Supplemental Document : F5OS-A 1.3.1 Fixes and Known Issues Release Notes

Applies To:

Show Versions Show Versions

F5OS-A

  • 1.3.1
Updated Date: 12/06/2022

F5OS-A Release Information

Version: 1.3.1
Build: 8863

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes


Cumulative fixes from F5OS-A v1.3.0 that are included in this release
Known Issues in F5OS-A v1.3.x

Functional Change Fixes

None


F5OS-A Fixes

ID Number Severity Links to More Info Description
1185369-1 1-Blocking   F5OS rSeries appliances will not launch tenants after upgrade to F5OS-A 1.3.0
1190969-1 2-Critical   Memory leak in system-image-agent service



Cumulative fixes from F5OS-A v1.3.0 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description
1075693-1 CVE-2021-22543 K01217337 CVE-2021-22543 Linux Kernel Vulnerability


Functional Change Fixes

ID Number Severity Links to More Info Description
1144177-1 3-Major   CLI idle-time is not persistently configurable
1122593-1 3-Major   No options to control system power via LCD menu


F5OS-A Fixes

ID Number Severity Links to More Info Description
1173853 1-Blocking   Packet loss caused by failure of internal hardware bus
1169193 1-Blocking   Unable to move tenants to provisioned or configured state with storage size specified as 76 in 1.2.0 after upgrading from 1.2.0 to 1.3.0
1141801 1-Blocking   F5OS-A Intel CPU vulnerability CVE-2021-33060
1135125 1-Blocking   Reading data from wrong socket leads to LACPD restart.
1123685 1-Blocking   Occasionally Selinux modules are getting corrupted when the system reboots
1121889-2 1-Blocking   ConfD encryption key can lock up the TPM module
1117277-2 1-Blocking   Occasional issue observed when tenant deployed on r2xxx/r4xxx series
1117237-2 1-Blocking   FPGA bit files are not updated to the latest version after a live upgrade
1112141-2 1-Blocking   10G/25G/40G burst support in rSeries appliance
1169341-1 2-Critical   Using MAC Masquerade in a BIG-IP tenant causes traffic issues when re-deploying the tenant
1166277 2-Critical   System downgrade is not possible with tenants in deployed state.
1162609 2-Critical   F5 r2600/r2800/r4600/r4800 devices unable to establish LACP link or send LLDP to some switches
1145753 2-Critical   QKView obfuscation step can cause excessive disk usage
1141577 2-Critical   WebUI Crashes When a New SSL/TLS Private Key is Generated
1137121 2-Critical   Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0
1136361 2-Critical   RJ45 interface links once at 1G
1136213 2-Critical   Network Manager crashes while processing an L2 Listener Request on R2x00 or R4x00
1135849-1 2-Critical   telemetry.db grew to 50G and caused error "database disk image is malformed"
1135661-2 2-Critical   Ability to configure LDAP chase-referrals option
1135233-1 2-Critical BT1135233 Updating LDAP configuration on Auth Settings screen on the webUI fails to preserve the existing bind password
1134737 2-Critical   CVE-2021-42740 - The shell-quote package before 1.7.3 for Node.js allows command injection
1134729 2-Critical   CVE-2022-0686 - Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8
1134725 2-Critical   CVE-2020-15256 - Prototype pollution vulnerability found in `object-path` <= 0.11.4
1134721 2-Critical   CVE-2021-44906 - Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js
1134717 2-Critical   CVE-2021-23436 - Package immer before 9.0.6. has a type confusion issue
1134705 2-Critical   CVE-2021-26707 - The merge-deep library before 3.0.3 for Node.js can be tricked
1134701 2-Critical   CVE-2022-0691 - Authorization Bypass Through User-Controlled Key in NPM url-parse
1134685 2-Critical   CVE-2022-1650 - Exposure of Sensitive Information to an Unauthorized Actor in GitHub...
1134681 2-Critical   CVE-2021-3757 - immer is vulnerable to Improperly Controlled Modification of Object Prototype...
1134677 2-Critical   CVE-2021-42581 - ** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier
1134673 2-Critical   CVE-2021-3918 - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype...
1132733-1 2-Critical BT1132733 LDAP config tried to configure blank bind password
1131993 2-Critical   Not able to set severity from CLI/webUI for some services.
1125761 2-Critical   appliance-orch-manager coredump
1117649-2 2-Critical   rSeries Appliance inoperable after powering down from Linux while configured for Appliance mode
1117621-2 2-Critical   After an appliance upgrade from 1.0.1 to 1.1.1, a tenant in Provisioned state may show inconsistent CLI status
1117461 2-Critical   CVE-2021-3538 satori/go.uuid: predictable UUIDs generated via insecure randomness
1116869-1 2-Critical   Tcpdump on F5OS does not capture packets of certain sizes
1116185-1 2-Critical   Removing multiple images simultaneously from the webUI causes an error
1114485-1 2-Critical   K3s cluster goes to unhealthy state when system is rebooted after changing hostname.
1111549-1 2-Critical BT1111549 System import functionality is unstable if PXE install source is not imported
1109021-2 2-Critical BT1109021 CLI commands are not logged in audit.log
1108509 2-Critical   Unable to fetch appliance fan speed using SNMP
1105001-1 2-Critical BT1105001 Large tar/gz/iso file download via the restconf API fails.
1101237-1 2-Critical   When configured for SNMP, the system does not properly report a sysObjectID for the F5OS system
1099437-1 2-Critical   Nic-manager core file
1099197 2-Critical   Packet loss caused by failure of internal hardware bus
1090753 2-Critical   NSO and ASW XBAR packet drops on 10G, 25G, and 40G interfaces.
1090521 2-Critical BT1090521 Tenant deployment may fail if the memory configured is an odd number.
1090089 2-Critical   NTP service does not work on rSeries appliances
1088565-1 2-Critical BT1088565 Various services may stop working on a system controller if the LCD is malfunctioning
1085925-1 2-Critical   SSH connection cannot be allowed/blocked based on source IP address
1072209-3 2-Critical BT1072209 Packets are dropped on VELOS when a masquerade MAC is on a shared VLAN
1055329-2 2-Critical BT1055329 VLAN shared between two tenants might not pass traffic to tenant with non-default CMP hash.
945537-2 3-Major BT945537 STP Validation for forward-delay, max-age, and hello-time fields
1166201-1 3-Major   Opensource Updates
1154129 3-Major   Missing port-speed option for management interface on Appliance
1145841 3-Major   WebUI fails to delete an LACP LAG that does not have the corresponding LACP interface
1143769 3-Major   Updating LDAP configuration on Auth Settings screen on the webUI having no TLS key updates it to empty string.
1141753 3-Major   User manager containers should not mount /var/log/tally as /tmp
1141593 3-Major   tmstat-merged log messages for invalid argument
1137725 3-Major   nslcd start/run script may fail or log alarming messages
1137669 3-Major   Potential mis-forwarding of packets caused by stale internal hardware acceleration configuration
1137309 3-Major   NSLCD does not restart if it dies or exits
1136829-1 3-Major BT1136829 Blank server error popup appears over unauthorized popup for operator user
1136777 3-Major   Monitoring agent service is missing telemetry inputs after its restart
1135865 3-Major   Remotely authenticated user who is a member of multiple roles that include invalid roles is not allowed to log in
1135861 3-Major   Remote user with no valid role is allowed to log in.
1135281-1 3-Major BT1135281 Blank LDAP tls_key causes error
1134733 3-Major   CVE-2021-37701 - Vulnerability in the npm package "tar" (aka node-tar)
1134713 3-Major   CVE-2020-7660 - arbitrary code injection in serialize-javascript prior to 3.1.0
1134709 3-Major   CVE-2021-23434 - A type confusion vulnerability in object-path before 0.11.6.
1134697 3-Major   CVE-2018-19827 - In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr Class
1134693 3-Major   CVE-2021-32804 - Insufficient path sanitization in node-tar
1134689 3-Major   CVE-2021-37713 - node-tar file creation/overwrite vulnerability
1134669 3-Major   CVE-2021-32803 - node-tar uses insufficient symlink protection
1134665 3-Major   CVE-2018-11698 - An out-of-bounds discovered in LibSass through 3.5.4.
1134649 3-Major   CVE-2021-37712 - node-tar file creation/overwrite vulnerability
1134633 3-Major   CVE-2018-11694 - A NULL pointer dereference issue in LibSass through 3.5.4.
1134289 3-Major   Diagnostic Controller Panic messages getting logged in platform.log at startup
1134141 3-Major   Uploading qkview to iHealth may fail on long iHealth user names
1134033 3-Major   Continuous Diagnostic Controller Event Queue errors are printed in platform.log
1132973 3-Major   Live upgrade to F5OS-A-1.3.0 will not work if STP is not configured correctly.
1132617 3-Major   WS-2021-0200 - DoS in YAML from versions v2.2.0 to v2.2.2
1125349-1 3-Major BT1125349 Changing the root password in appliance mode is unlocking root account
1123329 3-Major   Tagged LLDP PDUs (VLAN ID 1) are sent on appliance devices.
1117577 3-Major   Management interface is not accessible if core system daemons are not running
1117417-2 3-Major   Database config restore failed on rSeries appliance
1114437 3-Major   Ambiguous error message when user configures duplicate IP port combination
1114369 3-Major   Error log "Failed to execute iptable cmd: ," getting generated when trying to add same port to allow list
1114173 3-Major   LOP Controller RX error: unknown
1112533-1 3-Major   Status LED color always stays amber
1112229-1 3-Major   File download API changes to support file download from the webUI
1111533 3-Major   PSU status undeterminable under "show system events" output
1111237-1 3-Major BT1111237 Logrotate parameters do not get updated by software upgrade
1110429-1 3-Major BT1110429 Duplicate service-instance entries in chassis partition
1109029-1 3-Major   Host Logs in F5OS-A not being rotated
1106881-3 3-Major BT1106881 F5OS with an AFM license provisioned may provide incorrect AFM stats to a BIG-IP tenant
1104569 3-Major   On upgrading, the correct webUI changes are not reflected
1104541 3-Major   MIBs directory content is not accessible
1103001 3-Major   Tenants fail to come up after a live upgrade from pre-1.1.0 version to 1.1.0 on the r4xxx appliances
1101365 3-Major   Delay in tenant deployment with tenant image corruption error
1100305-2 3-Major   Tcpdump capture of packets with interface-based filtering fails on r5000 and r10000 appliances
1099469 3-Major   Control plane starvation on a fully loaded rSeries system
1097925-1 3-Major   Resolving CVEs on F5OS-A 1.1.0
1097833 3-Major BT1097833 Debug messages logged in platform.log
1092049 3-Major   CVE-2020-7774 - The package y18n before 3.2.2, 4.0.1 and 5.0.5, allows unsafe operations.
1091641-2 3-Major BT1091641 NTP (chrony) packet authentication is not fully implemented on VELOS
1090145-1 3-Major BT1090145 VLAN-Listener incorrectly updated on Network Manager component restart
1089721 3-Major   Prefix length support to allow multiple IP addresses
1086749-1 3-Major   Interface speeds are not reported correctly when linked at a slower speed
1085149-1 3-Major   Customer requires auth token session to be configurable
1084817-3 3-Major BT1084817 Container api-svc-gateway crashes due to certificate issues partition database
1083993-1 3-Major BT1083993 File import should check that the target doesn't exist
1083077-1 3-Major   LACP trunks are not configured automatically in BIG-IP tenant running on F5OS chassis/appliances
1082513 3-Major   LACP waitOnAlertFd Errors
1077149-1 3-Major   The fpga-tables CLI command results in syntax error in configuration mode
1075361-1 3-Major   Messages log has a very high number of "error" and "fail" entries
1074093 3-Major   Admin console is displayed when SSH login with a new root user
1074001 3-Major   service:overall-health attribute reports OK when the service state is unhealthy
1073581-2 3-Major BT1073581 Removing a 'patch' version of services might remove the associated 'base' version as well
1062765-1 3-Major   Tenant Status shows error "Insufficient f5.com/qat"
1062309-1 3-Major   "Failed unmounting" errors during shutdown.
1056453-1 3-Major   Tenant datapath will not work if the tenant is named "stpd".
1053793-1 3-Major   QKView list and status results are difficult to parse
1040461-3 3-Major BT1040461 Permissions of some QKView control files do not follow standards
1137889-1 4-Minor BT1137889 CLI "show interfaces summary" command doesn't provide a summary
1134957 4-Minor   ldapsearch not available to use on F5OS devices
1134625-1 4-Minor BT1134625 webUI session timeout popup referring to browser time instead of server time
1132745 4-Minor   Improve user readability during file upload on partition or controller
1116169 4-Minor   WebUI does not inform users that file transfer status may take some time to return depending on various factors like network speed
1104745-1 4-Minor   Request for a webUI option to clear/reset the STP mode configuration
1102137-2 4-Minor   Diagnostics ihealth upload qkview-file does not auto-complete with available qkview file names
1096885-1 4-Minor   Tenant image filename with special characters allowed to import, but tenant deployment fails
1137361 5-Cosmetic   Enabling LDAP may produce a log message with the usage help for the kill command

 

Cumulative fix details for F5OS-A v1.3.1 that are included in this release

945537-2 : STP Validation for forward-delay, max-age, and hello-time fields

Links to More Info: BT945537

Component: F5OS-A

Symptoms:
One or more forwarding-delay, max-age, or hello-time fields are configured and are not mirrored as operational data, or

One or more forwarding-delay, max-age, or hello-time fields are configured, and the configuration is not reflected in the spanning-tree BPDUs.

Conditions:
When configuring STP, use this formula for the forwarding-delay, max-age, and hello-time fields for STP, RSTP, and MSTP configurations:

2 * (hello-time + 1)) <= max-age && max-age <= (2 * (forwarding-delay - 1

Impact:
Any configuration that does not match the expected formula will not propagate to spanning tree BPDUs.

Workaround:
Configure the forward-delay, max-age, and hello-time fields using this formula:

2 * (hello-time + 1)) <= max-age && max-age <= (2 * (forwarding-delay - 1

Fix:
Fixed an issue where a user could configure the forward-delay, max-age, and hello-time fields for STP so that the expected formula was not met. Entering an invalid configuration displays an error.


1190969-1 : Memory leak in system-image-agent service

Component: F5OS-A

Symptoms:
Memory usage by system-image-agent is sometimes higher than expected.

Conditions:
When system-image-agent service is idle, there is a periodic memory leak. Rate of leak increases with the repeated image management related operations.

Impact:
Memory usage goes higher than expected, which eventually crashes the appliance.

Workaround:
No workaround.

Fix:
Leak scenarios have been fixed.


1185369-1 : F5OS rSeries appliances will not launch tenants after upgrade to F5OS-A 1.3.0

Component: F5OS-A

Symptoms:
After an upgrade to F5OS-A 1.3.0, the system will not be able to deploy tenants. Even if the system software is reverted to the previous version, the issue remains.

The system may report a tenant status such as the following:

- Tenant deployment failed - Server is not responding
- 0/1 nodes are available: 1 node(s) didn't match Pod's node affinity/selector.

The "show cluster cluster-status" command will report that the cluster is not ready:

cluster cluster-status summary-status "1 Appliance is NOT ready, K3S cluster is NOT ready."

There will be error messages in /var/log/messages that mention "x509: certificate signed by unknown authority", for instance:

k3s: E1102 16:50:48.340717 44106 kuberuntime_manager.go:790] "CreatePodSandbox for pod failed" err="rpc error: code = Unknown desc = failed to setup network for sandbox \"5ba7aa29305335ce0b6a87b48a570b292f90e1f42f2a2b4ae4fff90a96a55df7\": Multus: [kube-system/klipper-lb-8cht8]: error getting pod: Get \"https://[100.75.0.1]:443/api/v1/namespaces/kube-system/pods/klipper-lb-8cht8?timeout=1m0s\": x509: certificate signed by unknown authority" pod="kube-system/klipper-lb-8cht8"

Conditions:
- F5OS rSeries appliance
- System upgraded to F5OS-A 1.3.0 for the first time

Impact:
The system is unable to deploy tenants. Even if the system is reverted to the previous software version, the issue remains and the system will be unable to launch tenants.

Workaround:
Once a system is affected, the fix is to reinstall the Kubernetes cluster. This procedure will take about 10 minutes and will not affect the configuration or data of the tenants.

1. Log in to the rSeries appliance CLI with the root account.

2. To identify if the setup is in an error state, check for the string “x509: certificate signed by unknown authority” in /var/log/messages, or K3S cluster is not healthy and running.

3. Change all deployed tenants to a provisioned state.

4. Stop the appliance_orchestration_manager service by running the following command:

systemctl stop appliance_orchestration_manager_container

5. Uninstall K3S by running the following commands:

k3s-uninstall.sh
rm /var/omd/* /tmp/omd/tokens/* /tmp/omd/appliance-ansible-host

6. Start the appliance_orchestration_manager service by running the following command:

systemctl start appliance_orchestration_manager_container

7. Wait about 10 minutes.

8. From the F5OS CLI (log in as admin), check the cluster status:

    show cluster install-status ; show cluster cluster-status

The cluster-status should be "K3S cluster is initialized and ready for use".

From a root shell, check that "kubectl get pods -A" shows running containers in both the "kube-system" and "kubevirt" namespaces.

Fix:
N/A


1173853 : Packet loss caused by failure of internal hardware bus

Component: F5OS-A

Symptoms:
All or 50% of from-network packets arriving at a front panel port are dropped in hardware prior to delivery to tenant(s) running on the CPU. Packet loss is caused by CRC errors on an internal bus connecting two hardware components leading to eventual failure of the bus.

Conditions:
Issue occurs randomly, but is most commonly seen soon after bootup when packets first start to be handled by fastL4 hardware acceleration, hardware per-virtual server syn cookie protection, or AFM hardware protection.

Impact:
Total loss of from-network to CPU packets on r5900, r5800, and r5600 appliances, and either total loss or loss of 50% of from-network to CPU packets on r10900, r10800, and r10600 appliances. The r4800, r4600, r2800, and r2600 appliances are unaffected.

Workaround:
Reboot the appliance and disable fastL4 acceleration, per-virtual syn cookie hardware protection, and AFM hardware protection before re-enabling ingress traffic.

Fix:
This issue has been corrected.


1169341-1 : Using MAC Masquerade in a BIG-IP tenant causes traffic issues when re-deploying the tenant

Component: F5OS-A

Symptoms:
If the tenant has configured MAC Masquerade, when the tenant is moved to a Configured or Provisioned state, then back to Deployed, the tenant may experience loss of traffic.

Conditions:
The tenant has configured MAC Masquerade and redeploys the tenant.

Impact:
The tenant may experience loss of datapath traffic.

Workaround:
N/A

Fix:
Using MAC Masquerade in a BIG-IP tenant no longer causes traffic issues.


1169193 : Unable to move tenants to provisioned or configured state with storage size specified as 76 in 1.2.0 after upgrading from 1.2.0 to 1.3.0

Component: F5OS-A

Symptoms:
Not able to move tenants to a provisioned or configured state with storage size specified with 76GB in 1.2.0 and moved to 1.3.0.

Conditions:
Deploy tenant in 1.2.0 with 76GB specified storage size and upgrade the F5OS to 1.3.0 and try to change running state of tenant to configured or provisioned.

Impact:
Once upgraded to 1.3.0 will not be able to change running state of tenant to provisioned or configured. In deployed state it is not possible to resize.

Workaround:
When tenant running state is being updated to provisioned or configured, the storage size must be greater than the default size of that image.

Fix:
Tenants can be moved to provisioned or configured state.


1166277 : System downgrade is not possible with tenants in deployed state.

Component: F5OS-A

Symptoms:
Tenants stuck in pending phase or tenant pods are missing.

Conditions:
Tenants deployed in 1.3.0 will be stuck in the pending phase when the system is downgraded to 1.2.0.

Impact:
Tenants will not be in a running state.

Workaround:
Move tenants to configured/provisioned state.


1166201-1 : Opensource Updates

Component: F5OS-A

Symptoms:
Opensource libraries used in previous versions were potentially susceptible to:
CVE-2016-4658
CVE-2017-18342
CVE-2018-25032
CVE-2019-15605
CVE-2019-17498
CVE-2019-20044
CVE-2020-10531
CVE-2020-12321
CVE-2020-24489
CVE-2020-25710
CVE-2020-8625
CVE-2021-20233
CVE-2021-20271
CVE-2021-2388
CVE-2021-25214
CVE-2021-25217
CVE-2021-27219
CVE-2021-27803
CVE-2021-30465
CVE-2021-3156
CVE-2021-3538
CVE-2021-3621
CVE-2021-4034
CVE-2021-42574
CVE-2021-43527
CVE-2021-44142
CVE-2022-1227
CVE-2022-1271
CVE-2022-23852
CVE-2022-24407
CVE-2022-24903
CVE-2022-2526
CVE-2022-2738
CVE-2022-29154
CVE-2022-34169
CVE-2022-40674
CVE-20919-8696

Conditions:
This addresses different problems. Multiple common vulnerabilities are fixed.

Impact:
Strengthens System Security

Fix:
Multiple common vulnerabilities are fixed to make system more secure.

RPM libraries have been upgraded to the following versions.
rpm-4.11.3-48.el7_9.x86_64
rpm-build-libs-4.11.3-48.el7_9.x86_64
rpm-libs-4.11.3-48.el7_9.x86_64
rpm-python-4.11.3-48.el7_9.x86_64
rsync-3.1.2-11.el7_9.x86_64
java-1.8.0-openjdk-headless-1:1.8.0.342.b07-1.el7_9.x86_64
tzdata-2022a-1.el7.noarch
tzdata-java-2022a-1.el7.noarch
systemd-219-78.el7_9.7.x86_64
systemd-libs-219-78.el7_9.7.x86_64
systemd-sysv-219-78.el7_9.7.x86_64
podman-1.6.4-36.el7_9.x86_64
runc-1.0.0-69.rc10.el7_9.x86_64
expat-2.1.0-15.el7_9.x86_64


1162609 : F5 r2600/r2800/r4600/r4800 devices unable to establish LACP link or send LLDP to some switches

Component: F5OS-A

Symptoms:
LACP and LLDP messages transmitted from an F5OS r2x00/r4x00 appliance to a peer switch have an incorrect length, and are ignored by some switches.

This can result in LACP aggregate links configured between an F5OS appliance and peer switch to fail to establish.

For example, Extreme Networks switches may produce a message similar to this:

<Erro:LACP.RxPDUSizExcd> Slot-2: Received PDU LACP size exceeded. Incoming Port: 1:1 PDU size: 132 required size: 128

Juniper hardware may produce messages similar to this:

kernel: xe-1/1/1: received pdu - length mismatch for lacp : len 128, pdu 124 like 1

LLDP packets sent from the F5OS device may not be accepted or correctly interpreted by the connected switch.

Conditions:
-- rSeries r2600/r2800/r4600/r4800-series appliance

-- LACP trunk (aggregate link) configured
(or)
-- LLDP advertising enabled

Impact:
Unable to establish an LACP trunk between the F5OS r2600/r2800/r4600/r4800 and a network switch.

Workaround:
Configure the LAG using a static configuration (that is, no LACP) on both sides, if possible.

Fix:
Fixed code to trim extra 4 bytes going in the BPDUs.


1154129 : Missing port-speed option for management interface on Appliance

Component: F5OS-A

Symptoms:
There is no option to change the port speed on the management interface of the Appliance through the CLI. An error displays when you attempt to disable auto-negotiation or when you try to change the port speed from the webUI (after disabling from
the CLI).

Conditions:
Always

Impact:
Port speed cannot be configured for the management interface on Appliance.

Workaround:
No workaround.

Fix:
Current schema changes allow port speed to be configured for management interface on Appliance.


1145841 : WebUI fails to delete an LACP LAG that does not have the corresponding LACP interface

Component: F5OS-A

Symptoms:
WebUI fails to delete an LACP LAG that does not have the corresponding LACP interface.

Conditions:
The LACP interface for the LACP LAG does not exist.

Impact:
Unable to delete the LAG on webUI.

Workaround:
Users can either delete the LAG from the CLI or create the LACP interface for the LAG and then delete it from webUI.

Fix:
With this fix, the user will be able to delete an LACP LAG even if it does not have the corresponding LACP interface.


1145753 : QKView obfuscation step can cause excessive disk usage

Component: F5OS-A

Symptoms:
QKView performs the obfuscation steps for capturing files, which can create temporary files the same size as the captured files. If a sufficiently large file is captured, this may cause a disk full error.

Conditions:
QKView captures a very large file and obfuscates it.

Impact:
System may be unusable.

Workaround:
Before executing QKView, scan the system for extraordinarily large log files and delete them. One example is telemetry.db.

Fix:
This bug fix truncates the file to a maximum size of 0.5 GB (or a size defined by the maxfilesize argument) before performing obfuscation. This limits the chance for a disk full error.


1144177-1 : CLI idle-time is not persistently configurable

Component: F5OS-A

Symptoms:
The default CLI idle-timeout is set in a non-user-modifiable configuration file, and must be set each time the user logs in.

Conditions:
The user desires to set an persistent idle-timeout to a value other than the pre-set default, or to disable it.

Impact:
User cannot select a default idle-timeout other than the predefined default.

Workaround:
None.

Fix:
A configuration setting has been added to the configuration database as "system settings config idle-timeout" so that the administrator can configure a default idle-timeout for the CLI. The setting applies to the particular system instance (controller, partition, or appliance).

Behavior Change:
Administrator can configure the default CLI timeout value, so that it applies to all user sessions.


1143769 : Updating LDAP configuration on Auth Settings screen on the webUI having no TLS key updates it to empty string.

Component: F5OS-A

Symptoms:
When the LDAP configuration on Auth Settings is updated via the webUI, with TLS key not previously configured, it is updated to be an empty string. This is resulting in empty string encryption.

Conditions:
Add/Modify LDAP configuration on Auth Settings screen.

Impact:
TLS key is set to empty string and is encrypted.

Workaround:
One of the following:

-- Use the F5OS CLI to modify authentication settings, rather than using the webUI.

-- Use the webUI to edit authentication settings only when the TLS key is already configured, meaning, there is an encrypted value already present in TLS key field.

Fix:
Updating LDAP configuration when the TLS key is not configured will not create a TLS key with empty string.


1141801 : F5OS-A Intel CPU vulnerability CVE-2021-33060

Component: F5OS-A

Symptoms:
There are no visible symptoms.

Conditions:
The issue is present in BIOS versions 2.00.114.1 and earlier.

Impact:
Out-of-bounds write in the BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access. (CVE-2021-33060)

Workaround:
As local access is required to exploit this vulnerability, you can mitigate this by restricting access to the affected F5 product (on the host OS and in a container or tenant) to only trusted users.

Fix:
Resolve Intel CPU vulnerability CVE-2021-33060


1141753 : User manager containers should not mount /var/log/tally as /tmp

Component: F5OS-A

Symptoms:
Unnecessary files left in /var/log.

Conditions:
When qkview is captured.

Impact:
Unnecessary files left in /var/log and collected by qkview as a result of a container using /var/log/tally as a temporary space.

Workaround:
N/A

Fix:
User manager does not mount /var/log/tally anymore.


1141593 : tmstat-merged log messages for invalid argument

Component: F5OS-A

Symptoms:
Repeated log messages from tmstat-agent about invalid arguments from fzmq_handle_to_socket_thread_safe.

Conditions:
VELOS appliance.

Impact:
Fills log files and could obcsure or roll over more important log messages.

Workaround:
N/A

Fix:
Not relevant to appliances.


1141577 : WebUI Crashes When a New SSL/TLS Private Key is Generated

Component: F5OS-A

Symptoms:
The webUI crashes when a new SSL/TLS certificate is created in the Certificate Management tab.

The HTTP server has to restart to read the newly-created private keys(encrypted or un encrypted) from a configuration file. Before the HTTP server restarts, all active client connections will be closed. This will cause the webUI to crash, and the server will be unreachable temporarily.

Conditions:
No configuration changes required.

Impact:
webUI crashes and the TCP connection with the HTTP server will be closed.

Workaround:
The user has to reestablish the connection to the server after waiting a few seconds.

Fix:
No fix required.


1137889-1 : CLI "show interfaces summary" command doesn't provide a summary

Links to More Info: BT1137889

Component: F5OS-A

Symptoms:
The "show interfaces" command is quite cluttered when displaying the state of both physical and virtual (aggregate) interfaces, making it difficult to get a high-level summary of all interfaces.

The "show interfaces interface full" command displays a confusing subset of interface states, when the intent of "full" was to display all state fields, including the duplicate "name" column.

Conditions:
The administrator attempts to use the "show interfaces" command to diagnose networking problems.

Impact:
Difficult to diagnose interface configuration/connectivity problems.

Workaround:
None

Fix:
The new "summary" option for "show interfaces" displays a brief subset of the most important interface state information.

appliance-1# show interfaces interface state summary
                                     OPER
NAME TYPE MTU ENABLED STATUS
---------------------------------------------
1.0 ethernetCsmacd 9600 true UP
2.0 ethernetCsmacd 9600 true UP
3.0 ethernetCsmacd 9600 true UP
4.0 ethernetCsmacd 9600 true UP
5.0 ethernetCsmacd 9600 true UP
6.0 ethernetCsmacd 9600 true UP
7.0 ethernetCsmacd 9600 true UP
8.0 ethernetCsmacd 9600 true UP
mgmt ethernetCsmacd - true UP


1137725 : nslcd start/run script may fail or log alarming messages

Component: F5OS-A

Symptoms:
The script that watches and restarts the nslcd process could sometimes fail to do so, and would sometimes log messages that appeared alarming.

Conditions:
Changing authentication settings that affect nslcd.

Impact:
The messages were benign, but the occasional failure to restart nslcd on config change could cause authentication changes to fail to propagate to the running process.

Workaround:
Restarting the name-service-ldap container is likely to solve the issue.

Fix:
The nslcd start/run script was rewritten to minimize alarming log messages and reliably start and restart the process when expected.


1137669 : Potential mis-forwarding of packets caused by stale internal hardware acceleration configuration

Component: F5OS-A

Symptoms:
Because configuration entries added to the internal ePVA hardware acceleration tables may become stuck, packets arriving from front panel ports may be handled by stale entries resulting in unexpected forwarding behavior. The stale entries may also prevent TMM from offloading new connections to ePVA.

Conditions:
The most likely cause for entries to become stuck is either a reboot of tenant or restart of TMM while it has active connections offloaded to ePVA without also rebooting the entire appliance.

Impact:
Packets may be forwarded to unexpected destinations, and/or new connections are unable to be offloaded to ePVA.

Workaround:
Don't reboot or restart TMM without also rebooting the entire appliance.

Fix:
Packets are behaving as expected.


1137361 : Enabling LDAP may produce a log message with the usage help for the kill command

Component: F5OS-A

Symptoms:
If the nslcd process is being restarted but was not previously running, this message could be issued.

Conditions:
The nslcd process is being restarted because of a configuration change but was not previously running.

Impact:
Alarming log messages. Potential failure to restart nslcd, resulting in failures in remote authentication.

Workaround:
Restarting the name-service-ldap container is likely to resolve the issue.

Fix:
The nslcd run/start script was rewritten to make it more robust, while reducing the chance for unnecessarily alarming log messages.


1137309 : NSLCD does not restart if it dies or exits

Component: F5OS-A

Symptoms:
If the NSLCD process is terminated for any reason, the process is not restarted.

Conditions:
LDAP authentication is enabled and the NSLCD process is terminated or unexpectedly exits.

Impact:
LDAP authentication will be unavailable.

Workaround:
The process can be restarted by manually restarting the container using the command docker restart name-service-ldap.

Fix:
The NSLCD process will now restart if it is terminated.


1137121 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0

Component: F5OS-A

Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".

Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.

Impact:
Tenants will not start and are unusable.

Workaround:
To work around this issue, perform one of these actions:

1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".

Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.


1136829-1 : Blank server error popup appears over unauthorized popup for operator user

Links to More Info: BT1136829

Component: F5OS-A

Symptoms:
When an operator user performs any operation that makes a REST call that is unauthorized for the operator role, a blank server error popup appears behind the unauthorized popup.

Conditions:
When the logged in user is in an operator role and performs an unauthorized action.

Impact:
A blank server error popup is seen behind an unauthorized popup, which is unnecessary.

Workaround:
NA

Fix:
Tested that only the unauthorized popup is visible when the operator user performs any unauthorized action.


1136777 : Monitoring agent service is missing telemetry inputs after its restart

Component: F5OS-A

Symptoms:
When diagnostic event queue is getting flooded due to watch dog closure issue, we are seeing failure in telemetry input reload.

Conditions:
Only seen when the diagnostic event log gets flooded due to watch dog closure issue and followed by monitoring service restart.

Impact:
Diagnostic agent service will not get any latest measurements.

Workaround:
N/A

Fix:
Monitoring agent service is reloading all telemetry inputs after its restart.


1136361 : RJ45 interface links once at 1G

Component: F5OS-A

Symptoms:
The RJ45 interfaces on F5 r2000 and r4000 platforms link at 1G only once. If the link goes down, the interfaces cannot reestablish a link at 1G.

Conditions:
When an RJ45 interface that is 10G/1G capable is connected to a 1G port on F5 r2000 and r4000 platforms.

Impact:
The RJ45 interface won't achieve a link.

Workaround:
To clear the no-link condition, reboot or power cycle the platform. The RJ45 link will then come up at 1G, but only once.

Fix:
The RJ45 interfaces on F5 r2000 and r4000 platforms are now able to re-establish a 1G link.


1136213 : Network Manager crashes while processing an L2 Listener Request on R2x00 or R4x00

Component: F5OS-A

Symptoms:
Network Manager crashes and a core file will be generated asynchronously.

Conditions:
When an L2 Listener Request is received on the platform, which is not expected to be received in the case of R2x00 or R4x00 platforms.

Impact:
Network Manager crashes generating a core file.

Workaround:
N/A

Fix:
Network Manager no longer crashes.


1135865 : Remotely authenticated user who is a member of multiple roles that include invalid roles is not allowed to log in

Component: F5OS-A

Symptoms:
Users on systems have a role assigned to them. This role is one of a predefined set which includes the admin role. A remote user with multiple roles, some of which are not in this predefined set, is configured on a remote authentication server (LDAP, tacplus or RADIUS). Such a user was treated different based on mode of access (GUI or ssh) and the remote authentication method. Sometimes the user can log in, sometimes not.

Conditions:
A user has to configured on a remote authentication server (LDAP, tacplus or RADIUS) with multiple group IDs, some of which are not assigned to any role in our system.
That remote authentication method has to be configured as an authentication method on our system.
User supplies the correct password and tries to log in. The user may or may not be allowed into the system, depending on method of access and remote authentication method.

Impact:
When a remote user has multiple roles which include invalid roles, the behavior of the system was inconsistent.

Workaround:
Removing the invalid group ID from the remote server will fix the issue.

Fix:
When a remote user belongs to multiple roles, some of which are invalid ones, only the valid roles are considered for authorization. Also, this is consistently done across methods of access (GUI, ssh, etc.) and across all remote authentication methods (LDAP, tacplus, RADIUS, etc.).


1135861 : Remote user with no valid role is allowed to log in.

Component: F5OS-A

Symptoms:
Under certain circumstances when remote authentication (ldap, tacplus, or radius) is configured, a remote user may be able to log in with low privileges when they should not.

Conditions:
An improperly configured user profile.
Remote authentication configured on F5OS.

Impact:
A User without a valid role is let into the system with low privileges.

Workaround:
None

Fix:
Only users with valid group per /etc/group will be allowed


1135849-1 : telemetry.db grew to 50G and caused error "database disk image is malformed"

Component: F5OS-A

Symptoms:
As we received multiple RAS events continuously while monitoring, the telemetry.db size grew to 50G.

Conditions:
If the hardware is in issue state, we can see more events getting generated, which will increase the telemetry.db size.

Impact:
File system will not be accessible as telemetry.db is consuming more space.

Workaround:
Delete the telemetry.db file and restart the platform-monitor service.

Fix:
This fix truncates the telemetry.db to a size of 500 MB or less.


1135661-2 : Ability to configure LDAP chase-referrals option

Component: F5OS-A

Symptoms:
By default, our LDAP implementation was set to chase LDAP referrals. This could be expensive and make lookups very slow in large organizations with multiple layers of LDAP servers.

Conditions:
LDAP enabled in very large LDAP organizations with multiple levels of servers.

Impact:
The default of chasing referrals in the above conditions could result in slow LDAP lookups and timeouts.

Fix:
A chase referrals option was added to LDAP configuration. The default is still enabled, but now it can be easily disabled:
system aaa authentication ldap chase-referrals false


1135281-1 : Blank LDAP tls_key causes error

Links to More Info: BT1135281

Component: F5OS-A

Symptoms:
When using the CLI or older webUI, it was possible to enter an "empty" tls_key. This would cause nslcd to be incorrectly configured.

Conditions:
LDAP configured. Blank LDAP tls_key entered:
system aaa authentication ldap tls_key ""

Impact:
A blank tls_key would fail to work correctly when configuring authentication or talking to the LDAP server.

Workaround:
Explicitly set the bind password to unset:
no system aaa authentication ldap tls_key

Fix:
Fixed authentication so any form of "empty" tls_key results in the tls_key being unset.


1135233-1 : Updating LDAP configuration on Auth Settings screen on the webUI fails to preserve the existing bind password

Links to More Info: BT1135233

Component: F5OS-A

Symptoms:
When the LDAP configuration on Auth Settings is updated via webUI, the unchanged/existing bind password is replaced by an empty string, resulting in LDAP authentication failure.

Conditions:
Modify existing LDAP configuration on Auth Settings screen.

Impact:
Bind password is not preserved.

Workaround:
One of the following:

-- Use the F5OS CLI to modify authentication settings, rather than using the webUI.

-- When editing authentication settings in the webUI, always re-enter the bind password.

Fix:
Updating LDAP configuration preserves existing/unchanged bind password, will not result in LDAP authentication failure.


1135125 : Reading data from wrong socket leads to LACPD restart.

Component: F5OS-A

Symptoms:
Reading an update from the ConfD subscription socket
leads to LACPD container restart.

Conditions:
Reading an update from the ConfD subscription socket.

Impact:
This issue leads to LACPD container restart.

Workaround:
N/A

Fix:
Read data from read socket, not from subscription socket.


1134957 : ldapsearch not available to use on F5OS devices

Component: F5OS-A

Symptoms:
ldapsearch is a crucial utility for troubleshooting LDAP remote authentication. However, it wasn't available on any F5OS devices, and therefore, couldn't be utilized.

Conditions:
The utility could not be found searching on the base OS using the command: "find / -name '*ldapsearch*'"

It also could not be found within the name-service-ldap container, using the command: "docker exec -it name-service-ldap ldapsearch"

Impact:
Troubleshooting is made more difficult.

Fix:
ldapsearch has now been installed and can be accessed using the name-service-ldap container. To do this, you can run the command: "docker exec -it name-service-ldap bash".


1134737 : CVE-2021-42740 - The shell-quote package before 1.7.3 for Node.js allows command injection

Component: F5OS-A

Symptoms:
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded to shell-quote version 1.7.3.


1134733 : CVE-2021-37701 - Vulnerability in the npm package "tar" (aka node-tar)

Component: F5OS-A

Symptoms:
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/` characters as path separators, however `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded to tar v6.1.11.


1134729 : CVE-2022-0686 - Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8

Component: F5OS-A

Symptoms:
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded url-parse to v1.5.10.


1134725 : CVE-2020-15256 - Prototype pollution vulnerability found in `object-path` <= 0.11.4

Component: F5OS-A

Symptoms:
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the `includeInheritedProps: true` options or the `withInheritedProps` instance if using a version >= 0.11.0.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded react-scripts to version 4.0.0 which doesn't require object-path.


1134721 : CVE-2021-44906 - Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js

Component: F5OS-A

Symptoms:
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded minimist to version 1.2.6.


1134717 : CVE-2021-23436 - Package immer before 9.0.6. has a type confusion issue

Component: F5OS-A

Symptoms:
This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded immer to version 9.0.6.


1134713 : CVE-2020-7660 - arbitrary code injection in serialize-javascript prior to 3.1.0

Component: F5OS-A

Symptoms:
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded 'react-scripts' to version 4.0.0 which uses 'serialize-javascript' versions - 4.0.0 and 5.0.1.


1134709 : CVE-2021-23434 - A type confusion vulnerability in object-path before 0.11.6.

Component: F5OS-A

Symptoms:
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded react-scripts to version 4.0.0 which do not require object-path.


1134705 : CVE-2021-26707 - The merge-deep library before 3.0.3 for Node.js can be tricked

Component: F5OS-A

Symptoms:
The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded react-scripts to v4.0.0 which don't require merge-deep dependency.


1134701 : CVE-2022-0691 - Authorization Bypass Through User-Controlled Key in NPM url-parse

Component: F5OS-A

Symptoms:
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded to url-parse v1.5.10


1134697 : CVE-2018-19827 - In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr Class

Component: F5OS-A

Symptoms:
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service or possibly have another unspecified impact.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Replaced node-sass with sass.


1134693 : CVE-2021-32804 - Insufficient path sanitization in node-tar

Component: F5OS-A

Symptoms:
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded tar to version 6.1.11.


1134689 : CVE-2021-37713 - node-tar file creation/overwrite vulnerability

Component: F5OS-A

Symptoms:
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\path`. If the drive letter does not match the extraction target, for example `D:\extraction\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded to tar v6.1.11.


1134685 : CVE-2022-1650 - Exposure of Sensitive Information to an Unauthorized Actor in GitHub...

Component: F5OS-A

Symptoms:
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded eventsource to v1.1.2.


1134681 : CVE-2021-3757 - immer is vulnerable to Improperly Controlled Modification of Object Prototype...

Component: F5OS-A

Symptoms:
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded immer to v9.0.6.


1134677 : CVE-2021-42581 - ** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier

Component: F5OS-A

Symptoms:
** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded Ramda to 0.27.1.


1134673 : CVE-2021-3918 - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype...

Component: F5OS-A

Symptoms:
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Replaced node-sass with sass which doesn't require json-schema dependency.


1134669 : CVE-2021-32803 - node-tar uses insufficient symlink protection

Component: F5OS-A

Symptoms:
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded to tar v6.1.11.


1134665 : CVE-2018-11698 - An out-of-bounds discovered in LibSass through 3.5.4.

Component: F5OS-A

Symptoms:
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Replaced node-sass with sass.


1134649 : CVE-2021-37712 - node-tar file creation/overwrite vulnerability

Component: F5OS-A

Symptoms:
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded node-tar to version 6.1.11.


1134633 : CVE-2018-11694 - A NULL pointer dereference issue in LibSass through 3.5.4.

Component: F5OS-A

Symptoms:
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Conditions:
rSeries GUI uses node-sass dependency which is a wrapper around LibSass. Hence the NULL pointer dereference issue in LibSass could be potentially leveraged by an attacker via node-sass.

Impact:
The issue could be leveraged by an attacker to cause a denial of service (application crash) or possibly have other impact.

Workaround:
None

Fix:
rSeries GUI has shifted from node-sass to a sass dependency which is not dependent on LibSass.


1134625-1 : webUI session timeout popup referring to browser time instead of server time

Links to More Info: BT1134625

Component: F5OS-A

Symptoms:
If the browser time is not in parity with the server time then the session timeout popup is showing up early (before the token expires) or sometimes not showing up even when the token actually expires.

Conditions:
When the user browser and the server times are not in sync.

Impact:
The user sees incorrect session timeout popup or does not see session timeout popup when the token actually expires.

Workaround:
NA

Fix:
This issue is fixed and verified that the timer for the popup is set correctly.


1134289 : Diagnostic Controller Panic messages getting logged in platform.log at startup

Component: F5OS-A

Symptoms:
On startup, receiving the Info messages from LOP for all bits and some of them are not relevant to system type. This is causing panic logs from diagnostic agent service.

Conditions:
This occurs only during startup.

Impact:
No functionality impact.

Workaround:
N/A

Fix:
Diagnostic agent will not panic and log any panic messages during the system startup.


1134141 : Uploading qkview to iHealth may fail on long iHealth user names

Component: F5OS-A

Symptoms:
When an iHealth username/email is entered into the configuration for the iHealth upload feature, if it is sufficiently long (over 16 characters), there may be an authentication error when attempting to upload.

Conditions:
iHealth username/email exceeds 16 characters.

Impact:
Unable to upload to iHealth.f5.com via F5OS-A or F5OS-C webUI.

Workaround:
Use the file export feature to download the qkview file from the device to a PC, and then use the PC to upload the qkview file to iHealth.f5.com.

Fix:
Feature has been fixed in F5OS-C 1.6.0 and F5OS-A 1.3.0.


1134033 : Continuous Diagnostic Controller Event Queue errors are printed in platform.log

Component: F5OS-A

Symptoms:
Flooding of logs continuously in platform.log.

Conditions:
Whenever the watchdog timer is closed, this issue occurs.

Impact:
Event Queue is getting flooded.

Workaround:
N/A

Fix:
Provided watchdog timer fix to avoid the event log flooding.


1132973 : Live upgrade to F5OS-A-1.3.0 will not work if STP is not configured correctly.

Component: F5OS-A

Symptoms:
System database compatibility checks will fail with STP misconfigurations.

Conditions:
Live upgrades to F5OS-A-1.3.0 will not work if STP is not configured correctly.

Impact:
System database compatibility checks will fail.

Workaround:
STP cannot be enabled on individual LAG members. To perform a live upgrade to F5OS-A-1.3.0, the user must correct the STP configurations by removing the STP from the interface which is assigned to aggregation-id.


1132745 : Improve user readability during file upload on partition or controller

Component: F5OS-A

Symptoms:
When the user starts uploading a tenant image file, the file transfer status in the image import status table displays after a few seconds rather than immediately.

Conditions:
On the tenant images screen, when the user has started a file upload from his local machine.

Impact:
User is notified of file upload status after some time, which might lead the user to think that file upload has not started until he sees the status.

Workaround:
None.

Fix:
A new banner was added at the top of the page saying "File upload is initializing, the transfer status will appear momentarily.", which appears as soon as the user starts the file upload. After a few seconds the message on the banner will change to "File upload in progress, please do not refresh the page.", informing user that refreshing the page will cancel the upload process.


1132733-1 : LDAP config tried to configure blank bind password

Links to More Info: BT1132733

Component: F5OS-A

Symptoms:
When using the CLI or older webUI, it was possible to enter an "empty" password. This would cause nslcd to be incorrectly configured.

Conditions:
LDAP configured. Blank LDAP bind password entered:
system aaa authentication ldap bindpw ""

Impact:
A blank password was highly unlikely to be the intended result and would fail to work correctly when configuring authentication or talking to the LDAP server.

Workaround:
Explicitly set the bind password to unset:
no system aaa authentication ldap bindpw

Fix:
Fixed authentication so any form of "empty" password results in the password being unset.


1132617 : WS-2021-0200 - DoS in YAML from versions v2.2.0 to v2.2.2

Component: F5OS-A

Symptoms:
YAML in versions v2.2.0 to v2.2.2 is vulnerable to a denial of service attack.

Conditions:
N/A

Impact:
N/A

Workaround:
There is currently no workaround for this issue.

Fix:
YAML v2.2.0 - v2.2.2 has been removed and upgraded to YAML v3.0.0 in F5OS-A v1.3.0 or later, which resolves WS-2021-0200.


1131993 : Not able to set severity from CLI/webUI for some services.

Component: F5OS-A

Symptoms:
Not able to set severity for following services from CLI/webUI in F5OS-A.
R5R10: - Utils-agent, partition-common(system-common), tcam-manager
R2R4: - Utils-agent, partition-common.

Conditions:
Try to change severity for following services:
R5R10: Utils-agent, partition-common(system-common), tcam-manager
R2R4: Utils-agent, partition-common.

Impact:
Not able to change severity as these services are not listed in ConfD CLI as well as webUI.

Workaround:
N/A

Fix:
Severity can now be set from CLI/webUI for all services.


1125761 : appliance-orch-manager coredump

Component: F5OS-A

Symptoms:
appliance-orch-manager(omd) polls node, events and system pods status and update the status into ConfD. During K3S response processing, OMD failed to handle a few exceptions. Because of that, OMD coredump is observed.

Conditions:
Intermittently OMD core dumps if K3S response is not as expected.

Impact:
Intermittent OMD core dumps.

Workaround:
N/A

Fix:
If OMD core dumps, systemd will bring up the process automatically. No action is expected from user.
However, if any OMD core dumps are observed, contact F5 support.


1125349-1 : Changing the root password in appliance mode is unlocking root account

Links to More Info: BT1125349

Component: F5OS-A

Symptoms:
If the password of root is changed in appliance mode, it disables appliance mode.

Conditions:
Appliance mode is enabled.
Root password is changed using set-password API.

Impact:
Appliance mode is disabled.

Workaround:
Toggle appliance mode to enable it again.

Fix:
Appliance mode is not disabled and displays a message: "Info: The password has changed but appliance mode is enabled that blocks root login."


1123685 : Occasionally Selinux modules are getting corrupted when the system reboots

Component: F5OS-A

Symptoms:
In rSeries appliances, if Selinux modules are corrupted
-> Virt-handler pod crashes continuously.
-> Tenant will be in pending state.
-> Semodule file size is 0 in dir "/etc/selinux/targeted/active/modules/400/"

Conditions:
If interruption happens during Selinux modules building on system bootup, the interruption can be an abrupt power off.

Impact:
-> Virt-handler pod is crashing continuously.
-> Tenant functionality is impacted.

Workaround:
None.

Fix:
Identify and remove the corrupted Selinux files and rebuild them while the system is booting up.


1123329 : Tagged LLDP PDUs (VLAN ID 1) are sent on appliance devices.

Component: F5OS-A

Symptoms:
VLAN ID 1 is seen in LLDP PDU coming from appliances.

Conditions:
LLDP is enabled and RXTX is configured to send and receive LLDP PDU.

Impact:
Tagged VLAN ID 1 is coming in LLDP PDU.

Workaround:
N/A

Fix:
Fixed issue by adding required VLAN at F5OS.


1122593-1 : No options to control system power via LCD menu

Component: F5OS-A

Symptoms:
The front-panel LCD on rSeries appliances does not provide a way to control system power to the host operating system.

Conditions:
One of the following rSeries appliances:
- r2000 / r4000
- r5000 / r10000

Impact:
The system LCD panel provides no way to power on/off the device.

Workaround:
The system power can be controlled via the AOM.

Fix:
The system LCD now provides a Power On control in the System menu.

Behavior Change:
In the older release, the system power can be controlled via the AOM. In the current release, it is being addressed.
The system LCD now provides a Power On control in the System menu.


1121889-2 : ConfD encryption key can lock up the TPM module

Component: F5OS-A

Symptoms:
Due to an error that happens rarely in the HAL layer, the encryption key mechanism can misinterpret such an error as a valid identifier for the system. This causes the TPM to lock up, using that identifier, but then the actual identifier no longer unlocks the TPM.

Conditions:
This happens rarely but when it does, the system-manager cannot read the encryption keys and will not start ConfD.

This will manifest itself as unable to start up the configuration by attempting to become admin.

Impact:
The system is unusable. Installing a new ISO does not help.
The TPM must be cleared to become unlocked. Once the TPM is cleared, a new key is generated so existing encryptions need to be re-encrypted. This is will require that the ConfD system database be reset to default.

Workaround:
The workaround is to do the following:

 # docker exec system_platform-mgr tpm2_takeownership -c
 # docker restart system_manager
 # su admin
 # config
 # (config) system database reset-to-default proceed yes
 # exit; exit
 # docker restart system_api_svc_gateway

Fix:
The incorrect identifier is now ignored and the lockup is avoided.

Note that the fix does not unlock a locked system. The workaround will have to be applied first.


1117649-2 : rSeries Appliance inoperable after powering down from Linux while configured for Appliance mode

Component: F5OS-A

Symptoms:
If the rSeries device is powered down from Linux (for example, using 'halt -p', 'poweroff', or 'shutdown -h now') while in Appliance mode, the device becomes permanently disabled.

In this state, nothing external can be done to power on the Linux host, for example, cycling power, accessing the LCD Power on option, or pressing the Power button.

Trying to access the AOM menu from the serial console reports the following message:
 AOM Command Menu - disabled for security purposes.

Conditions:
-- Appliance mode is enabled (this is the state the 'appliance-setup-wizard' sets when it runs to completion).

-- The host is powered down (for example, using 'halt -p', 'poweroff', or 'shutdown -h now')

Impact:
The AOM command menu is not available to power on the host. A power cycle of the appliance does not power on the host.

The disabled appliance must be replaced.

Workaround:
***Important!***

If the BIG-IP rSeries appliance is configured for Appliance mode, do not power off the device using commands such as 'halt -p', 'poweroff', or 'shutdown -h now'.

Instead, run 'halt' and then remove power from the system (for example, unplug, remove power brick, remove power from rack).

Note: If you have already encountered this issue, contact F5 Support :: https://www.f5.com/services/support to request an RMA. For more information, refer to K12882: Overview of the F5 RMA process :: https://support.f5.com/csp/article/K12882 .

Fix:
Appliance mode no longer disables the AOM menu, allowing access to power on the host command with console access to the appliance.


1117621-2 : After an appliance upgrade from 1.0.1 to 1.1.1, a tenant in Provisioned state may show inconsistent CLI status

Component: F5OS-A

Symptoms:
After an appliance upgrade from 1.0.1 to 1.1.1, if the running-state of a tenant is configured in the Provisioned state, the operational status of the tenant may oscillate between "Ready to deploy" and "Allocating resources to the tenant is in progress" state in the partition CLI status.

Conditions:
A race condition exists after an appliance upgrade from 1.0.1 to 1.1.1, that may display an inaccurate tenant operational state when the tenant is configured as Provisioned.

Impact:
The tenant state constantly changes.

Workaround:
Configure the running-state of the tenant to Deployed.


1117577 : Management interface is not accessible if core system daemons are not running

Component: F5OS-A

Symptoms:
If the system management daemon (confd) is not able to run when the system starts up, the system will not configure its management IP address and will not have network connectivity.

Conditions:
rSeries appliance

Impact:
Management connectivity is lost, and the only way to access the system is via serial console.

Workaround:
An administrator can configure an IP address and default route for an rSeries appliance when logged in from the serial console using the "ip" command.

For instance, the following commands temporarily assign a management IP address of 198.51.100.100 to the appliance, and create a default route via a gateway of 198.51.100.254.

    ip addr add 198.51.100.100/24 dev mgmt0-system
    ip route add default via 198.51.100.254

Fix:
Configure IP workaround.


1117461 : CVE-2021-3538 satori/go.uuid: predictable UUIDs generated via insecure randomness

Component: F5OS-A

Symptoms:
Versions of satori/go.uuid have a flaw which allows for predictable UUIDs to be generated.

Conditions:
N/A

Impact:
N/A

Workaround:
There is currently no workaround for this CVE, however, later versions of F5OS-A have been updated to removed satori/go.uuid and replaced with gofrs/uuid, which is does not have this vulnerability.

Fix:
The satori/go.uuid package has been removed in F5OS-A 1.3.0 and later versions with gofrs/uuid.


1117417-2 : Database config restore failed on rSeries appliance

Component: F5OS-A

Symptoms:
System database config-restore will fail when there is mismatch in the system images between when the backup is taken and the current images present on the system.

Conditions:
The current system images that are present on the system (show system image) do not match the list of images that are stored in the backup file.

Impact:
Config restore fails.

Workaround:
Edit the configuration backup file and delete the <image> stanza, from:

    <image xmlns="http://f5.com/yang/system/image">
to
    </image>

Fix:
Configuration restore on rSeries appliances now works regardless of differences in the set of available system software images.


1117277-2 : Occasional issue observed when tenant deployed on r2xxx/r4xxx series

Component: F5OS-A

Symptoms:
The r2xxx/r4xxx appliance interface drivers are not created in time and lead to tenant deployment failure after the PXE boot, live upgrade, reboot, and port profile change.

Conditions:
Live upgrade from any version to v1.1.1 and PXE and on reboot and on port profile change.

Impact:
Occasionally tenant deployment fails to come up.

Workaround:
None


1117237-2 : FPGA bit files are not updated to the latest version after a live upgrade

Component: F5OS-A

Symptoms:
FPGA bit files are not updated to the latest version after a live upgrade.

Conditions:
Live upgrade to an ISO file.

Impact:
Unexpected behavior with tenant and traffic.

Workaround:
Run the following commands from the bash prompt:

1. /bin/systemctl stop appliance_orchestration_manager_container.service

2. /bin/systemctl stop platform-services-deployment.service

3. reboot

Once the system is rebooted, the correct bit files will be installed.

Fix:
Cleaned up the stale/old container volumes before bringing up the new containers.


1116869-1 : Tcpdump on F5OS does not capture packets of certain sizes

Component: F5OS-A

Symptoms:
When using tcpdump on the F5OS host, packets of certain sizes may not be captured via tcpdump.

Conditions:
Tcpdump packets less than 1501 bytes and greater than 1483 bytes as well as several other ranges are affected by this issue.

Impact:
Tcpdumps may be incomplete.

Fix:
Packets of certain sizes are no longer dropped.


1116185-1 : Removing multiple images simultaneously from the webUI causes an error

Component: F5OS-A

Symptoms:
The image removal action handler takes the input and processes it one item at a time. From the CLI/RESTCONF interface, the user can provide one image at a time. But the webUI allows the user to select multiple images and click Delete to remove them in a single click. This was creating a backend handler issue that caused the image agent to crash.

Conditions:
When multiple images are selected and processed for removal from the webUI.

Impact:
In this situation, all subsequent image removal requests cause an error: "Error: application communication failure".

Workaround:
The issue is fixed in F5OS-A 1.2.0. To avoid this situation in other releases of F5OS-A, the user must select one image at a time for deletion from the webUI.

Restarting the image agent service recovers the system from this state.

Fix:
The issue is fixed by improving the image removal process.


1116169 : WebUI does not inform users that file transfer status may take some time to return depending on various factors like network speed

Component: F5OS-A

Symptoms:
The webUI does not inform users that file transfer status may take some time to return depending on various factors like network speed, which could lead to some confusion.

Conditions:
Occasional delay in fetching file transfer status due to network speed and other factors.

Impact:
Missing clarity on file transfer success/failure.

Workaround:
If the user is not able to see the file transfer status immediately they will be able to see it automatically within 15 seconds, as there is continuous polling for the API.

Fix:
Informative text on the file import/export displays to align user expectations.


1114485-1 : K3s cluster goes to unhealthy state when system is rebooted after changing hostname.

Component: F5OS-A

Symptoms:
When the system hostname is changed and the system is rebooted, all or some of the following symptoms may be encountered:
-- System-related pods in K3s are stuck in a failure state.
-- The K3s cluster shows more than one node.
-- OMD continuously cores.

Conditions:
The system is rebooted after the hostname is configured in confd.

Impact:
-- K3s cluster goes into an unhealthy state.
-- Tenant functionality is impacted.

Workaround:
None

Fix:
Changing the hostname via confd does not change the system hostname.

Configured hostname is reflected only in the bash and confd prompts.

When no hostname is configured, the bash prompt uses a default PS1 prompt.


1114437 : Ambiguous error message when user configures duplicate IP port combination

Component: F5OS-A

Symptoms:
A duplicate IP/port combination is not allowed in allowlist configuration. Allowlist is mainly used to allow traffic from specific source addresses.
The error message is generic and does not describe the problem.

Conditions:
An error is displayed when the user tries to configure the same IP and port as part of two different allowlist profiles.

Impact:
The error message is not descriptive, and the user might not be able to identify the issue immediately.

Workaround:
N/A

Fix:
A descriptive error message is displayed on the screen, informing the user about a duplicate IP and port.


1114369 : Error log "Failed to execute iptable cmd: ," getting generated when trying to add same port to allow list

Component: F5OS-A

Symptoms:
When an allowed IP for the same port is added more than once, this log is generated.

Conditions:
Add allowed IP for the same port more than once.

Impact:
No impact on functionality. The function to remove the default rule, which is failing, is being called every time.

Workaround:
N/A

Fix:
The log is no longer generated.


1114173 : LOP Controller RX error: unknown

Component: F5OS-A

Symptoms:
Within the platform.log file, one can see a large number of error messages with the text including "LOP Controller RX error: unknown".

Conditions:
When the LOP firmware is upgraded to a recent version, new messages around the PSU PMBus have been added. When the application software is rolled back to an older version, the HAL layer no longer recognizes those messages and reports an unknown message error.

Impact:
The issue does not impact the operation of the product.

Workaround:
Updating to a more recent version of the rSeries ISO will prevent the message from showing up in the platform.log file.

Fix:
Update to a more recent version of the rSeries ISO.


1112533-1 : Status LED color always stays amber

Component: F5OS-A

Symptoms:
The status LED is always amber.

Conditions:
This occurs during normal operation when the status LED should be green.

Impact:
Status LED may not change to green when system is operational.

Workaround:
None

Fix:
Added a diagnostic task that periodically monitors and sets status LED color to green.


1112229-1 : File download API changes to support file download from the webUI

Component: F5OS-A

Symptoms:
Header information is not effective to download files from the webUI.

Conditions:
X-Auth token is required to download from the webUI.

Impact:
Downloading files from the webUI fails.

Workaround:
None


1112141-2 : 10G/25G/40G burst support in rSeries appliance

Component: F5OS-A

Symptoms:
When a burst of traffic at 100Gb/s is sent to a 10G/25G/40G port, the burst size supported by the rSeries appliance depends on the buffer size. Once the buffer is full, packets are dropped.

Conditions:
-- Use of 10G/25G/40G ports.
-- A 100Gb/s burst of traffic occurs.

Impact:
This results in loss of egress packets.

Workaround:
None

Fix:
Improved the burst capability on rSeries appliances when 10G/25G/40G ports are used.


1111549-1 : System import functionality is unstable if PXE install source is not imported

Links to More Info: BT1111549

Component: F5OS-A

Symptoms:
If a VELOS controller or rSeries appliance is PXE installed with a given ISO, and that ISO is not imported manually on the controller after the installation, future imports may fail or be left in an inconsistent state.

Conditions:
1. PXE install VELOS system controller or rSeries appliance
2. Fail to manually import ISO used for PXE install
3. Import other software

Impact:
Confusing import and upgrade failures under conditions that seem like they shouldn't produce issues.

Workaround:
After PXE installing a VELOS controller, make sure to manually import the ISO used for PXE install before importing any other platform software components.

Fix:
Better handling for cases where the ISO that is used for PXE install of VELOS controllers is not imported after the install.


1111533 : PSU status undeterminable under "show system events" output

Component: F5OS-A

Symptoms:
The "show system events" log messages are not clearly communicating PSU status.

Conditions:
The "show system events" command in ConfD always shows "Presence detected" when we assert and de-assert the power supply.

Impact:
User might not be able to conclude whether PSU is present and removed.

Workaround:
N/A

Fix:
User is now able to see "Absent" when PSU is physically removed and "Presence detected" when PSU is connected.


1111237-1 : Logrotate parameters do not get updated by software upgrade

Links to More Info: BT1111237

Component: F5OS-A

Symptoms:
If the parameters (frequency/size) for log file rotation are updated in a new software release, they are not updated on the target system during upgrade. The result is that the size of retained log messages depends on the upgrade history, not on the software version.

Conditions:
System that is live upgraded from any version to any other version prior to F5OS-C 1.5.0.

Impact:
When logfiles are collected by qkview, differing amounts of data may be gathered, perhaps omitting information that was intended to be collected.

Workaround:
None.

Fix:
The system updates the logrotate parameters during software install, so that the setting correspond to the software version, not the upgrade history.


1110429-1 : Duplicate service-instance entries in chassis partition

Links to More Info: BT1110429

Component: F5OS-A

Symptoms:
In rare circumstances, when viewing the partition service-instance entries, duplicate entries will exist for system level daemons like LACPD, L2FwdSvc, and SwRbcaster. The issue occurs rarely, and the user should only notice a cosmetic difference.

Conditions:
Adding blades to and removing blades from a partition may trigger the issue.

Impact:
Display is not correct.

Workaround:
Delete and recreate the affected partition.

Fix:
Duplicate service-instance entries will be removed in cases of a blade rebooting and a blade being added to a partition.


1109029-1 : Host Logs in F5OS-A not being rotated

Component: F5OS-A

Symptoms:
Log files under /var/log in host-os were able to grow in GBs.

Conditions:
Log files under /var/log not added in logrotate.

Impact:
Size of log files will grow in GBs, which will consume a significant amount of hard disk space.

Workaround:
N/A

Fix:
Host Logs in F5OS-A are now being rotated as expected.


1109021-2 : CLI commands are not logged in audit.log

Links to More Info: BT1109021

Component: F5OS-A

Symptoms:
CLI commands from ConfD are not getting logged in audit.log.

Conditions:
Execute commands using the ConfD CLI.

Impact:
CLI commands which are required for security compliance audit will not get logged in audiit.log file.

Workaround:
None


1108509 : Unable to fetch appliance fan speed using SNMP

Component: F5OS-A

Symptoms:
Unable to get appliance fan RPMs using SNMP (for example, snmpget/snmpwalk).

Conditions:
Appliance with management IP and allowlist configuration.

Impact:
User cannot fetch fan RPMs using SNMP; an SNMP walk will fail.

Workaround:
Fan speed can be fetched using CLI.

Fix:
Support to fetch fan details is added to the appliance code in 1.3.0, and data can now be fetched using SNMP.


1106881-3 : F5OS with an AFM license provisioned may provide incorrect AFM stats to a BIG-IP tenant

Links to More Info: BT1106881

Component: F5OS-A

Symptoms:
This is an intermittent problem where the affected BIG-IP tenant may receive incorrect statistics from the F5OS platform. This can cause the BIG-IP tenant to drop DNS traffic that should not be dropped.

Typically, the BIG-IP tenant will have periods of time where it receives the correct stats, and periods where it receives incorrect stats.

Conditions:
All of the below must be true:

-- Two or more BIG-IP tenants are deployed either on the same node in a partition or on the same appliance.
-- An AFM license is installed on the F5OS platform.
-- At least one tenant is receiving malformed DNS traffic.

Impact:
Clients that send DNS traffic to the affected BIG-IP tenant will not receive DNS responses when they should.

Workaround:
When AFM is provisioned for the system, deploying tenants on different nodes on a chassis based system or one tenant per appliance avoids the issue.

Fix:
BIG-IP tenants receive the correct platform statistics regardless of the node in which they are deployed.


1105001-1 : Large tar/gz/iso file download via the restconf API fails.

Links to More Info: BT1105001

Component: F5OS-A

Symptoms:
Downloading large tar/gz/iso files using the restconf API results in a corrupted file.

Conditions:
Large tar/gz/iso file download via the restconf API.

Impact:
Download fails, the downloaded file is corrupted.

Workaround:
None

Fix:
Fixed the code to download large tar/gz/iso files.


1104745-1 : Request for a webUI option to clear/reset the STP mode configuration

Component: F5OS-A

Symptoms:
On the webUI STP Configuration screen, the user does not have an option to clear STP mode once they have selected an STP mode.

Conditions:
User should have selected an STP mode.

Impact:
Once the STP mode is selected, the user does not have an option on the webUI to clear the selection.

Workaround:
None

Fix:
Added a new disabled option in STP mode selection. Selecting it will clear the previous STP mode selection.


1104569 : On upgrading, the correct webUI changes are not reflected

Component: F5OS-A

Symptoms:
On upgrading from one F5OS-A version to another, the appropriate webUI changes are not reflected, and the older changes still persist.

Conditions:
Upgrading from one F5OS-A version to another.

Impact:
Appropriate changes with respect to the version are not reflected on the webUI.

Workaround:
Refreshing the containers is a known workaround using /usr/libexec/platform-deployment stop and /usr/libexec/platform-deployment start.

Fix:
The fix is to clean up stale volumes so that new volumes are mounted after system reboot. A --remove-orphans flag was added to docker-compose down to remove volumes which were created in the previous run of docker-compose. Also, appliance_orchestration_manager was called to stop separately, as it was using a volume called config_vlogsev, which was also being used by other containers, because it is not a part of the platform.yml file. Also docker-compose down has been added before starting service in the beginning of the platform-deployment service to handle the scenario of upgrading from broken ISO to fix ISO.


1104541 : MIBs directory content is not accessible

Component: F5OS-A

Symptoms:
Directory contents are not accessible from ConfD API.

Conditions:
When file list ConfD API is used on MIBs directory, it is showing an invalid path.

Impact:
Will not be able to see directory content from ConfD API.

Workaround:
N/A

Fix:
The MIBs directory content is now accessible as expected.


1103001 : Tenants fail to come up after a live upgrade from pre-1.1.0 version to 1.1.0 on the r4xxx appliances

Component: F5OS-A

Symptoms:
When a live upgrade is attempted from a pre-1.1.0 release to a 1.1.0 release on the r4xxx series of appliances, the tenants will not come up after the live upgrade.

The symptoms that will be seen are:
ICE driver may not load ( "lsmod | grep -i ice" will not show a line with 'ice' ), no VFs will be created, tenant deployment will fail.

Conditions:
-- An F5OS upgrade is performed on an r4xxx series appliance to version 1.1.0
-- The appliance was running pre-1.1.0 software
-- A license is installed
-- Tenants are attempted to be deployed

Impact:
Tenant deployment fails after live upgrade as the ICE driver is not loaded.

Workaround:
After the live upgrade, check that the tenant is failing to deploy.
Check that "lsmod | grep -i ice" does not show a line with 'ice'
reboot the system
Now rerun lsmod again. This should show the ice module line.

Fix:
Fixed in all versions after 1.1.0.


1102137-2 : Diagnostics ihealth upload qkview-file does not auto-complete with available qkview file names

Component: F5OS-A

Symptoms:
The ConfD command system diagnostics ihealth upload qkview-file is not tab-expandable, and you are not presented with the list of available qkview files.

Conditions:
Running "system diagnostics ihealth upload qkview-file <TAB>" to see the list of available qkview files.

Impact:
The available qkview files are not presented using tab autocomplete.

Workaround:
Run "system diagnostics qkview list" to obtain the list of available qkview files, and then manually type the desired qkview file name in when using the "system diagnostics ihealth upload qkview-file" command.

Fix:
Pressing <TAB> after system diagnostics ihealth upload qkview-file will produce a list of available files. Entering part of the name and <TAB> will auto-complete selecting a valid and available qkview file name.


1101365 : Delay in tenant deployment with tenant image corruption error

Component: F5OS-A

Symptoms:
The system posts an intermediate error message:

Tenant image corrupted - Update the tenant config with proper image.

This error auto-recovers within 20 seconds.

Conditions:
Observed intermittently while bringing up the tenant.

Impact:
There is a delay in tenant deployment with an intermediate error on the CLI console.

Workaround:
None


1101237-1 : When configured for SNMP, the system does not properly report a sysObjectID for the F5OS system

Component: F5OS-A

Symptoms:
F5OS systems may not be detected by SolarWinds or other management systems due to the wrong sysObjectID configuration in SNMP.

Conditions:
SNMP

Impact:
F5OS systems may not be detected by SolarWinds or other management systems due to the wrong sysObjectID configuration in SNMP.

Fix:
The sysObjectIDs are correct now.


1100305-2 : Tcpdump capture of packets with interface-based filtering fails on r5000 and r10000 appliances

Component: F5OS-A

Symptoms:
On r5000 and r10000, running a tcpdump as follows:
appliance-1# system diagnostics tcpdump -nni 1.0

to filter packets traversing interface 1.0 only, will fail.

The error seen will be "errbuf ERROR:Interface configuration failed. Please retry tcpdump: pcap_loop: Interface configuration failed. Please retry."
and the client will terminate.

Retrying the client will not help, contrary to the message.

Conditions:
Tcpdump capture is started on an r5000 and r10000 device and the option to filter packets based on an interface ("-i" option) is chosen.

Impact:
Tcpdump cannot work in the interface filtering mode.
It will operate in the other modes; only the interface filtering option causes it to be unable to start.

Workaround:
1) Start a tcpdump capture with no interface filter
"system diagnostics tcpdump" or
"system diagnostics tcpdump -nni 0.0"

Packets will be captured from all interfaces, and further (non-interface) filters can be used to narrow down capture
For example:
"system diagnostics tcpdump host 1.1.1.1 and port 80" or
"system diagnostics tcpdump vlan 200"

2) Restart the tcpdump container. This would make the -i option available again.


1099469 : Control plane starvation on a fully loaded rSeries system

Component: F5OS-A

Symptoms:
When an rSeries appliance is running to maximum capacity, and CPU load is 100%, the control plane does not get enough cycles to perform operations.

Conditions:
When an rSeries appliance is running to maximum capacity.

Impact:
The control plane does not get enough cycles to perform operations.

Workaround:
echo 2048 > /sys/fs/cgroup/cpu/kubepods/cpu.shares

Fix:
cpu.shares is set to 2048 on boot to boost its CPU shares.


1099437-1 : Nic-manager core file

Component: F5OS-A

Symptoms:
During a power down sequence the l2-agent may generate a core file. The system comes back up without any issue.

Conditions:
System power loss.

Impact:
Core file is generated.

Workaround:
None

Fix:
A fix has been added to detect and prevent creating an l2-agent core file during a power down.


1099197 : Packet loss caused by failure of internal hardware bus

Component: F5OS-A

Symptoms:
All or 50% of from-network packets arriving at a front panel port are dropped in hardware prior to delivery to tenant(s) running on the CPU. Packet loss is caused by CRC errors on an internal bus connecting two hardware components leading to eventual failure of the bus.

Conditions:
Issue occurs randomly, but most commonly seen soon after bootup when packets first start to be handled by fastL4 hardware acceleration, hardware per-virtual server syn cookie protection, or AFM hardware protection.

Impact:
Total loss of from-network to CPU packets on r5900, r5800, and r5600 appliances, and either total loss or loss of 50% of from-network to CPU packets on r10900, r10800, and r10600 appliances. r4800, r4600, r2800, and r2600 appliances are unaffected.

Workaround:
Reboot the appliance and disable fastL4 acceleration, per-virtual syn cookie hardware protection, and AFM hardware protection before re-enabling ingress traffic.

Fix:
This issue has been corrected.


1097925-1 : Resolving CVEs on F5OS-A 1.1.0

Component: F5OS-A

Symptoms:
F5OS-A 1.1.0 is vulnerable to the CVEs mentioned in the bug.
CVE-2021-27219
CVE-2021-43527
CVE-2022-23852
CVE-2020-10531
CVE-2022-24407
CVE-2018-1000805
CVE-2021-44142
CVE-2020-12321
CVE-2020-24489
CVE-2021-42574
CVE-2020-8625

Impact:
F5OS-A 1.1.0 is vulnerable to the CVEs mentioned in the bug.


1097833 : Debug messages logged in platform.log

Links to More Info: BT1097833

Component: F5OS-A

Symptoms:
When performing an ISO install on the hardware, some services log debug messages to platform.log until ConfD comes up.

Conditions:
This occurs during an ISO install.

Impact:
Unnecessary debug logs are logged to platform.log.

Workaround:
None


1096885-1 : Tenant image filename with special characters allowed to import, but tenant deployment fails

Component: F5OS-A

Symptoms:
Images imported with special characters in their name like parenthesis cause tenant deployment failure when used to launch a tenant.

Conditions:
Tenant image filename contains special characters such as '(' or ')'.

Impact:
Image imports, but tenant provisioning and deployed fails.

Workaround:
1. Delete the tenant that is using the "bad" image.
2. Rename the tenant image filename removing the special characters.
3. Re-create the tenant.

Fix:
Special characters are handled appropriately in the respective tenant launching applications.


1092049 : CVE-2020-7774 - The package y18n before 3.2.2, 4.0.1 and 5.0.5, allows unsafe operations.

Component: F5OS-A

Symptoms:
The package y18n before 3.2.2, 4.0.1 and 5.0.5, allows unsafe operations.

Conditions:
This affects the package y18n before 3.2.2, 4.0.1, and 5.0.5.

Impact:
N/A

Workaround:
None

Fix:
This has been fixed by upgrading 'react-scripts' to version 4.0.0 and thus 'y18n' to v4.0.3 and replacing 'node-sass' with 'sass' which doesn't require 'y18n'.


1091641-2 : NTP (chrony) packet authentication is not fully implemented on VELOS

Links to More Info: BT1091641

Component: F5OS-A

Symptoms:
It is not possible to enable NTP packet authentication.

Conditions:
Running a version of F5OS-C earlier than 1.5.0.

Impact:
NTP packet authentication is not available.

Workaround:
None

Fix:
Added support for NTP packet authentication.


1090753 : NSO and ASW XBAR packet drops on 10G, 25G, and 40G interfaces.

Component: F5OS-A

Symptoms:
Unexpected egress packet drops can be seen in XBAR for 10G, 25G, and 40G ports.

This is a packet burst congestion issue that overflows XBAR egress buffers. The issue is seen mainly on 10G ports.

Conditions:
This issue can happen when customers are using the 10G, 25G, or 40G front panel interfaces.

Impact:
The impact is egress packets dropped at 10G, 25G, and 40G front panel interfaces.

Workaround:
The workaround for this issue is to upgrade to NSO bitfile version nso_1ST210EU2F50E2VG_v70.2.10.11_d22.06.23.00.bit and ASW bitfile version asw_1ST280EU2F50E2VG_v71.2.12.11_d22.06.15.00.bit. These bitfiles and newer include added packet buffer memory in the XBAR.

The added packet buffer memory greatly improves the packet drop issue, but does not resolve it completely. In testing, packet drops were still seen as system throughput approached 190Gb.

Fix:
The initial fix for this issue is to add memory to the 10G, 25G, and 40G output buffers. Memory was increased from 4Mb to 8Mb.

The added packet buffer memory greatly improves the packet drop issue, but does not resolve it completely. In testing, packet drops were still seen as system throughput approached 190Gb.


1090521 : Tenant deployment may fail if the memory configured is an odd number.

Links to More Info: BT1090521

Component: F5OS-A

Symptoms:
1. Tenant deployment fails.
2. System may go into bad state.

Conditions:
When memory configured for a tenant is set to an odd number.

Impact:
Tenant deployment fails.

Workaround:
This issue has been fixed in F5OS-A 1.2.0.


1090145-1 : VLAN-Listener incorrectly updated on Network Manager component restart

Links to More Info: BT1090145

Component: F5OS-A

Symptoms:
When the Network Manager component is restarted, VLAN Listener entries can be incorrectly updated to each tenant's default Service ID.

Conditions:
Network Manager restarts can happen due to system controller restarts, partition upgrades, or a manual restart.

Impact:
Some traffic could incorrectly follow the default Port Hash disaggregation algorithm. For example, if a VLAN has been set to use the IPPORT disaggregation algorithm, this reset can cause some of the traffic to revert to using the default Port Hash algorithm.

Workaround:
Inside the affected tenants, the cmp-hash field can be changed back to default, then changed back to the desired setting.


1090089 : NTP service does not work on rSeries appliances

Component: F5OS-A

Symptoms:
The NTP service does not work on rSeries appliances that run F5OS-A.

Running chronyc ntpdata returns "501 Not authorized"

Conditions:
-- rSeries appliance running F5OS-A
-- NTP configured

Impact:
NTP functionality does not work.

Workaround:
Change directory ownership to chrony using below command:

chown chrony:chrony /var/run/chrony

Fix:
Update ownership for "/var/run/chrony" directory and removed unwanted configuration from "chrony.conf".


1089721 : Prefix length support to allow multiple IP addresses

Component: F5OS-A

Symptoms:
Prefix length was not supported previously, and users had to configure one IP per command in order to support multiple source IPs.

Conditions:
Always

Impact:
Multiple source IP addresses cannot be allowed using a single command.

Workaround:
NA

Fix:
This improvement supports the configuration of prefix length to allow multiple IP addresses using a single command.
Prefix length is an additional parameter in the existing configuration command.


1088565-1 : Various services may stop working on a system controller if the LCD is malfunctioning

Links to More Info: BT1088565

Component: F5OS-A

Symptoms:
Various services may become unresponsive or not work correctly.

Conditions:
LCD is not working or host cannot communicate with the LCD.

Impact:
Any functionality that interacts with platform-hal could be impacted.

Workaround:
Recover or repair the LCD. Rebooting the affected system controller can also help temporarily.

Fix:
Fixed a leak that occurs when platform-hal cannot communicate with the LCD.


1086749-1 : Interface speeds are not reported correctly when linked at a slower speed

Component: F5OS-A

Symptoms:
RSeries 2xxx/4xxx interfaces support linking at certain speeds slower than the portgroup speed, but the interface speed is reported as higher.

For example:
-- A portgroup in 25G mode accepts a 10G SFP and link at 10G. The interface speed is reported as 25G.
-- A portgroup in 25G mode can link at 1G. The interface speed is reported as 25G.
-- A portgroup in 10G mode can link at 1G. The interface speed is reported as 10G.

Conditions:
This occurs when using an SFP that only supports a slower speed, or when connecting a 10G copper port to a 1G capable device.

Impact:
The interface speed reported in the webUI/CLI is higher than the actual link speed.

Workaround:
You can determine the actual link speed using ethtool, for example:

 -- For port 1.0, use ethtool x557_1.
 -- For port 5.0, use ethtool sfp_5.

Fix:
Now reports correct interface speeds.


1085925-1 : SSH connection cannot be allowed/blocked based on source IP address

Component: F5OS-A

Symptoms:
There is no command in F5OS-A or F5OS-C that can be used to allow SSH connection only from specific (or range) IP addresses.

SSH connections are allowed from all source IP addresses.

Conditions:
F5 rSeries or VELOS platform

Impact:
Malicious users might be able to connect (SSH) to F5OS-A or F5OS-C device.

Workaround:
None

Fix:
The existing command "system allowed-ips allowed-ip ..." is enhanced to support SSH. The command can be used to specify source IP addresses that can establish SSH connection.


1085149-1 : Customer requires auth token session to be configurable

Component: F5OS-A

Symptoms:
The restconf token session was not configurable in both F5OS-C and F5OS-A.

Conditions:
F5OS-C or F5OS-A webUI.

Impact:
The customer experienced a fixed session timeout within one hour and the customer has to log in again to the webUI session.

Workaround:
N/A

Fix:
This issue is fixed in F5OS-C 1.6.0 and F5OS-A 1.3.0. Now the token session timeout is configurable for up to one day.


1084817-3 : Container api-svc-gateway crashes due to certificate issues partition database

Links to More Info: BT1084817

Component: F5OS-A

Symptoms:
The api-svc-gateway container crashes when a bad self-signed certificate or key is published to partition database.

Conditions:
A corrupted certificate/key causes the issue.

Impact:
The api-svc-gateway service crashes.

Workaround:
Run the following command:

(config) # system database reset-to-default proceed

Fix:
In the scenario this happens, api-svc-gateway now:

 * detects when it cannot set up an SSL connection using these credentials
 * logs an error
 * sets health status to unhealthy with appropriate error and severity
 * tries to start a GRPC server with only insecure credentials


1083993-1 : File import should check that the target doesn't exist

Links to More Info: BT1083993

Component: F5OS-A

Symptoms:
File import will fail if the same file name already exists.

Conditions:
Importing a file that already exists on the file system.

Impact:
An error occurs if the file already exists.

Workaround:
None


1083077-1 : LACP trunks are not configured automatically in BIG-IP tenant running on F5OS chassis/appliances

Component: F5OS-A

Symptoms:
When an LACP trunk is configured on an F5OS chassis/appliance and only the native VLAN is attached, the LACP trunk will not be automatically configured on the BIG-IP tenant.

Conditions:
This behavior is observed only when the LACP trunk is attached to a native VLAN.

Impact:
LACP trunk configuration will not be applied to the BIG-IP tenant automatically when only a native VLAN is attached to it on the platform.

Workaround:
Configure the LACP trunk in the BIG-IP tenant manually.

Fix:
LACP trunks are now configured automatically in BIG-IP tenant running on F5OS chassis/appliances, as expected.


1082513 : LACP waitOnAlertFd Errors

Component: F5OS-A

Symptoms:
The system posts error messages in the platform.log:

LacpdHeartBeatsClient::run() waitOnAlertFd Error!

Conditions:
This occurs at startup, reboot, and upgrade.

Impact:
There is no functional impact; you can safely ignore these messages.

Workaround:
None

Fix:
Reduced the frequency of LACP waitOnAlertFd error messages.


1077149-1 : The fpga-tables CLI command results in syntax error in configuration mode

Component: F5OS-A

Symptoms:
When in configuration mode on the CLI and entering the fpga-tables path, a syntax error is encountered. For example:

r5900-2(config)# fpga-tables ?
Possible completions:
  <cr>
r5900-2(config)# fpga-tables
-----------------------------^
syntax error: incomplete path
r5900-2(config)#

Conditions:
Performing CLI commands in the fpga-tables path while in configuration mode.

Impact:
The fpga-tables are intended to be operational data only. Configuration of the fpga-tables path is not supported, so the impact is cosmetic. The error can be ignored.

Workaround:
The error can be ignored.


1075693-1 : CVE-2021-22543 Linux Kernel Vulnerability

Links to More Info: K01217337


1075361-1 : Messages log has a very high number of "error" and "fail" entries

Component: F5OS-A

Symptoms:
During system bring up/reboot, various fail and error logs are seen from multiple software components.

Conditions:
During system boot up or if we perform multiple reboots we may see various errors/failures in log messages.

Impact:
User will see error/fail messages, while System bring up/reboot.

Workaround:
N/A

Fix:
Fixed the error/fail logs for few components.


1074093 : Admin console is displayed when SSH login with a new root user

Component: F5OS-A

Symptoms:
Non-root user is allowed to get root role. If any such user exist, they get an admin console instead of root console.

Conditions:
A new non-root user is created with root role.
Example :
appliance-1(config)# system aaa authentication users user user_test config username user_test role root

Impact:
non-root user with role root is restricted.

Note: In case of live upgrade from previous to current release, any non-root user with root role may cause upgrade to fail (as non-root users with root role are restricted), and you will need to either delete these users or do a bare metal install before performing a live upgrade.

Fix:
Current fix prevents creation of a non-root user with root role.


1074001 : service:overall-health attribute reports OK when the service state is unhealthy

Component: F5OS-A

Symptoms:
service:overall-health value is reported as OK, when state is unhealthy.

Conditions:
When service state is unhealthy, service:overall-health attribute is not updated.

Impact:
service:overall-health is not reporting service state properly.

Workaround:
N/A

Fix:
Updated the service:overall-health attribute.


1073581-2 : Removing a 'patch' version of services might remove the associated 'base' version as well

Links to More Info: BT1073581

Component: F5OS-A

Symptoms:
Removing a 'patch' version (X.Y.Z, Z>0) of a platform ISO or services might, under certain conditions, lead to the unexpected removal of the 'base' version (X.Y.0) associated with that patch.

Conditions:
1. A 'patch' ISO is imported when the 'base' associated with the patch is not already imported (example: An F5OS-C 1.2.2 ISO is imported, and F5OS-C1.2.0 is not already imported).
2. Some time later, the F5OS-C 1.2.2 ISO is removed. This also removes the 1.2.0 services.

Impact:
F5OS-C removes software that wasn't explicitly chosen to be removed.

Workaround:
To work around this issue, import the 'base' version ISO (X.Y.0) before importing any patches. If this is done, removal of a 'patch' will not remove the 'base'. If a 'base' was already removed accidentally, re-importing the 'base' ISO will also make it available again.

Fix:
N/A


1072209-3 : Packets are dropped on VELOS when a masquerade MAC is on a shared VLAN

Links to More Info: BT1072209

Component: F5OS-A

Symptoms:
On the VELOS platform, any packets destined to a masquerade MAC address are dropped when the masquerade MAC is located on a shared VLAN (a VLAN shared between multiple F5OS tenants).

On rSeries hardware platforms, all traffic for this MAC is first handled by the software-rebroadcaster and is replicated to all tenants sharing that VLAN.

Conditions:
-- A masquerade MAC is configured on a shared VLAN.
-- Traffic to the MAC address is initiated, that is, ping a floating self-IP.
-- The packets are dropped on ingress.

Impact:
Connectivity issues.

Workaround:
Configure a static FDB entry at the partition level.

Fix:
Packets are no longer dropped when a masquerade MAC is on a shared VLAN.


1062765-1 : Tenant Status shows error "Insufficient f5.com/qat"

Component: F5OS-A

Symptoms:
Some unhealthy events intermittently occur that are related to "Insufficient f5.com/qat" inside ConfD. But the tenant is actually healthy and functional.

Conditions:
Intermittently on a system upgrade. Tenant status might show failed messages in ConfD.

Impact:
No impact, the tenant is actually healthy and functional.

Workaround:
No workaround necessary.

Fix:
Issue fixed in F5OS-A 1.3.0 release.


1062309-1 : "Failed unmounting" errors during shutdown.

Component: F5OS-A

Symptoms:
"Failed unmounting" errors are seen during the shutdown, because of unmounting of temporary directories, which are created during the SW import.
[FAILED] Failed unmounting /var/images/R5R10/1.0.0-10192.
[FAILED] Failed unmounting /var/export/chass...mounts/iso/R5R10/1.0.0-10192/m3.
[FAILED] Failed unmounting /var/export/chass...unts/services/R5R10/1.0.0-10192.

Conditions:
The "Failed unmounting" errors are seen when a system is rebooted.

Impact:
Error statements are seen in the shutdown logs. They can be ignored.


1056453-1 : Tenant datapath will not work if the tenant is named "stpd".

Component: F5OS-A

Symptoms:
If a tenant is created with the name "stpd", there will be a conflict with a system component. The datapath will not function correctly.

Conditions:
A tenant is created with the name "stpd".

Impact:
The datapath for the tenant will not function.

Workaround:
Change the name of the tenant.

Fix:
N/A


1055329-2 : VLAN shared between two tenants might not pass traffic to tenant with non-default CMP hash.

Links to More Info: BT1055329

Component: F5OS-A

Symptoms:
If two tenants on a VELOS chassis are configured with a shared VLAN, one tenant might not pass traffic if it has a non-default CMP hash configured for that VLAN.

Conditions:
-- VELOS chassis
-- Configure a VLAN shared between two or more tenants
-- In one tenant, configure a non-default CMP hash for the VLAN

Impact:
No connectivity.

Workaround:
After configuring a non-default cmp hash, run "docker restart partition_sw_rbcast" on each blade.

Fix:
Fixed operation of shared VLAN when cmp hash is not the default.


1053793-1 : QKView list and status results are difficult to parse

Component: F5OS-A

Symptoms:
The QKView list and status commands return output that can be difficult to read.

Example 1 :: running the command: system diagnostics qkview list:

frodo# system diagnostics qkview list
result {"Qkviews":[{"Filename":"appliance-1.qkview","Date":"2022-06-15T22:59:57.704997979Z","Size":320434703},{"Filename":"cancelme.tar.canceled","Date":"2022-04-28T17:22:10.411870757Z","Size":3734340},{"Filename":"duplicate.qkview","Date":"2022-08-10T20:40:10.966027168Z","Size":490039715},{"Filename":"test.qkview","Date":"2022-06-15T23:21:23.068041954Z","Size":321199668},{"Filename":"test2.qkview","Date":"2022-07-13T19:01:32.712663042Z","Size":416706874},{"Filename":"teststatus.qkview","Date":"2022-08-23T23:27:19.283797639Z","Size":530892644}]}

resultint 0


This output is easier to parse:

FILENAME SIZE CREATED ON
------------------------------------------------------------------
teststatus.qkview 530892644 2022-08-23T23:27:19.283797639Z
duplicate.qkview 490039715 2022-08-10T20:40:10.966027168Z
test2.qkview 416706874 2022-07-13T19:01:32.712663042Z
test.qkview 321199668 2022-06-15T23:21:23.068041954Z
appliance-1.qkview 320434703 2022-06-15T22:59:57.704997979Z
cancelme.tar.canceled 3734340 2022-04-28T17:22:10.411870757Z

Example 2 :: running the command: system diagnostics qkview status:

result {"Busy":false,"Percent":100,"Status":"complete","Message":"Completed collection.","Filename":"teststatus.qkview"}

resultint 0


This output is easier to parse:
system diagnostics qkview state status capture-in-progress false
system diagnostics qkview state status percentage 100
system diagnostics qkview state status status-msg "Completed collection."
system diagnostics qkview state status filename teststatus.qkview

Conditions:
- Running "system diagnostics qkview list" within the CLI
- Running "system diagnostics qkview status" within the CLI

Impact:
Formatting of output makes troubleshooting more difficult.

Workaround:
None

Fix:
QKView output formatting is improved and easier to read, utilizing new commands.

To see a list of QKView files, use the following command within the CLI:
show system diagnostics qkview state files

To see the current status of a captured QKView, use the following command within the CLI:
show system diagnostics qkview state status


1040461-3 : Permissions of some QKView control files do not follow standards

Links to More Info: BT1040461

Component: F5OS-A

Symptoms:
Permissions of some QKView control files do not follow standards.

Conditions:
Viewing permissions of QKView files.

Impact:
Some do not follow standards.

Workaround:
None

Fix:
Permissions of all QKView control files now follow the standards.



Known Issues in F5OS-A v1.3.x


F5OS-A Issues

ID Number Severity Links to More Info Description
1184917-3 2-Critical   On rSeries, the MAC masquerade feature is only supported on BIG-IP tenants 15.1.6 and later
1168573 2-Critical   Tenants failing to come up with error address already in use
1156125 2-Critical   Tenant status shows error "Liveness probe failed:" in ConfD after reboot
1155549 2-Critical   iavf/i40evf reset triggers kernel bug at drivers/pci/msi.c:357
1144401 2-Critical   F5OS-A kubectl/docker related information missing in qkview
1110217-2 2-Critical BT1110217 System controller is not responding when the disk is out of space
1109525-1 2-Critical   K3s cluster is unhealthy when the system date or time is changed
1188141 3-Major   Tenant launch gets stuck due to un-initialization of VFs under one or more PF
1188101 3-Major   Incorrect LCD-UI after upgrade to 1.3.1
1185557-2 3-Major   Upgrading to F5OS-A v1.3.1 requires increasing the minimum tenant Virtual Disk Size to 77GB from 76GB of to allow editing of existing tenants in the webUI
1166905 3-Major   Port speed is configurable from restconf for data port interfaces on Appliance devices.
1153989-2 3-Major BT1153989 SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown
1136557 3-Major   F5OS config restore fails if mismatch occurred in configuration file
1135109 3-Major   AAA server group name and type are not displayed on ConfD
1132473 3-Major   VELOS shows in the wording for "show services service " table on rSeries
1120945 3-Major   Downgrade to 1.0.1 failed with tenant configuration
1110181 3-Major   Downgrade from F5OS-A 1.3.0 or later to any release before F5OS-A 1.3.0 with tenants having more than one service can cause redirects
1084153 3-Major   Tenant deployment will fail when we move tenant (deployed with max vCPU) from provisioned to deployed
1083921 3-Major   VLAN name change is not allowed once a tenant is launched
1080437 3-Major   VerifyDmesg test failure
1062129 3-Major   Tenants are in pending state forever.

 

Known Issue details for F5OS-A v1.3.x

1188141 : Tenant launch gets stuck due to un-initialization of VFs under one or more PF

Component: F5OS-A

Symptoms:
On r2x00/r4x00 based systems, tenant launch gets stuck with an error in ConfD tenant status leaf:

"error adding container to network \"sriov-net3-tenant1\": SRIOV-CNI failed to load netconf: LoadConf(): failed to get VF information: \"lstat /sys/bus/pci/devices/0000:ec:00.7/physfn/net: no such file or directory"

The VFs(aka, SR-IOV Based Virtual Functions) were not seen under a PF(aka, SR-IOV based Physical Function) when run following the command.

Command: `ip link show <PF>`
PF can be, `x557_1`, `x557_2`, `x557_3`, `x557_4`, `sfp_5`, `sfp_6`, `sfp_7`, `sfp_8`.


For example, the faulty PF(x557_4 in this case) has no VFs listed compared to the healthy PF(x557_1 in this case),

# ip link show x557_4
18: x557_4: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
    link/ether 14:a9:d0:01:56:8a brd ff:ff:ff:ff:ff:ff
# ip link show x557_1
15: x557_1: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
    link/ether 14:a9:d0:01:56:87 brd ff:ff:ff:ff:ff:ff
    vf 2 MAC 00:00:00:00:11:02, spoof checking on, link-state auto, trust off
    vf 2 MAC 00:00:00:00:11:02, spoof checking on, link-state auto, trust off
    vf 2 MAC 00:00:00:00:11:02, spoof checking on, link-state auto, trust off
    vf 2 MAC 00:00:00:00:11:02, spoof checking on, link-state auto, trust off

Conditions:
On r4x00 or r2x00 based systems:

1. ConfD tenant status leaf reports "LoadConf(): failed to get VF information".
2. The VFs were not created under one or more PFs.
3. One of the files from "x557_1", "x557_2", "x557_3", "x557_4", "sfp_5", "sfp_6", "sfp_7", "sfp_8" missed from "/sys/class/net" directory.

For suppose when x557_4 is a faulty PF(aka, SR-IOV based Physical Function), then `/sys/class/net` shouldn't list x557_4 in its directory.
[root@appliance-1 ~]# ls /sys/class/net/x557_4
ls: cannot access /sys/class/net/x557_4: No such file or directory
[root@appliance-1 ~]#

Impact:
Tenant launch will be unsuccessful and is not able to connect to the tenant console or over tenant's management connection.

Workaround:
Workaround #1
===============
1. Move the tenant(s)' running-state in ConfD to provisioned.
2. Run "/usr/omd/scripts/config_ice_vfs.sh" script when "/sys/class/net" starts to show missing PF from the list above.
3. Run "kubectl rollout restart daemonset kube-sriov-device-plugin-amd64 -n kube-system".
4. Move the tenant(s)' running-state in ConfD to deployed.

Workaround #2 (only when second step takes too long)
==================================================
1. From second step in Workaround #1, if the PF wasn't detected in "/sys/class/net" even after a 20 minute duration, reboot the host to trigger the device probing.


1188101 : Incorrect LCD-UI after upgrade to 1.3.1

Component: F5OS-A

Symptoms:
An upgrade to F5OS-A 1.3.1 entails LCD-UI upgrade. This is not reflected correctly in platform inventory where the version displayed is the one before LCD-UI upgrade.

Conditions:
The issue is seen when AFU triggers LCD-UI upgrade. No issue when LCD-UI is not upgraded.

Impact:
LCD-UI is upgraded successfully to the desired version but the version displayed as part of platform inventory ("show components component properties property") is not correct.

Workaround:
The next reboot will update platform inventory with the correct LCD-UI firmware version.


1185557-2 : Upgrading to F5OS-A v1.3.1 requires increasing the minimum tenant Virtual Disk Size to 77GB from 76GB of to allow editing of existing tenants in the webUI

Component: F5OS-A

Symptoms:
After upgrading to F5OS-A v1.3.1 from an earlier version, when you attempt to edit the attributes and parameters of an existing tenant, the Save button on the screen will not become selectable.

Conditions:
Applies to upgrading from an earlier F5OS-A version to F5OS-A v1.3.1 and preexisting configured, provisioned, or deployed tenants are present.

Impact:
If the Virtual Disk Size for any of the preexisting tenants is not increased to a minimum Virtual Disk Size of 77GB you will be unable to edit and save the tenant configuration via the webUI.

Workaround:
Increase the minimum tenant Virtual Disk Size to 77GB on the Add/Edit Tenant screen in addition to any other configuration elements and the Save button will become enabled. Alternatively, tenants can be edited via the CLI interface.


1184917-3 : On rSeries, the MAC masquerade feature is only supported on BIG-IP tenants 15.1.6 and later

Component: F5OS-A

Symptoms:
The MAC masquerade feature is only supported on BIG-IP tenant versions 15.1.6 and later. Using the feature in an HA pair can cause traffic to fail over incorrectly between the pair.

Conditions:
MAC masquerade is used on rSeries with BIG-IP tenant versions other than 15.1.6 and later.

Impact:
Traffic may be degraded on a failover between an HA pair.

Workaround:
Upgrade BIG-IP tenant version to 15.1.6 or later.


1168573 : Tenants failing to come up with error address already in use

Component: F5OS-A

Symptoms:
rSeries tenants fail to come up with an error address already in use when tenants are deployed, without waiting for the system to complete the downgrade process from 1.3.0 to 1.2.0.

Conditions:
rSeries appliance takes up to 8 minutes to properly downgrade from 1.3.0 to 1.2.0.

The user will observe this issue if they deployed the tenant before the downgrade procedure.

Impact:
Tenants will land in an error state (address already in use) and cannot be recovered unless the system is rebooted.

Workaround:
User should wait at least 8 minutes for the downgrade to complete before deploying the tenants.


1166905 : Port speed is configurable from restconf for data port interfaces on Appliance devices.

Component: F5OS-A

Symptoms:
User can set port speed for data ports using restconf.
This is applicable for only Appliance devices.

Conditions:
This is user configuration, and restconf access is required to configure the system.

Impact:
There is no impact, but the user is not advised to configure port speed as it is internal to the system.

Workaround:
N/A


1156125 : Tenant status shows error "Liveness probe failed:" in ConfD after reboot

Component: F5OS-A

Symptoms:
Some unhealthy events intermittently occur that are related to "Liveness probe failed:" inside ConfD. But the tenant is actually healthy and functional.

Conditions:
Intermittently on system reboots. Tenant status might show failed messages in ConfD.

Impact:
No impact, tenant is actually healthy and functional.

Workaround:
None


1155549 : iavf/i40evf reset triggers kernel bug at drivers/pci/msi.c:357

Component: F5OS-A

Symptoms:
vmcore-dmesg.txt core will be generated and available in /var/crash with following trace:

[ 3686.956609] [<ffffffff8ae10435>] pci_disable_msix+0x35/0x40
[ 3686.990468] [<ffffffffc0862323>] iavf_reset_interrupt_capability+0x23/0x40 [iavf]
[ 3687.035753] [<ffffffffc0862ff7>] iavf_remove+0x147/0x350 [iavf]
[ 3687.071682] [<ffffffff8adf076e>] pci_device_remove+0x3e/0xd0
[ 3687.106053] [<ffffffff8aed6b12>] __device_release_driver+0x82/0x110
[ 3687.144063] [<ffffffff8aed6bc3>] device_release_driver+0x23/0x30
[ 3687.180512] [<ffffffff8ade7ac4>] pci_stop_bus_device+0x84/0xa0

Conditions:
On shutdown, disabling already disabled iavf device.

Impact:
There is no impact.

Workaround:
N/A


1153989-2 : SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown

Links to More Info: BT1153989

Component: F5OS-A

Symptoms:
If a virtual server has an iRule performing SSL payload processing in CLIENTSSL_DATA, TMM fails to process or forward an ingress TCP FIN from a client, leaving the connection in a zombie state until it eventually idles out.

Conditions:
The issue occurs only when SSL::collect is used in CLIENTSSL_DATA

   when CLIENTSSL_DATA {
        log local0. "."
        SSL::release
        SSL::collect
    }

Impact:
Unexpected growth in the number of connections idling on a virtual server leads to memory pressure.

Workaround:
None.


1144401 : F5OS-A kubectl/docker related information missing in qkview

Component: F5OS-A

Symptoms:
Kubectl/docker information on the system is not collected as part of qkview.

Conditions:
Kubectl/docker information on the system is missed in qkview whenever qkview is triggered on the system.

Impact:
Kubectl/docker information on the system is not collected as part of qkview.

Workaround:
No workaround.


1136557 : F5OS config restore fails if mismatch occurred in configuration file

Component: F5OS-A

Symptoms:
Mismatches in the backup file will contract with existing configuration and files with admin access denied error.

Conditions:
If the mismatch occurs in the configuration file.

Impact:
Configuration restore fails.

Workaround:
N/A


1135109 : AAA server group name and type are not displayed on ConfD

Component: F5OS-A

Symptoms:
When a server group is created on an appliance, "show system aaa server-groups" does not display the name and type of the server group.

Conditions:
When a AAA server group is created (LDAP/RADIUS/TACACS).

Impact:
appliance-1# show system aaa server-groups
NAME NAME TYPE
------------------------
ldap-group - - ----> Name and type are not displayed

Workaround:
N/A


1132473 : VELOS shows in the wording for "show services service " table on rSeries

Component: F5OS-A

Symptoms:
When the user runs "show services service" on rSeries:

appliance-1# show services service
Possible completions:
  9 Service id is unique and generated by Network Manager
  displaylevel Depth to show
  | Output modifiers
  <cr>
Possible match completions:
  ipv6-prefix-length Networking mask used by disaggregator algorithms
  tenant_name Tenant name associated with each Service
  tier1_dag_profile sDAG on VELOS <--
  tier2_dag_profile eDAG on VELOS <--

You can see "VELOS" in the description; this text is incorrect. It should either say "rSeries" or no platform at all.

Conditions:
Run "show service service".

Impact:
No functional impact.

Workaround:
N/A


1120945 : Downgrade to 1.0.1 failed with tenant configuration

Component: F5OS-A

Symptoms:
When an appliance system has tenants configured already, attempting to downgrade to version 1.0.1 fails, and the appliance will not become operational.

Conditions:
During the downgrade process, the system goes for a reboot and attempts to come up in 1.0.1 release. During this bring-up process, the tenant configuration validation fails, which causes the system to fail to become operational.

Impact:
Downgrade to 1.0.1 is not possible if tenants are already configured.

Workaround:
Remove all tenants and then perform the downgrade to 1.0.1.


1110217-2 : System controller is not responding when the disk is out of space

Links to More Info: BT1110217

Component: F5OS-A

Symptoms:
System becomes unresponsive when the disk runs out of space. This could happen when multiple qkview logs are generated and stored on the disk.

Conditions:
When the disk runs out of space, some of the applications either stop or restart. If the application restarts, it does so improperly.

Impact:
The controller on which the disk has run out of space will not come up properly. A controller restart is required.

Workaround:
Clean up the unwanted files from the disk and trigger the controller reboot with the below options.

Recovery options
1. Restarting all containers from the affected controller using "systemctl restart platform-services-deployment.service"

2. Use the CLI of another controller and reboot the standby controller using the API "system reboot controllers controller standby" command


1110181 : Downgrade from F5OS-A 1.3.0 or later to any release before F5OS-A 1.3.0 with tenants having more than one service can cause redirects

Component: F5OS-A

Symptoms:
From F5OS-A 1.3.0 or later releases have new DAG capability to enable "dag-adjust" and "ipv6-prefix-length" settings in combination with BIG-IP tenant version 15.1.8 and later.

If we downgrade F5OS-A 1.3.0 or later to older releases before F5OS-A 1.3.0 and have a BIG-IP tenant software version 15.1.8 or later, the platform creates duplicate service entries. Due to a mismatch in the DAG profile in the platform and tenant, there will be packet redirects.

Conditions:
Downgrading F5OS-A 1.3.0 or later to any older release before F5OS-1.3.0 with BIG-IP tenant software version 15.1.8 or later.

Impact:
Performance degrade due to packet redirects.

Workaround:
Workaround steps:
1. Backup the tenant's configuration that experienced this issue -> https://support.f5.com/csp/article/K13132
2. Copy the configuration off the tenant to some other host
3. Take note of the affected tenant's partition configuration -> show running-config tenants tenant <name>
4. Delete the affected tenant in the partition
5. Recreate the tenant with the same configuration noted in step #3
6. Copy the tenant config backup taken in step #1 back to the tenant and reload the configuration


1109525-1 : K3s cluster is unhealthy when the system date or time is changed

Component: F5OS-A

Symptoms:
When the system date is changed, some of the k3s cluster certificates becomes invalid, and pods enter into an unknown/non-operational state.

Once the system date and time are made current, most pods will be recovered.

Some of the virt-controller/virt-operator/virt-api kubevirt pods are in a failed state but tenant functionality is not affected.

Conditions:
System date and time is changed back and forth.

Impact:
Some of the k3s pods go into a failed/non-operational state.

Workaround:
Re-spinning the certificates will restore the pods.
Delete the pods to trigger a re-spin of certificates that are in a terminating or crashed state.
The orchestration manager will start the pod with a new certificate.

Command to delete the pod:

#kubectl delete pod <pod-name> -n <name-space>


1084153 : Tenant deployment will fail when we move tenant (deployed with max vCPU) from provisioned to deployed

Component: F5OS-A

Symptoms:
Tenant deployment will fail when moved (deployed with max vCPU) from provisioned to deployed while the old resources are still terminating in the system.

Conditions:
When the same tenant is redeployed immediately, the appliance cannot allocate resources as the old resources were not released to the system yet. This issue is observed only on r2k/r4k but not on r5k/r10k.

Impact:
Tenant deployment will be stuck in a pending state forever.

Workaround:
Move the tenant to provisioned state and wait for the tenant resources to terminate completely in the system and then move it to a deployed state.


1083921 : VLAN name change is not allowed once a tenant is launched

Component: F5OS-A

Symptoms:
When you change the VLAN name on a rseries (R2x00 or R4x00) Appliance, the BIG-IP tenant does not honor the name change.

Conditions:
-- One or more tenants are running on a rSeries (R4x00 or R2x00) platform.
-- A VLAN name is changed for a VLAN that is in use by a running tenant.

Impact:
Changing the VLAN name after a tenant is launched and reassigning that VLAN removes the interface in TMM.

Workaround:
Set the VLAN name to the initial name that the tenant used when it was launched. Or, if you need to change the name of the VLAN, delete the tenant and redeploy.


1080437 : VerifyDmesg test failure

Component: F5OS-A

Symptoms:
An error message is seen as dmesg output:

Failed to allocate irq -2147483648: -107

Conditions:
The error message is seen sometimes when restarting/rebooting device is complete.

Impact:
The error message does not impact any functionality as after the allocation of irq for SMBUS is failed, it would switch to polling mode.

Workaround:
NA


1062129 : Tenants are in pending state forever.

Component: F5OS-A

Symptoms:
Tenants never enter into running state.

Conditions:
If a tenant request contains more vCPUs greater than available vCPUs on the system.

Impact:
-- Tenants go into pending state forever.
 -- Empty CPUs are listed under tenants state in confd.

Workaround:
Always follow defined product License capability to configure vCPUs for a tenant.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************