following is the correct sequence of STP configuration.
appliance-1(config)# stp global config enabled-protocol RSTP
appliance-1(config)# stp rstp interfaces interface 1.0 config cost 100;top
appliance-1(config)# stp interfaces interface 1.0 config edge-port EDGE_AUTO link-type P2P ;
appliance-1(config-interface-1.0)# exit
appliance-1(config)# commit;
If the command "stp rstp interfaces interface 1.0 config cost 100;top" is not run, the log messages will occur.
Impact:
VELOS platform.log size will grow at rate of 2MB per minute.
Workaround:
To stop these messages, configure the following:
stp rstp interfaces interface 1.0 config cost 100;top
Fix:
Multiple STP errors messages are no longer logged when not needed.
1074381 : Invalid error message in log when 40g transceiver is inserted
Component: F5OS-A
Symptoms:
An erroneous message is logged when a 40G optic is inserted.
appliance-1 fpgamgr[22]: priority="Err" version=1.0 msgid=0x303000000000013 msg="Unsupported SFP+/SFP28 Optic" portgroup=1.
Conditions:
40G optical transceiver inserted in VELOS or rSeries appliance
Impact:
A log message is logged at the Error level. It can be safely ignored.
Workaround:
None
Fix:
Errant message no longer appears.
1073553 : Log rotation does not occur for k3s events.
Component: F5OS-A
Symptoms:
The k3s_events.log file is not rotated.
Conditions:
K3s provisioning from the OMD is initiated.
Impact:
Most of the system memory is consumed by k3s_events.log and system starts responding slowly.
Workaround:
Manually empty the contents of /var/log/k3s_events.log file from the system.
1069529-2 : "Appliance Mode" UI control intermittently will revert your selection back to its configured state when enabling or disabling.
Component: F5OS-A
Symptoms:
On the SYSTEM SETTINGS/General screen for the rSeries appliance, the "Appliance Mode" Enable/Disable radio button choice will revert back to its configured state when you're attempting to change the configuration prior to saving it.
Conditions:
The Enable/Disable radio button for Appliance Mode will undo your preferred selection when the screen does a periodic poll in the background to refresh state information that is displayed on the SYSTEM SETTINGS/General screen.
Impact:
If you attempt to either enable or disable Appliance Mode and the screen does a periodic polling refresh at the moment you make your desired selection, your selection will be reverted back to the actual current configuration state for Appliance Mode.
Workaround:
The impact is intermittent and only occurs at the precise moment the screen is refreshing its state information --- typically a 10 second interval. Appliance Mode can still be enabled or disabled via the webUI as long as it is within the window the screen is not doing a periodic refresh. Additionally, Appliance Mode can be enabled or disabled from the command line interface (CLI).
Fix:
Periodic polling on the SYSTEM SETTINGS/General screen for rSeries appliances will be disabled or removed.
1069209-1 : LAG names starting with a digit
Component: F5OS-A
Symptoms:
Provisioning a VELOS tenant with a LAG name that begins with a digit can fail.
Conditions:
-- Configuring a LAG with a name that begins with a digit.
-- Provisioning a BIG-IP tenant
Impact:
VELOS tenant fails.
Workaround:
Do not configure LAG names that start with a digit.
Fix:
LAG names with digits are no longer allowed.
1067765-1 : VELOS GUI occasionally shows stale content after upgrading
Links to More Info: BT1067765
Component: F5OS-A
Symptoms:
After upgrading VELOS and reloading a page, the GUI sometimes displays stale content in the browser cache.
Conditions:
After upgrading VELOS software, when the browser cache settings allow caching.
Impact:
Stale content is displayed.
Workaround:
Empty your browser cache and reload the page to display the latest content.
Fix:
This issue is fixed and the correct content is displayed after upgrading.
1067177-2 : The 'show portgroups portgroup' command is slow when no optical transceivers are plugged into front panel ports.
Component: F5OS-A
Symptoms:
The 'show portgroups portgroup' command is slow when no optical transceivers are plugged into front panel ports. This affects the CLI, GUI, and RESTCONF.
Conditions:
R5000 and r1000 platforms with sparsely populated or empty front panel ports.
Impact:
Slow response to portgroup information on unpopulated front panel ports. No functional impact - just slow reporting.
Workaround:
N/A
Fix:
N/A
1066869-1 : The r10000 and r5000 platforms may reuse the MAC address for both management and data plane.
Component: F5OS-A
Symptoms:
The MAC address assigned to the macvlan interface mgmt0-system may also be assigned to a dataplane object: a lag or a tenant.
Conditions:
More than 233 lags or tenants are configured on an r10000 or r5000 platform.
Impact:
If the management interface mgmt0-system and the lag or tenant are on the same broadcast domain, both devices will have communication problems. Duplicate MACs going to different switches will be fine.
Workaround:
The MAC address that will be duplicated is 0xfc offset from the basemac. If a tenant or lag has been assigned basemac+0xfc remove the tenant or lag, reduce the number of lags + tenants to less than 252, then re-create the tenant or lag - checking to make sure the assigned MAC does not use offset 0xfc from the base MAC.
Fix:
The pool of available MAC addresses to be used for tenants or lags on r10000 and r5000 platforms has been reduced from 236 to 233 to ensure unique MACs are supplied for all interfaces, lags and tenants.
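The workaround's MAC check worked through in Python, as an added example that is not F5 code. It assumes the 0xfc offset is added to the base MAC treated as a 48-bit integer; the base MAC, object names and assigned MACs are constructed sample values, and the function names are hypothetical.

```python
import re

MAC_MASK = 0xFFFFFFFFFFFF  # 48 bits


def mac_to_int(mac):
    """Parse aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = re.sub(r'[:.\-]', '', mac.strip())
    if not re.fullmatch(r'[0-9a-fA-F]{12}', digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value):
    """Format a 48-bit integer as lower-case colon-separated octets."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def reserved_mac(base_mac, offset=0xFC):
    """MAC at `offset` from the base MAC (assumed: plain integer addition)."""
    return int_to_mac((mac_to_int(base_mac) + offset) & MAC_MASK)


def find_collisions(base_mac, assigned, offset=0xFC):
    """Names of LAGs/tenants whose assigned MAC equals base MAC + offset."""
    target = mac_to_int(reserved_mac(base_mac, offset))
    return sorted(name for name, mac in assigned.items()
                  if mac_to_int(mac) == target)


# Constructed sample data (locally administered addresses, not real devices).
BASE_MAC = "02:00:00:aa:10:80"
ASSIGNED = {
    "tenant-a": "02:00:00:aa:10:90",
    "lag-uplink": "02-00-00-AA-11-7C",   # base + 0xfc, carries into the next octet
    "tenant-b": "0200.00aa.1101",
}

if __name__ == "__main__":
    print("address to avoid:", reserved_mac(BASE_MAC))
    for name in find_collisions(BASE_MAC, ASSIGNED):
        print("remove and re-create:", name)
```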
1066817-1 : Change in the procedure of PXE installation for appliances.
Component: F5OS-A
Symptoms:
There is a change in the procedure of PXE installation for appliances, defined at
https://techdocs.f5.com/en-us/f5os-a-1-0-0/f5-rseries-systems-installation-upgrade/title-install-upgrade-software.html#clean-install
Conditions:
After PXE install, the ISO needs to be copied to /var/export/chassis/import/iso folder before doing any other import activities.
Impact:
If this step is skipped, issues will occur with the software import and upgrade process.
Workaround:
None
Fix:
Fixed an issue with the documentation.
1066365-1 : Message of the Day not working for admin user
Component: F5OS-A
Symptoms:
Message of the Day (MOTD) is not displayed when the admin user logs in to BIG-IP Next.
Conditions:
Message of the day (MOTD) is configured on the BIG-IP Next.
Impact:
Admin users do not see the MOTD banner when they log in.
Workaround:
None
Fix:
MOTD is now displayed if configured.
1065589 : K3S service does not start after system downgrade.
Component: F5OS-A
Symptoms:
During tenant deployment, the "compute" pod fails to come up.
Multiple kubehelper pods will be triggered.
Conditions:
This can occur after a downgrade.
Impact:
Tenant deployments fail.
Workaround:
1) manually delete the script /var/F5/system/apigw-tenant-helper.sh before the downgrade
2) If you forget to delete the script (step 1), recovery options are
a) remove the file and reboot the system
b) perform a bare metal install
Fix:
N/A
1065085 : MD5 cipher is allowed on RESTCONF port 8888 with FIPS-enabled license.
Links to More Info: BT1065085
Component: F5OS-A
Symptoms:
When a FIPS-enabled license is installed on the system, some MD5 ciphers are allowed on RESTCONF port 8888, when they should not be allowed.
Conditions:
The command "openssl s_client -connect <mgmt-ip>:8888 -cipher MD5" returns a valid certificate.
Impact:
MD5 SSLCipher continues to work on port 8888 on both system controller and chassis partition management IP addresses.
Workaround:
None
Fix:
Removed MD5 SSLCipherSuites from ssl.conf when a FIPS-enabled license is installed on the system.
1064525-1 : Interface counters are slow to update
Component: F5OS-A
Symptoms:
Interface counters do not immediately reflect traffic activity.
Conditions:
Normal user traffic
Impact:
Interface counters may not reflect the exact amount of traffic due to being slow to update.
Fix:
Increase counter polling frequency.
1064305-2 : Unable to import VELOS images from the F5 downloads site
Links to More Info: BT1064305
Component: F5OS-A
Symptoms:
Importing images from the F5 downloads site using the VELOS GUI fails.
Conditions:
-- Using direct links to the VELOS image on the F5 downloads site.
-- The URL contains a query string with parameters.
Impact:
The VELOS system fails to download the image from the F5 downloads site.
Workaround:
Use the confd CLI to download the file:
1. Using your web browser, navigate to the appropriate "Select a Download" screen for the file that you wish to download directly to the VELOS system
2. Copy the URL for the file
3. Use the file import command, ensuring that you put the remote-url value in quotation marks, for example:
syscon-1-active# file import remote-url "https://downloads07.f5.com/esd/download.sv?loc=downloads07.f5.com/downloads/53b686a5-d1cc-484d-af8b-5decd705d174/F5OS-C-1.2.2-12471.CONTROLLER.iso" local-file images/staging/
To check the download status, run the following command:
file transfer-status
Fix:
You can now import VELOS images from the F5 downloads site.
1064125-1 : Sw_rbcast container restarts on non-fatal errors
Component: F5OS-A
Symptoms:
VELOS logs indicate a disconnect and restart of the sw_rbcast container:
appliance-1 sw-rbcast[20]: priority="Notice" version=1.0 msgid=0x6903000000000003 msg="Software Rebroadcaster disconnected from Host DMA-Agent." error=3.
appliance-1 sw-rbcast[20]: priority="Info" version=1.0 msgid=0x6903000000000002 msg="Software Rebroadcaster connected to Host DMA-Agent".
Conditions:
High volume (> 200k packets/second) of broadcast traffic.
Impact:
None. The container restarts and continues to process traffic.
Workaround:
None
Fix:
Container no longer restarts for non-fatal errors.
1064089 : Traffic over shared VLANs does not work
Component: F5OS-A
Symptoms:
When two tenants share a VLAN, ARP replies from the tenants are not forwarded to the front-panel interfaces.
Conditions:
Two tenants sharing a VLAN
Impact:
Traffic does not work over shared VLANs
Fix:
Program service DAG entries into the ATSE-NSE logic.
1063781 : Duplicate broadcast/multicast packets are sent out a front panel interface.
Component: F5OS-A
Symptoms:
Clients may report 'duplicate response' due to multiple copies of the same broadcast/multicast packet.
Conditions:
Tenant generated broadcast/multicast traffic destined to a front-panel interface.
Impact:
No functional impact. Clients may report 'duplicate response' messages.
Fix:
Correct hardware programming to only send one copy of broadcast/multicast out a front-panel interface.
1062021-1 : Lacpd process continuously restarts after creating a LAG interface with a space.&start;
Component: F5OS-A
Symptoms:
The lacpd service restarts when the LAG name contains a space.
The tenant does not get the LAG name and shows a null value instead:
[root@localhost:Active:Standalone] config # tmsh list net trunk
net trunk "" {
    cfg-mbr-count 2
    distribution-hash src-dst-mac
    id 0
    interfaces {
        1.0
        2.0
    }
    stp disabled
    type ha-only
    working-mbr-count 2
}
Conditions:
LAG name contains a space.
Example : "lacp lag"
appliance-1(config)# interfaces interface "lacp lag" config type ieee8023adLag
Impact:
1. Lacpd service restarts.
2. BIG-IP tenant does not get the trunk name.
Note: In the case of a live upgrade from an EA to a GA release, any LAG created with a space in its name will not work. You will need to either delete these LAGs or do a bare metal install before performing the live upgrade.
Workaround:
Do not create a LAG with a space in its name.
Fix:
N/A
1061281-1 : Snd_hda_intel 0000:00:1f.3: no codecs found.
Component: F5OS-A
Symptoms:
During a reboot, error messages related to snd_hda_intel are logged:
"snd_hda_intel 0000:00:1f.3: no codecs found!"
Conditions:
This occurs during a reboot of an rSeries appliance.
Impact:
No functional impact, the error can be safely ignored.
Workaround:
N/A
Fix:
An erroneous error message has been suppressed.
1061149 : Libvirt core is generated on system reboot
Component: F5OS-A
Symptoms:
A flawed core file is intermittently generated on system reboot, but the tenant is actually healthy and functional after reboot.
Conditions:
Intermittently on system reboots.
Impact:
A libvirt core file is generated, but the tenant is actually healthy and functional.
Workaround:
None
Fix:
No impact on functionality. No user action is expected.
1060905 : Perl Vulnerability: CVE-2020-10878
Links to More Info: K40508224
1060537 : Portgroup state set to empty strings when optic removed
Component: F5OS-A
Symptoms:
When an optical transceiver is removed from a front panel port, the portgroup state information in confd is set to empty strings.
Conditions:
Physical removal of an optical transceiver in VELOS or rSeries
Impact:
Empty string is returned to REST call for portgroups/portgroup/state information when optic is removed.
Fix:
When an optical transceiver is removed from a front panel port, the portgroup state is completely removed and will not show up in confd at all.
1060193 : e2fsprogs vulnerability: CVE-2019-5188
Component: F5OS-A
Symptoms:
A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
Conditions:
- A specially crafted ext4 directory
Impact:
- Code execution via e2fsck
Workaround:
N/A
Fix:
e2fsprogs updated to mitigate CVE-2019-5188
1057145 : Qkview capture with timeout does not stop capture after timeout
Component: F5OS-A
Symptoms:
Qkview capture does not stop when the timeout value expires.
Qkview ignores the timeout setting and proceeds with collection.
Conditions:
Timeout value is exceeded in the qkview capture command
Impact:
Qkview does not stop capture after the timeout expires
Workaround:
Invoke qkview cancel command to stop the capture manually after the timeout value.
`system diagnostics qkview cancel`
Fix:
Timeout is handled correctly to stop qkview capture after timeout.
1057109 : CUPS Vulnerability: CVE-2017-18190
Component: F5OS-A
Symptoms:
A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
Conditions:
- localhost.localdomain whitelist entry
- Unsafe DNS results for localhost.localdomain
Impact:
Remote attackers can execute IPP commands
Workaround:
N/A
Fix:
CUPS has been updated to mitigate CVE-2017-18190
1056705 : OpenLDAP Vulnerability: CVE-2020-25692
Component: F5OS-A
Symptoms:
This flaw allows a remote, unauthenticated attacker to crash the slapd process by sending a specially crafted request, causing a denial of service. The highest threat from this vulnerability is to system availability.
Conditions:
- LDAP request for renaming RDNs
Impact:
OpenLDAP slapd crashes on what seems to be a null-ptr-dereference after receiving a malicious TCP packet.
Workaround:
N/A
Fix:
OpenLDAP updated to mitigate CVE-2020-25692
1056137 : zsh Vulnerability: CVE-2019-20044
Component: F5OS-A
Symptoms:
A flaw was found in zsh. When unsetting the PRIVILEGED option, the shell sets its effective user and group IDs to match their respective real IDs
Conditions:
When the RUID and EUID were both non-zero, it is possible to regain the shell's former privileges.
Impact:
Insecure dropping of privileges when unsetting PRIVILEGED option
Workaround:
N/A
Fix:
Updated zsh to mitigate CVE-2019-20044
1056129 : libcups vulnerabilities: CVE-2019-8696 CVE-2019-8675
Component: F5OS-A
Symptoms:
A stack-buffer-overflow was found in libcups's asn1_* functions
Conditions:
- Certificate usage within libcups
Impact:
Stack buffer overflow
Workaround:
N/A
Fix:
libcups updated to mitigate CVE-2019-8696 CVE-2019-8675
1046221-2 : SM2 cannot be used for creating self-signed certificates
Component: F5OS-A
Symptoms:
When creating a self-signed certificate, VELOS returns an error.
The create self-signed certificate function allows for elliptic curves but does not work for 'SM2'.
Conditions:
When requesting a certificate using type ec, the curve name SM2 can be selected.
Impact:
Attempting to use SM2 curve name results in an error.
Workaround:
Outside confd you can create the SM2 key using:
/usr/bin/openssl ecparam -genkey -name SM2
The key can then be entered using system-aaa-tls-config-key and subsequently used to create a CSR.
The self-signed certificate would need to be created using openssl commands and entered manually if it is to be stored.
Fix:
The SM2 curve name can now be used like all the other ec curve names.
1035589-1 : Source address for TACACS+ server group configuration does not work
Links to More Info: BT1035589
Component: F5OS-A
Symptoms:
Attempting to set the source-address for a TACACS+ server group configuration might fail or might not work as expected.
Conditions:
Attempt to configure source-address for TACACS+ server group.
Impact:
No functional impact, as the source-address isn't used.
Workaround:
The source-address is not used by the TACACS+ client. Do not configure source-address.
Fix:
The source-address config element is now removed for TACACS+ server-group configuration.
1034093-2 : protobuf vulnerability: CVE-2021-3121
Component: F5OS-A
Symptoms:
A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects.
Conditions:
- Unmarshalling protobuf objects
Impact:
This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability.
Workaround:
N/A
Fix:
Protobuf updated to mitigate CVE-2021-3121
1027009 : DNS servers attained through DHCP not reflected in confd
Component: F5OS-A
Symptoms:
When DHCP is enabled on the management interface, DNS servers are obtained from the DHCP server. The 'show system dns' command in confd does not show the DNS entries obtained from the DHCP server.
Conditions:
Enable DHCP on the management interface from confd
Impact:
DNS server IPs fetched dynamically by the DHCP server are not displayed by confd
Workaround:
None
Fix:
Fixed code to update confd with DNS server IP addresses when DHCP is enabled on the management interface
1012437-1 : Tenant virtual disk is deleted when the tenant running-state is set to "configured."
Links to More Info: BT1012437
Component: F5OS-A
Symptoms:
A VELOS tenant's virtual-disk is deleted when the tenant running-state is set back to "configured" after having been "deployed." This behavior differs from vCMP.
It is recommended that you set the tenant running-state to "provisioned" in order to stop the running tenant.
Conditions:
Tenant running-state changed from "deployed" to "configured."
Impact:
Virtual disk is deleted, resulting in loss of tenant configuration.
Workaround:
Fixed. No workaround needed.
Fix:
The system no longer deletes the virtual disk when the state is changed from deployed to configured.
Known Issues in F5OS-A v1.1.x
F5OS-A Issues
ID Number | Severity | Links to More Info | Description |
1083061-1 | 1-Blocking | | Loading saved config to BIG-IP fails if host modifications are made after "tmsh save sys config" |
1121793 | 2-Critical | | System goes into inoperative state when downgraded from 1.1.1 to 1.0.1 without moving the tenant to configured state |
1117621 | 2-Critical | | After an appliance upgrade from 1.0.1 to 1.1.1, a tenant in Provisioned state may show inconsistent CLI status&start; |
1086381-2 | 2-Critical | | Tenant deployment failing with error - "failed to set netlink MAC address: resource temporarily unavailable" |
1084549-1 | 2-Critical | | VLAN sharing isn't allowed on r2000 and r4000 systems |
1123121-1 | 3-Major | | Occasional issue with tenant deployment after live upgrade on R2xx/R4xx series |
1103001-2 | 3-Major | | Tenants fail to come up after a liveupgrade from pre-1.1.0 version to 1.1.0 on the r4xxx appliances&start; |
1101365-2 | 3-Major | | User experiences delay in tenant deployment with tenant image corruption error |
1100305 | 3-Major | | Tcpdump capture of packets with interface based filtering fails on R5000 & R10000 appliances |
1091941 | 3-Major | | Tenant running instance status shows some error/warning events in confd |
1086749 | 3-Major | | Interface speeds are not reported correctly when linked at a slower speed |
1083921-1 | 3-Major | | VLAN name change is not allowed once a tenant is launched. |
1083561 | 3-Major | | Tenant running instance status shows some error/warning events in confd |
1082513-1 | 3-Major | | LACP waitOnAlertFd Errors |
1063649-1 | 3-Major | | Changing the system date to be older than the installation date is not supported. |
1122941-1 | 4-Minor | | Port-profile changes when tenants are in the deployed state |
Known Issue details for F5OS-A v1.1.x
1123121-1 : Occasional issue with tenant deployment after live upgrade on R2xx/R4xx series
Component: F5OS-A
Symptoms:
Interface drivers are not created, leading to tenant deployment failure after a live upgrade
Conditions:
Live upgrade from version 1.1.0 to version 1.1.1
Impact:
Tenant deployment fails occasionally
Workaround:
Rebooting the device solves the issue
1122941-1 : Port-profile changes when tenants are in the deployed state
Component: F5OS-A
Symptoms:
Port-profile changes are not being blocked when tenant(s) are in the deployed state.
Conditions:
Tenants in the deployed state
Impact:
Tenants may not come up after the system reboots.
Workaround:
The tenant running state for any tenant in the deployed state must be moved to provisioned and back to deployed. Then the tenant will come up and function properly.
1121793 : System goes into inoperative state when downgraded from 1.1.1 to 1.0.1 without moving the tenant to configured state
Component: F5OS-A
Symptoms:
The system goes into an inoperative state when it is downgraded from F5OS-A version 1.1.1 to 1.0.1 without first moving the tenant to a configured state
Conditions:
When downgraded from 1.1.1 to 1.0.1 without moving the tenant to the configured state
Impact:
System becomes inoperative.
Workaround:
1. rm /var/F5/system/confd/*.cdb
2. reboot
Note: This removes all the system configuration
1117621 : After an appliance upgrade from 1.0.1 to 1.1.1, a tenant in Provisioned state may show inconsistent CLI status&start;
Component: F5OS-A
Symptoms:
After an appliance upgrade from 1.0.1 to 1.1.1, if the running-state of a tenant is configured in the Provisioned state, the operational status of the tenant may oscillate between "Ready to deploy" and "Allocating resources to the tenant is in progress" state in the partition CLI status.
Conditions:
A race condition exists after an appliance upgrade from 1.0.1 to 1.1.1, that may display an inaccurate tenant operational state when the tenant is configured as Provisioned.
Impact:
The tenant state constantly changes.
Workaround:
Configure the running-state of the tenant to Deployed.
1103001-2 : Tenants fail to come up after a liveupgrade from pre-1.1.0 version to 1.1.0 on the r4xxx appliances&start;
Component: F5OS-A
Symptoms:
When a live upgrade is attempted from a pre 1.1.0 release to a 1.1.0 release on the r4xxx series of appliances, the tenants will not come up after the live upgrade.
The symptoms that will be seen are:
The ICE driver may not load ("lsmod | grep -i ice" will not show a line with 'ice'), no VFs will be created, and tenant deployment will fail.
Conditions:
-- An F5OS upgrade is performed on an r4xxx series appliance to version 1.1.0
-- The appliance was running pre-1.1.0 software
-- A license is installed
-- Tenant deployment is attempted
Impact:
Tenant deployment fails after live upgrade as the ICE driver is not loaded.
Workaround:
1. After the live upgrade, check that the tenant is failing to deploy.
2. Check that "lsmod | grep -i ice" does not show a line with 'ice'.
3. Reboot the system.
4. Rerun lsmod. It should now show the ice module line.
1101365-2 : User experiences delay in tenant deployment with tenant image corruption error
Component: F5OS-A
Symptoms:
The user observes an intermediate error message stating "Tenant image corrupted - Update the tenant config with proper image." This error will be auto-recovered within 20 seconds.
Conditions:
Observed in 1.2.0 while bringing up the tenant.
Impact:
User experiences a delay in tenant deployment with an intermediate error on the CLI console.
1100305 : Tcpdump capture of packets with interface based filtering fails on R5000 & R10000 appliances
Component: F5OS-A
Symptoms:
On R5000 & R10000, running a tcpdump as follows:
appliance-1# system diagnostics tcpdump -nni 1.0
to filter packets traversing interface 1.0 only, will fail.
The following error is displayed and the client terminates:
errbuf ERROR:Interface configuration failed. Please retry
tcpdump: pcap_loop: Interface configuration failed. Please retry
Contrary to the message, retrying the client does not help.
Conditions:
Tcpdump capture is started on an R5000 or R10000 device and the option to filter packets based on an interface (the "-i" option) is chosen.
Impact:
Tcpdump cannot work in the interface filtering mode.
It operates in the other modes; only the interface filtering option prevents it from starting.
Workaround:
1) Start a tcpdump capture with no interface filter
"system diagnostics tcpdump" or
"system diagnostics tcpdump -nni 0.0"
Packets will be captured from all interfaces, and further (non-interface) filters can be used to narrow down the capture.
For example:
"system diagnostics tcpdump host 1.1.1.1 and port 80" or
"system diagnostics tcpdump vlan 200"
2) Restart the tcpdump container. This would make the -i option available again.
1091941 : Tenant running instance status shows some error/warning events in confd
Component: F5OS-A
Symptoms:
Some error/warning events intermittently occur that are related to 'k3s events stale in cluster' inside confd. But the tenant is actually healthy and functional.
Conditions:
Intermittently on system reboots. Tenant status might not be updated in confd.
Impact:
The tenant status is incorrect, but the tenant is actually healthy & functional.
Workaround:
None
1086749 : Interface speeds are not reported correctly when linked at a slower speed
Component: F5OS-A
Symptoms:
rSeries 2xxx/4xxx interfaces support linking at certain speeds slower than the portgroup speed, but the interface speed is reported as higher.
For example:
-- A portgroup in 25G mode accepts a 10G SFP and links at 10G. The interface speed is reported as 25G.
-- A portgroup in 25G mode can link at 1G. The interface speed is reported as 25G.
-- A portgroup in 10G mode can link at 1G. The interface speed is reported as 10G.
Conditions:
This occurs when using an SFP that only supports a slower speed, or when connecting a 10G copper port to a 1G capable device.
Impact:
The interface speed reported in the GUI/CLI is higher than the actual link speed.
Workaround:
You can determine the actual link speed using ethtool, for example:
-- For port 1.0, use ethtool x557_1.
-- For port 5.0, use ethtool sfp_5.
1086381-2 : Tenant deployment failing with error - "failed to set netlink MAC address: resource temporarily unavailable"
Component: F5OS-A
Symptoms:
Tenant deployment fails with an error -
Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "<id>": [default/virt-launcher-bigiptenant1-1-2ghl7:sriov-net5-bigiptenant1]: error adding container to network "sriov-net5-bigiptenant1": failed to set up pod interface "net9" from the device "sfp_6": failed to set netlink MAC address to 14:a9:d0:02:1a:0f: resource temporarily unavailable
Conditions:
A previous tenant teardown did not clean up the virtual function (VF) MAC address and reset the VF interface.
Impact:
Tenant deployment fails.
Workaround:
Identify the VF number in the PF that has the MAC address issue, then reset the MAC address manually using the ip command.
Example:
ip link set sfp_8 vf 1 mac 00:00:00:00:0d:01
1084549-1 : VLAN sharing isn't allowed on r2000 and r4000 systems
Component: F5OS-A
Symptoms:
This is a product limitation in F5OS-A 1.1.0 on r2000 and r4000 based systems.
These platforms are unable to use the same VLAN for two different tenants, but the F5OS-A software does not prevent you from configuring them.
Conditions:
Assigning an identical VLAN to two different tenants.
Impact:
Same VLAN traffic will not be shared between multiple tenants.
Workaround:
None
1083921-1 : VLAN name change is not allowed once a tenant is launched.
Component: F5OS-A
Symptoms:
When you change the VLAN name on an rSeries (R2x00 or R4x00) appliance, the BIG-IP tenant does not honor the name change.
Conditions:
-- One or more tenants are running on an rSeries (R4x00 or R2x00) platform.
-- A VLAN name is changed for a VLAN that is in use by a running tenant.
Impact:
Changing the VLAN name after a tenant is launched and reassigning that VLAN removes the interface in TMM.
Workaround:
Set the VLAN name to the initial name that the tenant used when it was launched. Or, if you need to change the name of the VLAN, delete the tenant and redeploy.
1083561 : Tenant running instance status shows some error/warning events in confd
Component: F5OS-A
Symptoms:
Some error/warning events intermittently occur that are related to 'failed to sync cache' inside confd. But the tenant is actually healthy and functional.
Conditions:
Intermittently on system reboots. Tenant status might show error messages in confd.
Impact:
No impact, tenant is actually healthy & functional.
Workaround:
None
1083061-1 : Loading saved config to BIG-IP fails if host modifications are made after "tmsh save sys config"
Component: F5OS-A
Symptoms:
The configuration load fails with an error similar to the following:
01070257:3: Requested VLAN member (1.5) is currently a trunk member
Unexpected Error: Loading configuration process failed.
Conditions:
-- rSeries 4x00 or R2x00 platform
-- Configuration is backed up using tmsh
-- A change is made to one or more VLANs, interfaces, trunks, or type of VLANs on the host
-- The BIG-IP system loads the configuration
Impact:
Configuration load fails.
Workaround:
On a failure while loading sys config, open the affected configuration file, fix the object that was changed manually, and retry loading the sys config.
For example, if mcpd complains during load sys config that "vlan member 1.x" is not found on vlan-xyz, open the /config/bigip_xxx.conf file, update vlan-xyz with vlan-member 1.x, and retry the config load.
1082513-1 : LACP waitOnAlertFd Errors
Component: F5OS-A
Symptoms:
The system posts error messages in the platform.log:
LacpdHeartBeatsClient::run() waitOnAlertFd Error!
Conditions:
This occurs at startup, reboot, and upgrade.
Impact:
There is no functional impact; you can safely ignore these messages.
Workaround:
None
1063649-1 : Changing the system date to be older than the installation date is not supported.
Component: F5OS-A
Symptoms:
All system self-signed certificates are generated using the installation system date. Changing the date to an older date than the installation date can cause instability.
Conditions:
Setting the system date to be older than the installation date on an rSeries appliance.
Impact:
The system goes into an unstable state.
Workaround:
N/A
&start; This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade