Applies To: F5OS-A 1.3.2
F5OS-A Release Information
Version: 1.3.2
Build: 13054
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Functional Change Fixes
None
F5OS-A Fixes
ID Number | Severity | Links to More Info | Description
1204481-1 | 2-Critical | | System may flap external links multiple times during startup or links may fail to come up at all
1196085-1 | 2-Critical | | Disabling and re-enabling a port on rSeries can leave the port in a DOWN state
1196073-1 | 2-Critical | | Front panel port initialization failures can leave a port permanently DOWN
1226429-3 | 3-Major | | Log messages in /var/log/message
1186105-1 | 3-Major | | rSeries logs multiple UP/DOWN link transitions during system start up.
1186101-1 | 3-Major | | Front panel interfaces are not disabled on system reboot
Cumulative fixes from F5OS-A v1.3.1 that are included in this release
Functional Change Fixes
None
F5OS-A Fixes
ID Number | Severity | Links to More Info | Description
1185369-1 | 1-Blocking | | F5OS rSeries appliances will not launch tenants after upgrade to F5OS-A 1.3.0
1190969-1 | 2-Critical | | Memory leak in system-image-agent service
Cumulative fixes from F5OS-A v1.3.0 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description
1096885-1 | CVE-2023-22657 | | Tenant image filename with special characters allowed to import, but tenant deployment fails
1075693-1 | CVE-2021-22543 | K01217337 | CVE-2021-22543 Linux Kernel Vulnerability
Functional Change Fixes
ID Number | Severity | Links to More Info | Description
1144177-1 | 3-Major | | CLI idle-time is not persistently configurable
1122593-1 | 3-Major | | No options to control system power via LCD menu
1122081 | 3-Major | BT1122081 | BIG-IP tenants created before F5OS-C 1.5.1 or F5OS-A 1.3.0 may be allocated a smaller disk than required
F5OS-A Fixes
ID Number | Severity | Links to More Info | Description
1173853 | 1-Blocking | BT1173853 | Packet loss caused by failure of internal hardware bus
1169193 | 1-Blocking | | Unable to move tenants to provisioned or configured state with storage size specified as 76 in 1.2.0 after upgrading from 1.2.0 to 1.3.0
1141801 | 1-Blocking | | F5OS-A Intel CPU vulnerability CVE-2021-33060
1135125 | 1-Blocking | | Reading data from wrong socket leads to LACPD restart.
1123685 | 1-Blocking | | Occasionally Selinux modules are getting corrupted when the system reboots
1121889-2 | 1-Blocking | | ConfD encryption key can lock up the TPM module
1117277-2 | 1-Blocking | | Occasional issue observed when tenant deployed on r2xxx/r4xxx series
1117237-2 | 1-Blocking | | FPGA bit files are not updated to the latest version after a live upgrade
1112141-2 | 1-Blocking | | 10G/25G/40G burst support in rSeries appliance
1169341-1 | 2-Critical | BT1169341 | Using MAC Masquerade in a BIG-IP tenant causes traffic issues when re-deploying the tenant
1166277 | 2-Critical | | System downgrade is not possible with tenants in deployed state.
1162609 | 2-Critical | | F5 r2600/r2800/r4600/r4800 devices unable to establish LACP link or send LLDP to some switches
1145753 | 2-Critical | | QKView obfuscation step can cause excessive disk usage
1141577 | 2-Critical | | WebUI crashes when a new SSL/TLS private key is generated
1137121 | 2-Critical | | Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0
1136361 | 2-Critical | | RJ45 interface links once at 1G
1136213 | 2-Critical | | Network Manager crashes while processing an L2 Listener Request on R2x00 or R4x00
1135849-1 | 2-Critical | | telemetry.db grew to 50G and caused error "database disk image is malformed"
1135661-2 | 2-Critical | | Ability to configure LDAP chase-referrals option
1135233-1 | 2-Critical | BT1135233 | Updating LDAP configuration on Auth Settings screen on the webUI fails to preserve the existing bind password
1134737 | 2-Critical | | CVE-2021-42740 - The shell-quote package before 1.7.3 for Node.js allows command injection
1134729 | 2-Critical | | CVE-2022-0686 - Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8
1134725 | 2-Critical | | CVE-2020-15256 - Prototype pollution vulnerability found in `object-path` <= 0.11.4
1134721 | 2-Critical | | CVE-2021-44906 - Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js
1134717 | 2-Critical | | CVE-2021-23436 - Package immer before 9.0.6. has a type confusion issue
1134705 | 2-Critical | | CVE-2021-26707 - The merge-deep library before 3.0.3 for Node.js can be tricked
1134701 | 2-Critical | | CVE-2022-0691 - Authorization Bypass Through User-Controlled Key in NPM url-parse
1134685 | 2-Critical | | CVE-2022-1650 - Exposure of Sensitive Information to an Unauthorized Actor in GitHub...
1134681 | 2-Critical | | CVE-2021-3757 - immer is vulnerable to Improperly Controlled Modification of Object Prototype...
1134677 | 2-Critical | | CVE-2021-42581 - ** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier
1134673 | 2-Critical | | CVE-2021-3918 - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype...
1132733-1 | 2-Critical | BT1132733 | LDAP config tried to configure blank bind password
1131993 | 2-Critical | | Not able to set severity from CLI/webUI for some services.
1125761 | 2-Critical | | appliance-orch-manager coredump
1117649-2 | 2-Critical | | rSeries Appliance inoperable after powering down from Linux while configured for Appliance mode
1117621-2 | 2-Critical | | After an appliance upgrade from 1.0.1 to 1.1.1, a tenant in Provisioned state may show inconsistent CLI status★
1117461 | 2-Critical | | CVE-2021-3538 satori/go.uuid: predictable UUIDs generated via insecure randomness
1116869-1 | 2-Critical | BT1116869 | Tcpdump on F5OS does not capture packets of certain sizes
1116185-1 | 2-Critical | | Removing multiple images simultaneously from the webUI causes an error
1114485-1 | 2-Critical | | K3s cluster goes to unhealthy state when system is rebooted after changing hostname.
1111549-1 | 2-Critical | BT1111549 | System import functionality is unstable if PXE install source is not imported★
1109021-2 | 2-Critical | BT1109021 | CLI commands are not logged in audit.log
1108509 | 2-Critical | | Unable to fetch appliance fan speed using SNMP
1105001-1 | 2-Critical | BT1105001 | Large tar/gz/iso file download via the restconf API fails.
1101237-1 | 2-Critical | | When configured for SNMP, the system does not properly report a sysObjectID for the F5OS system
1099437-1 | 2-Critical | | Nic-manager core file
1099197 | 2-Critical | | Packet loss caused by failure of internal hardware bus
1090753 | 2-Critical | | NSO and ASW XBAR packet drops on 10G, 25G, and 40G interfaces.
1090521 | 2-Critical | BT1090521 | Tenant deployment may fail if the memory configured is an odd number.
1090089 | 2-Critical | | NTP service does not work on rSeries appliances
1088565-1 | 2-Critical | BT1088565 | Various services may stop working on a system controller if the LCD is malfunctioning
1085925-1 | 2-Critical | | SSH connection cannot be allowed/blocked based on source IP address
1072209-3 | 2-Critical | BT1072209 | Packets are dropped on VELOS when a masquerade MAC is on a shared VLAN
1068517-2 | 2-Critical | BT1068517 | VLAN connectivity among F5OS tenants is lost
1055329-2 | 2-Critical | BT1055329 | VLAN shared between two tenants might not pass traffic to tenant with non-default CMP hash.
945537-2 | 3-Major | BT945537 | STP Validation for forward-delay, max-age, and hello-time fields
1166201-1 | 3-Major | | Opensource Updates
1154129 | 3-Major | | Missing port-speed option for management interface on Appliance
1145841 | 3-Major | | WebUI fails to delete an LACP LAG that does not have the corresponding LACP interface
1143769 | 3-Major | | Updating LDAP configuration on Auth Settings screen on the webUI having no TLS key updates it to empty string.
1141753 | 3-Major | | User manager containers should not mount /var/log/tally as /tmp
1141593 | 3-Major | | tmstat-merged log messages for invalid argument
1137725 | 3-Major | | nslcd start/run script may fail or log alarming messages
1137669 | 3-Major | BT1137669 | Potential mis-forwarding of packets caused by stale internal hardware acceleration configuration
1137309 | 3-Major | | NSLCD does not restart if it dies or exits
1136829-1 | 3-Major | BT1136829 | Blank server error popup appears over unauthorized popup for operator user
1136777 | 3-Major | | Monitoring agent service is missing telemetry inputs after its restart
1135865 | 3-Major | | Remotely authenticated user who is a member of multiple roles that include invalid roles is not allowed to log in
1135861 | 3-Major | | Remote user with no valid role is allowed to log in.
1135281-1 | 3-Major | BT1135281 | Blank LDAP tls_key causes error
1134733 | 3-Major | | CVE-2021-37701 - Vulnerability in the npm package "tar" (aka node-tar)
1134713 | 3-Major | | CVE-2020-7660 - arbitrary code injection in serialize-javascript prior to 3.1.0
1134709 | 3-Major | | CVE-2021-23434 - A type confusion vulnerability in object-path before 0.11.6.
1134697 | 3-Major | | CVE-2018-19827 - In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr Class
1134693 | 3-Major | | CVE-2021-32804 - Insufficient path sanitization in node-tar
1134689 | 3-Major | | CVE-2021-37713 - node-tar file creation/overwrite vulnerability
1134669 | 3-Major | | CVE-2021-32803 - node-tar uses insufficient symlink protection
1134665 | 3-Major | | CVE-2018-11698 - An out-of-bounds discovered in LibSass through 3.5.4.
1134649 | 3-Major | | CVE-2021-37712 - node-tar file creation/overwrite vulnerability
1134633 | 3-Major | | CVE-2018-11694 - A NULL pointer dereference issue in LibSass through 3.5.4.
1134289 | 3-Major | | Diagnostic Controller Panic messages getting logged in platform.log at startup
1134141 | 3-Major | | Uploading qkview to iHealth may fail on long iHealth user names
1134033 | 3-Major | | Continuous Diagnostic Controller Event Queue errors are printed in platform.log
1132973 | 3-Major | | Live upgrade to F5OS-A-1.3.0 will not work if STP is not configured correctly.
1132617 | 3-Major | | WS-2021-0200 - DoS in YAML from versions v2.2.0 to v2.2.2
1125349-1 | 3-Major | BT1125349 | Changing the root password in appliance mode is unlocking root account
1123329 | 3-Major | | Tagged LLDP PDUs (VLAN ID 1) are sent on appliance devices.
1117577 | 3-Major | | Management interface is not accessible if core system daemons are not running
1117417-2 | 3-Major | | Database config restore failed on rSeries appliance
1114437 | 3-Major | | Ambiguous error message when user configures duplicate IP port combination
1114369 | 3-Major | | Error log "Failed to execute iptable cmd: ," getting generated when trying to add same port to allow list
1114173 | 3-Major | | LOP Controller RX error: unknown
1112533-1 | 3-Major | | Status LED color always stays amber
1112229-1 | 3-Major | | File download API changes to support file download from the webUI
1111533 | 3-Major | | PSU status undeterminable under "show system events" output
1111237-1 | 3-Major | BT1111237 | Logrotate parameters do not get updated by software upgrade
1110429-1 | 3-Major | BT1110429 | Duplicate service-instance entries in chassis partition
1109029-1 | 3-Major | | Host Logs in F5OS-A not being rotated
1106881-3 | 3-Major | BT1106881 | F5OS with an AFM license provisioned may provide incorrect AFM stats to a BIG-IP tenant
1104569 | 3-Major | | On upgrading, the correct webUI changes are not reflected
1104541 | 3-Major | | MIBs directory content is not accessible
1103001 | 3-Major | | Tenants fail to come up after a live upgrade from pre-1.1.0 version to 1.1.0 on the r4xxx appliances★
1101365 | 3-Major | | Delay in tenant deployment with tenant image corruption error
1100305-2 | 3-Major | | Tcpdump capture of packets with interface-based filtering fails on r5000 and r10000 appliances
1099469 | 3-Major | | Control plane starvation on a fully loaded rSeries system
1097925-1 | 3-Major | | Resolving CVEs on F5OS-A 1.1.0
1097833 | 3-Major | BT1097833 | Debug messages logged in platform.log
1092049 | 3-Major | | CVE-2020-7774 - The package y18n before 3.2.2, 4.0.1 and 5.0.5, allows unsafe operations.
1091641-2 | 3-Major | BT1091641 | NTP (chrony) packet authentication is not fully implemented on VELOS
1090145-1 | 3-Major | BT1090145 | VLAN-Listener incorrectly updated on Network Manager component restart
1089721 | 3-Major | | Prefix length support to allow multiple IP addresses
1086749-1 | 3-Major | | Interface speeds are not reported correctly when linked at a slower speed
1085149-1 | 3-Major | | Customer requires auth token session to be configurable
1084817-3 | 3-Major | BT1084817 | Container api-svc-gateway crashes due to certificate issues partition database
1083993-1 | 3-Major | BT1083993 | File import should check that the target doesn't exist
1083077-1 | 3-Major | | LACP trunks are not configured automatically in BIG-IP tenant running on F5OS chassis/appliances
1082513 | 3-Major | | LACP waitOnAlertFd Errors
1077149-1 | 3-Major | | The fpga-tables CLI command results in syntax error in configuration mode
1075361-1 | 3-Major | | Messages log has a very high number of "error" and "fail" entries
1074093 | 3-Major | | Admin console is displayed when SSH login with a new root user★
1074001 | 3-Major | | service:overall-health attribute reports OK when the service state is unhealthy
1073581-2 | 3-Major | BT1073581 | Removing a 'patch' version of services might remove the associated 'base' version as well
1062765-1 | 3-Major | | Tenant Status shows error "Insufficient f5.com/qat"
1062309-1 | 3-Major | | "Failed unmounting" errors during shutdown.
1056453-1 | 3-Major | | Tenant datapath will not work if the tenant is named "stpd".
1053793-1 | 3-Major | | QKView list and status results are difficult to parse
1040461-3 | 3-Major | BT1040461 | Permissions of some QKView control files do not follow standards
1137889-1 | 4-Minor | BT1137889 | CLI "show interfaces summary" command doesn't provide a summary
1134957 | 4-Minor | | ldapsearch not available to use on F5OS devices
1134625-1 | 4-Minor | BT1134625 | webUI session timeout popup referring to browser time instead of server time
1132745 | 4-Minor | | Improve user readability during file upload on partition or controller
1116169 | 4-Minor | | WebUI does not inform users that file transfer status may take some time to return depending on various factors like network speed
1104745-1 | 4-Minor | | Request for a webUI option to clear/reset the STP mode configuration
1102137-2 | 4-Minor | | Diagnostics ihealth upload qkview-file does not auto-complete with available qkview file names
1137361 | 5-Cosmetic | | Enabling LDAP may produce a log message with the usage help for the kill command
Cumulative fix details for F5OS-A v1.3.2 that are included in this release
945537-2 : STP Validation for forward-delay, max-age, and hello-time fields
Links to More Info: BT945537
Component: F5OS-A
Symptoms:
One or more forwarding-delay, max-age, or hello-time fields are configured and are not mirrored as operational data, or
One or more forwarding-delay, max-age, or hello-time fields are configured, and the configuration is not reflected in the spanning-tree BPDUs.
Conditions:
When configuring STP, use this formula for the forwarding-delay, max-age, and hello-time fields for STP, RSTP, and MSTP configurations:
2 * (hello-time + 1) <= max-age && max-age <= 2 * (forwarding-delay - 1)
Impact:
Any configuration that does not match the expected formula will not propagate to spanning tree BPDUs.
Workaround:
Configure the forward-delay, max-age, and hello-time fields using this formula:
2 * (hello-time + 1) <= max-age && max-age <= 2 * (forwarding-delay - 1)
Fix:
Fixed an issue where a user could configure the forward-delay, max-age, and hello-time fields for STP so that the expected formula was not met. Entering an invalid configuration displays an error.
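As an added illustration (not code from the release note or from F5OS), the check below encodes the timer relationship above as a validator that reports which bound is broken, which is the behaviour the fix describes for an invalid configuration. The function names, the key names and the `DEFAULT_TIMERS` sample (the IEEE 802.1D default values, used here only as constructed input) are assumptions of this example.

```python
"""Validator for the STP timer relationship quoted in the 945537-2 entry (added example)."""

# Constructed sample input: the IEEE 802.1D default timers, in seconds.
DEFAULT_TIMERS = {"hello_time": 2, "max_age": 20, "forward_delay": 15}


def stp_timer_violations(hello_time, max_age, forward_delay):
    """Return a list describing each bound the timers violate (empty list = valid).

    Encodes the relationship from the release note:
        2 * (hello_time + 1) <= max_age <= 2 * (forward_delay - 1)
    Both bounds are inclusive, so a configuration sitting exactly on a bound passes.
    """
    lower = 2 * (hello_time + 1)
    upper = 2 * (forward_delay - 1)
    violations = []
    if max_age < lower:
        violations.append(
            f"max-age {max_age} < 2 * (hello-time {hello_time} + 1) = {lower}"
        )
    if max_age > upper:
        violations.append(
            f"max-age {max_age} > 2 * (forward-delay {forward_delay} - 1) = {upper}"
        )
    return violations


def stp_config_error(timers):
    """Return None when the timers are acceptable, otherwise the error text a CLI would display."""
    problems = stp_timer_violations(
        timers["hello_time"], timers["max_age"], timers["forward_delay"]
    )
    if not problems:
        return None
    return "invalid STP timers: " + "; ".join(problems)


if __name__ == "__main__":
    print(stp_config_error(DEFAULT_TIMERS))
    print(stp_config_error({"hello_time": 10, "max_age": 6, "forward_delay": 30}))
```

The message names the specific bound that failed, which is what an operator needs when the BPDUs do not reflect the configured timers: the note's symptom is silent non-propagation, and the fix replaces it with an explicit rejection.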
1226429-3 : Log messages in /var/log/message
Component: F5OS-A
Symptoms:
When the snmpget operation is performed on IF-MIB, the message "DEBUG cannot reply twice on the same call" appears in /var/log/message. The cause is that DEBUG logging is enabled in one of the service containers, so this DEBUG message is written to /var/log/message.
Conditions:
One of the reproduction steps is to perform the snmpget operation on IF-MIB.
Impact:
No known impact on the functionality. They are DEBUG messages only.
Workaround:
No workaround. The debug messages stop when the snmpget operation is completed.
Fix:
Removed unwanted debug enable from the service container.
1204481-1 : System may flap external links multiple times during startup or links may fail to come up at all
Component: F5OS-A
Symptoms:
When the system boots up, the interfaces may flap (go up and down) several times in quick succession before coming up and stabilizing.
In some cases, the interfaces fail to come up at all.
If a peer switch is configured to detect excessive link flaps, it may put the port in an err-disable state and prevent the link from coming up.
Conditions:
-- r5000 or r10000 Series appliance
Impact:
If the peer switch triggers a link-flap detection feature, the ports may remain offline until an administrator manually recovers the port on that switch.
Workaround:
There is no workaround for this issue on the rSeries appliance.
An administrator can mitigate this issue by doing one of the following:
- configuring the peer switch to automatically try to recover ports that are disabled for excessive link flapping
- increasing the number of link flaps required in a certain interval before the port is put in a disabled state
Fix:
Disable sending of remote-fault signaling to peer device while the system is booting up.
1196085-1 : Disabling and re-enabling a port on rSeries can leave the port in a DOWN state
Component: F5OS-A
Symptoms:
Disabling a port and then re-enabling it can result in the port staying DOWN.
Conditions:
Port Disable followed by Port Enable. The condition is aggravated when the port "enable" follows the "disable" too quickly, for example an "enable" within 15 seconds of the "disable".
Impact:
Port stays DOWN and traffic is impacted.
Workaround:
There is no guaranteed workaround.
Sometimes disabling/re-enabling the port on the other side will bring the port back up.
Also, waiting 30-45 seconds before re-enabling the port minimizes the risk of this issue occurring.
Fix:
Improve port "disable" such that subsequent port "enable" does not leave the port DOWN.
1196073-1 : Front panel port initialization failures can leave a port permanently DOWN
Component: F5OS-A
Symptoms:
Failure of port initialization during system start-up or as a result of port re-initialization (port disable/enable).
Conditions:
Front panel port being initialized.
Impact:
Link stays DOWN and traffic is disrupted.
Workaround:
1) Disable then enable the link on the rSeries device.
2) Disable then enable the link on the peer device.
Fix:
Correct error handling of port initialization failures.
1190969-1 : Memory leak in system-image-agent service
Component: F5OS-A
Symptoms:
Memory usage by system-image-agent on the rSeries host F5OS-A operating system is sometimes higher than expected.
When larger than approximately 2GB (r2xxx/r4xxx) or 4GB (other rSeries), this may create enough memory pressure to affect scheduling of tenant vCPU, causing various tenant symptoms that indicate lower performance. These may include (list is not exhaustive):
- dropping sporadic packets
- tmm reporting clock advanced in /var/log/ltm logs
- cores of tenant daemons
- unexpected restart of tenants
- restart of F5OS-A processes
- sluggish manageability of tenant or rSeries host
When the hypervisor layer is nearly out of memory, the Linux kernel may trigger the out-of-memory killer which may terminate processes, including those that are tenants. If this happens then OOM-killer logs showing ImageAgent with high RSS (~500,000 or more) will be present in host QKView logs in:
Files > Log > messages logs in iHealth view of rSeries host qkview
qkview/subpackages/host-qkview/qkview/filesystem/var/log/messages
For example:
kernel: xxxx invoked oom-killer: ...
kernel: [ pid ] uid tgid total_vm rss nr_ptes swapents oom_score_adj name
kernel: [ 4321] 0 4321 696934 512846 1111 126261 0 ImageAgent
This indicates ImageAgent uses 512846 4KB pages in resident memory and 126216 4KB pages of swap (so approximately 2GB of resident and 0.5GB of swap). If not leaking, it should be very small.
Conditions:
When system-image-agent service is idle, there is a periodic memory leak. Rate of leak increases with the repeated image management related operations.
Impact:
Poor performance or unstable tenants: possible restarts, including of host rSeries.
Workaround:
While there is no workaround, the issue can be mitigated. If the leaking ImageAgent process can be restarted before it gets too big, it should be possible to avoid symptoms. It is best to restart it before it reaches 1GB in resident memory use (RES or RSS, depending on utility).
On iHealth you can view this in a host QKView under Commands, open system_image_agent folder and click on top. Look at the value under RES column for a row with command of /confd/bin/ImageAgent
Restarting the process should not affect traffic service.
To restart the system image agent, log into the host rSeries system as root and run:
docker restart system_image_agent
(Note underscores, not hyphens)
After this, there will be various log messages from image-agent in /var/F5/system/log/platform.log:
image-agent[10]: priority="Notice" version=1.0 msgid=0x2001000000000001 msg="Image Agent starting". <---
image-agent[10]: priority="Info" version=1.0 msgid=0x6602000000000005 msg="DB is not ready".
image-agent[10]: priority="Info" version=1.0 msgid=0x6602000000000005 msg="DB is not ready".
image-agent[10]: priority="Info" version=1.0 msgid=0x6602000000000006 msg="DB state monitor started".
image-agent[10]: priority="Info" version=1.0 msgid=0x2005000000000001 msg="Image file added" FILE="BIGIP-15.1.6.1-0.0.10.ALL-F5OS.qcow2.zip.bundle".
image-agent[10]: priority="Info" version=1.0 msgid=0x6602000000000003 msg="DB state is now Active". <---
Fix:
Leak scenarios have been fixed.
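The oom-killer table quoted above is the signal the workaround asks an operator to watch for. As an added example (not code from the release note or from F5OS), the parser below reads rows in that format, converts the 4 KiB page counts to bytes, and flags the ImageAgent process once its resident set exceeds the 1 GB restart threshold the workaround recommends. The `SAMPLE_MESSAGES` text is constructed for this example and modelled on the quoted format; the function names and the use of a 1 GiB limit for "1GB" are assumptions.

```python
"""Flag an oversized ImageAgent in oom-killer output (added example, not F5OS code)."""
import re

PAGE_SIZE = 4096   # oom-killer reports rss and swapents in 4 KiB pages on x86_64
GIB = 1 << 30      # the workaround's "1GB" threshold, read here as 1 GiB

# Constructed sample, modelled on the oom-killer table format quoted in the release note.
SAMPLE_MESSAGES = """\
Nov  2 16:50:48 appliance kernel: xxxx invoked oom-killer: gfp_mask=0x201da, order=0, oom_score_adj=0
Nov  2 16:50:48 appliance kernel: [ pid ]   uid  tgid total_vm      rss nr_ptes swapents oom_score_adj name
Nov  2 16:50:48 appliance kernel: [ 1234]     0  1234    12345     2048      20        0             0 sshd
Nov  2 16:50:48 appliance kernel: [ 4321]     0  4321   696934   512846    1111   126261             0 ImageAgent
Nov  2 16:50:48 appliance kernel: [ 5555]     0  5555   250000   131072     300        0             0 confd
"""

# One process row: "[ pid] uid tgid total_vm rss nr_ptes swapents oom_score_adj name".
# The header row has "[ pid ]" (not digits) and does not match, so it is skipped.
OOM_ROW = re.compile(
    r"kernel: \[\s*(?P<pid>\d+)\]\s+(?P<uid>\d+)\s+(?P<tgid>\d+)\s+(?P<total_vm>\d+)\s+"
    r"(?P<rss>\d+)\s+(?P<nr_ptes>\d+)\s+(?P<swapents>\d+)\s+(?P<oom_score_adj>-?\d+)\s+(?P<name>\S+)"
)


def parse_oom_table(text):
    """Parse oom-killer process-table rows into dicts with byte-denominated memory figures."""
    rows = []
    for line in text.splitlines():
        m = OOM_ROW.search(line)
        if not m:
            continue
        rows.append({
            "pid": int(m["pid"]),
            "name": m["name"],
            "rss_bytes": int(m["rss"]) * PAGE_SIZE,
            "swap_bytes": int(m["swapents"]) * PAGE_SIZE,
        })
    return rows


def oversized_processes(rows, name="ImageAgent", limit_bytes=GIB):
    """Return the rows for `name` whose resident set is above the restart threshold."""
    return [r for r in rows if r["name"] == name and r["rss_bytes"] > limit_bytes]


def check_messages(text):
    """Convenience wrapper: parse a messages log excerpt and return the flagged ImageAgent rows."""
    return oversized_processes(parse_oom_table(text))


if __name__ == "__main__":
    for row in check_messages(SAMPLE_MESSAGES):
        print(f"{row['name']} pid {row['pid']}: RSS {row['rss_bytes'] / GIB:.2f} GiB, "
              f"swap {row['swap_bytes'] / GIB:.2f} GiB, above restart threshold")
```

The same parser can be pointed at the messages file extracted from a host QKView, so the check can be run on collected diagnostics rather than on the live appliance.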
1186105-1 : rSeries logs multiple UP/DOWN link transitions during system start up.
Component: F5OS-A
Symptoms:
As the rSeries platform starts up and initializes its front-panel interfaces, multiple UP/DOWN link transitions are logged.
Conditions:
rSeries system startup.
Impact:
Confusing log messages regarding link transitions.
Workaround:
None
Fix:
Improve logging so only one DOWN/UP transition is logged at start-up.
1186101-1 : Front panel interfaces are not disabled on system reboot
Component: F5OS-A
Symptoms:
Peer device will not see its links go DOWN until the system or blade starts to reboot.
Conditions:
-- r5000, r10000 series appliance
-- CX410 chassis
Impact:
Unwanted traffic could egress the system unexpectedly.
Workaround:
There is no workaround for this issue.
Fix:
Detect that the system is rebooting and proactively disable the front-panel interfaces.
1185369-1 : F5OS rSeries appliances will not launch tenants after upgrade to F5OS-A 1.3.0
Component: F5OS-A
Symptoms:
After an upgrade to F5OS-A 1.3.0, the system will not be able to deploy tenants. Even if the system software is reverted to the previous version, the issue remains.
The system may report a tenant status such as the following:
- Tenant deployment failed - Server is not responding
- 0/1 nodes are available: 1 node(s) didn't match Pod's node affinity/selector.
The "show cluster cluster-status" command will report that the cluster is not ready:
cluster cluster-status summary-status "1 Appliance is NOT ready, K3S cluster is NOT ready."
There will be error messages in /var/log/messages that mention "x509: certificate signed by unknown authority", for instance:
k3s: E1102 16:50:48.340717 44106 kuberuntime_manager.go:790] "CreatePodSandbox for pod failed" err="rpc error: code = Unknown desc = failed to setup network for sandbox \"5ba7aa29305335ce0b6a87b48a570b292f90e1f42f2a2b4ae4fff90a96a55df7\": Multus: [kube-system/klipper-lb-8cht8]: error getting pod: Get \"https://[100.75.0.1]:443/api/v1/namespaces/kube-system/pods/klipper-lb-8cht8?timeout=1m0s\": x509: certificate signed by unknown authority" pod="kube-system/klipper-lb-8cht8"
Conditions:
- F5OS rSeries appliance
- System upgraded to F5OS-A 1.3.0 for the first time
Impact:
The system is unable to deploy tenants. Even if the system is reverted to the previous software version, the issue remains and the system will be unable to launch tenants.
Workaround:
Once a system is affected, the fix is to reinstall the Kubernetes cluster. This procedure will take about 10 minutes and will not affect the configuration or data of the tenants.
1. Log in to the rSeries appliance CLI with the root account.
2. To identify whether the setup is in an error state, check for the string "x509: certificate signed by unknown authority" in /var/log/messages, or check whether the K3S cluster is not healthy and running.
3. Change all deployed tenants to a provisioned state.
4. Stop the appliance_orchestration_manager service by running the following command:
systemctl stop appliance_orchestration_manager_container
5. Uninstall K3S by running the following commands:
k3s-uninstall.sh
rm /var/omd/* /tmp/omd/tokens/* /tmp/omd/appliance-ansible-host
6. Start the appliance_orchestration_manager service by running the following command:
systemctl start appliance_orchestration_manager_container
7. Wait about 10 minutes.
8. From the F5OS CLI (log in as admin), check the cluster status:
show cluster install-status ; show cluster cluster-status
The cluster-status should be "K3S cluster is initialized and ready for use".
From a root shell, check that "kubectl get pods -A" shows running containers in both the "kube-system" and "kubevirt" namespaces.
Fix:
N/A
1173853 : Packet loss caused by failure of internal hardware bus
Links to More Info: BT1173853
Component: F5OS-A
Symptoms:
All or 50% of from-network packets arriving at a front panel port are dropped in hardware prior to delivery to tenant(s) running on the CPU. Packet loss is caused by CRC errors on an internal bus connecting two hardware components leading to eventual failure of the bus.
Conditions:
Issue occurs randomly, but is most commonly seen soon after bootup when packets first start to be handled by fastL4 hardware acceleration, hardware per-virtual server syn cookie protection, or AFM hardware protection.
Impact:
Total loss of from-network to CPU packets on r5900, r5800, and r5600 appliances, and either total loss or loss of 50% of from-network to CPU packets on r10900, r10800, and r10600 appliances. The r4800, r4600, r2800, and r2600 appliances are unaffected.
Workaround:
Reboot the appliance and disable fastL4 acceleration, per-virtual syn cookie hardware protection, and AFM hardware protection before re-enabling ingress traffic.
Fix:
This issue has been corrected.
1169341-1 : Using MAC Masquerade in a BIG-IP tenant causes traffic issues when re-deploying the tenant
Links to More Info: BT1169341
Component: F5OS-A
Symptoms:
If the tenant has configured MAC Masquerade, when the tenant is moved to a Configured or Provisioned state, then back to Deployed, the tenant may experience loss of traffic.
Conditions:
The tenant has configured MAC Masquerade and redeploys the tenant.
Impact:
The tenant may experience loss of datapath traffic.
Workaround:
N/A
Fix:
Using MAC Masquerade in a BIG-IP tenant no longer causes traffic issues.
1169193 : Unable to move tenants to provisioned or configured state with storage size specified as 76 in 1.2.0 after upgrading from 1.2.0 to 1.3.0
Component: F5OS-A
Symptoms:
Tenants that were deployed in 1.2.0 with a storage size of 76GB cannot be moved to a provisioned or configured state after the system is upgraded to 1.3.0.
Conditions:
Deploy a tenant in 1.2.0 with a 76GB storage size, upgrade F5OS to 1.3.0, and try to change the running state of the tenant to configured or provisioned.
Impact:
Once upgraded to 1.3.0, the running state of the tenant cannot be changed to provisioned or configured. In the deployed state it is not possible to resize.
Workaround:
When tenant running state is being updated to provisioned or configured, the storage size must be greater than the default size of that image.
Fix:
Tenants can be moved to provisioned or configured state.
1166277 : System downgrade is not possible with tenants in deployed state.
Component: F5OS-A
Symptoms:
Tenants stuck in pending phase or tenant pods are missing.
Conditions:
Tenants deployed in 1.3.0 will be stuck in the pending phase when the system is downgraded to 1.2.0.
Impact:
Tenants will not be in a running state.
Workaround:
Move tenants to configured/provisioned state.
1166201-1 : Opensource Updates
Component: F5OS-A
Symptoms:
Opensource libraries used in previous versions were potentially susceptible to:
CVE-2016-4658
CVE-2017-18342
CVE-2018-25032
CVE-2019-15605
CVE-2019-17498
CVE-2019-20044
CVE-2020-10531
CVE-2020-12321
CVE-2020-24489
CVE-2020-25710
CVE-2020-8625
CVE-2021-20233
CVE-2021-20271
CVE-2021-2388
CVE-2021-25214
CVE-2021-25217
CVE-2021-27219
CVE-2021-27803
CVE-2021-30465
CVE-2021-3156
CVE-2021-3538
CVE-2021-3621
CVE-2021-4034
CVE-2021-42574
CVE-2021-43527
CVE-2021-44142
CVE-2022-1227
CVE-2022-1271
CVE-2022-23852
CVE-2022-24407
CVE-2022-24903
CVE-2022-2526
CVE-2022-2738
CVE-2022-29154
CVE-2022-34169
CVE-2022-40674
CVE-20919-8696
Conditions:
This addresses different problems. Multiple common vulnerabilities are fixed.
Impact:
Strengthens System Security
Fix:
Multiple common vulnerabilities are fixed to make system more secure.
The following RPM packages have been upgraded:
rpm-4.11.3-48.el7_9.x86_64
rpm-build-libs-4.11.3-48.el7_9.x86_64
rpm-libs-4.11.3-48.el7_9.x86_64
rpm-python-4.11.3-48.el7_9.x86_64
rsync-3.1.2-11.el7_9.x86_64
java-1.8.0-openjdk-headless-1:1.8.0.342.b07-1.el7_9.x86_64
tzdata-2022a-1.el7.noarch
tzdata-java-2022a-1.el7.noarch
systemd-219-78.el7_9.7.x86_64
systemd-libs-219-78.el7_9.7.x86_64
systemd-sysv-219-78.el7_9.7.x86_64
podman-1.6.4-36.el7_9.x86_64
runc-1.0.0-69.rc10.el7_9.x86_64
expat-2.1.0-15.el7_9.x86_64
1162609 : F5 r2600/r2800/r4600/r4800 devices unable to establish LACP link or send LLDP to some switches
Component: F5OS-A
Symptoms:
LACP and LLDP messages transmitted from an F5OS r2x00/r4x00 appliance to a peer switch have an incorrect length, and are ignored by some switches.
This can result in LACP aggregate links configured between an F5OS appliance and peer switch to fail to establish.
For example, Extreme Networks switches may produce a message similar to this:
<Erro:LACP.RxPDUSizExcd> Slot-2: Received PDU LACP size exceeded. Incoming Port: 1:1 PDU size: 132 required size: 128
Juniper hardware may produce messages similar to this:
kernel: xe-1/1/1: received pdu - length mismatch for lacp : len 128, pdu 124 like 1
LLDP packets sent from the F5OS device may not be accepted or correctly interpreted by the connected switch.
Conditions:
-- rSeries r2600/r2800/r4600/r4800-series appliance
-- LACP trunk (aggregate link) configured
(or)
-- LLDP advertising enabled
Impact:
Unable to establish an LACP trunk between the F5OS r2600/r2800/r4600/r4800 and a network switch.
Workaround:
Configure the LAG using a static configuration (that is, no LACP) on both sides, if possible.
Fix:
The code was fixed to trim the extra 4 bytes that were being sent in the BPDUs.
1154129 : Missing port-speed option for management interface on Appliance
Component: F5OS-A
Symptoms:
There is no option to change the port speed on the management interface of the Appliance through the CLI. An error displays when you attempt to disable auto-negotiation or when you try to change the port speed from the webUI (after disabling it from the CLI).
Conditions:
Always
Impact:
Port speed cannot be configured for the management interface on Appliance.
Workaround:
No workaround.
Fix:
Schema changes now allow the port speed to be configured for the management interface on the Appliance.
1145841 : WebUI fails to delete an LACP LAG that does not have the corresponding LACP interface
Component: F5OS-A
Symptoms:
WebUI fails to delete an LACP LAG that does not have the corresponding LACP interface.
Conditions:
The LACP interface for the LACP LAG does not exist.
Impact:
Unable to delete the LAG on webUI.
Workaround:
Users can either delete the LAG from the CLI or create the LACP interface for the LAG and then delete it from webUI.
Fix:
With this fix, the user will be able to delete an LACP LAG even if it does not have the corresponding LACP interface.
1145753 : QKView obfuscation step can cause excessive disk usage
Component: F5OS-A
Symptoms:
QKView performs the obfuscation steps for capturing files, which can create temporary files the same size as the captured files. If a sufficiently large file is captured, this may cause a disk full error.
Conditions:
QKView captures a very large file and obfuscates it.
Impact:
System may be unusable.
Workaround:
Before executing QKView, scan the system for extraordinarily large log files and delete them. One example is telemetry.db.
Fix:
This bug fix truncates the file to a maximum size of 0.5 GB (or a size defined by the maxfilesize argument) before performing obfuscation. This limits the chance for a disk full error.
1144177-1 : CLI idle-time is not persistently configurable
Component: F5OS-A
Symptoms:
The default CLI idle-timeout is set in a non-user-modifiable configuration file, and must be set each time the user logs in.
Conditions:
The user desires to set a persistent idle-timeout to a value other than the pre-set default, or to disable it.
Impact:
User cannot select a default idle-timeout other than the predefined default.
Workaround:
None.
Fix:
A configuration setting has been added to the configuration database as "system settings config idle-timeout" so that the administrator can configure a default idle-timeout for the CLI. The setting applies to the particular system instance (controller, partition, or appliance).
Behavior Change:
Administrator can configure the default CLI timeout value, so that it applies to all user sessions.
1143769 : Updating LDAP configuration on Auth Settings screen on the webUI having no TLS key updates it to empty string.
Component: F5OS-A
Symptoms:
When the LDAP configuration on Auth Settings is updated via the webUI, with no TLS key previously configured, the TLS key is updated to an empty string. This results in an empty string being encrypted and stored as the key.
Conditions:
Add/Modify LDAP configuration on Auth Settings screen.
Impact:
TLS key is set to empty string and is encrypted.
Workaround:
One of the following:
-- Use the F5OS CLI to modify authentication settings, rather than using the webUI.
-- Use the webUI to edit authentication settings only when the TLS key is already configured, meaning, there is an encrypted value already present in TLS key field.
Fix:
Updating LDAP configuration when the TLS key is not configured will not create a TLS key with empty string.
1141801 : F5OS-A Intel CPU vulnerability CVE-2021-33060
Component: F5OS-A
Symptoms:
There are no visible symptoms.
Conditions:
The issue is present in BIOS versions 2.00.114.1 and earlier.
Impact:
Out-of-bounds write in the BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access. (CVE-2021-33060)
Workaround:
As local access is required to exploit this vulnerability, you can mitigate this by restricting access to the affected F5 product (on the host OS and in a container or tenant) to only trusted users.
Fix:
Resolved Intel CPU vulnerability CVE-2021-33060.
1141753 : User manager containers should not mount /var/log/tally as /tmp
Component: F5OS-A
Symptoms:
Unnecessary files left in /var/log.
Conditions:
When qkview is captured.
Impact:
Unnecessary files left in /var/log and collected by qkview as a result of a container using /var/log/tally as a temporary space.
Workaround:
N/A
Fix:
User manager does not mount /var/log/tally anymore.
1141593 : tmstat-merged log messages for invalid argument
Component: F5OS-A
Symptoms:
Repeated log messages from tmstat-agent about invalid arguments from fzmq_handle_to_socket_thread_safe.
Conditions:
VELOS appliance.
Impact:
Fills log files and could obscure or roll over more important log messages.
Workaround:
N/A
Fix:
Not relevant to appliances.
1141577 : WebUI crashes when a new SSL/TLS private key is generated
Component: F5OS-A
Symptoms:
The webUI crashes when a new SSL/TLS certificate is created in the Certificate Management tab.
The HTTP server has to restart to read the newly-created private keys (encrypted or unencrypted) from a configuration file. Before the HTTP server restarts, all active client connections will be closed. This will cause the webUI to crash, and the server will be unreachable temporarily.
Conditions:
No configuration changes required.
Impact:
The webUI crashes and the TCP connection with the HTTP server will be closed.
Workaround:
The user has to reestablish the connection to the server after waiting a few seconds.
Fix:
No fix required.
1137889-1 : CLI "show interfaces summary" command doesn't provide a summary
Links to More Info: BT1137889
Component: F5OS-A
Symptoms:
The "show interfaces" command is quite cluttered when displaying the state of both physical and virtual (aggregate) interfaces, making it difficult to get a high-level summary of all interfaces.
The "show interfaces interface full" command displays a confusing subset of interface states, when the intent of "full" was to display all state fields, including the duplicate "name" column.
Conditions:
The administrator attempts to use the "show interfaces" command to diagnose networking problems.
Impact:
Difficult to diagnose interface configuration/connectivity problems.
Workaround:
None
Fix:
The new "summary" option for "show interfaces" displays a brief subset of the most important interface state information.
appliance-1# show interfaces interface state summary
                                       OPER
NAME   TYPE            MTU   ENABLED   STATUS
---------------------------------------------
1.0    ethernetCsmacd  9600  true      UP
2.0    ethernetCsmacd  9600  true      UP
3.0    ethernetCsmacd  9600  true      UP
4.0    ethernetCsmacd  9600  true      UP
5.0    ethernetCsmacd  9600  true      UP
6.0    ethernetCsmacd  9600  true      UP
7.0    ethernetCsmacd  9600  true      UP
8.0    ethernetCsmacd  9600  true      UP
mgmt   ethernetCsmacd  -     true      UP
1137725 : nslcd start/run script may fail or log alarming messages
Component: F5OS-A
Symptoms:
The script that watches and restarts the nslcd process could sometimes fail to do so, and would sometimes log messages that appeared alarming.
Conditions:
Changing authentication settings that affect nslcd.
Impact:
The messages were benign, but the occasional failure to restart nslcd on config change could cause authentication changes to fail to propagate to the running process.
Workaround:
Restarting the name-service-ldap container is likely to solve the issue.
Fix:
The nslcd start/run script was rewritten to minimize alarming log messages and reliably start and restart the process when expected.
1137669 : Potential mis-forwarding of packets caused by stale internal hardware acceleration configuration
Links to More Info: BT1137669
Component: F5OS-A
Symptoms:
Because configuration entries added to the internal ePVA hardware acceleration tables may become stuck, packets arriving from front panel ports may be handled by stale entries resulting in unexpected forwarding behavior. The stale entries may also prevent TMM from offloading new connections to ePVA.
Conditions:
The most likely cause for entries to become stuck is either a reboot of a tenant or a restart of TMM while it has active connections offloaded to ePVA, without also rebooting the entire appliance.
Impact:
Packets may be forwarded to unexpected destinations, and/or new connections are unable to be offloaded to ePVA.
Workaround:
Do not reboot a tenant or restart TMM without also rebooting the entire appliance.
Fix:
Packets are behaving as expected.
1137361 : Enabling LDAP may produce a log message with the usage help for the kill command
Component: F5OS-A
Symptoms:
If the nslcd process is restarted when it was not previously running, the usage help for the kill command could be written to the log.
Conditions:
The nslcd process is being restarted because of a configuration change but was not previously running.
Impact:
Alarming log messages. Potential failure to restart nslcd, resulting in failures in remote authentication.
Workaround:
Restarting the name-service-ldap container is likely to resolve the issue.
Fix:
The nslcd run/start script was rewritten to make it more robust, while reducing the chance for unnecessarily alarming log messages.
1137309 : NSLCD does not restart if it dies or exits
Component: F5OS-A
Symptoms:
If the NSLCD process is terminated for any reason, the process is not restarted.
Conditions:
LDAP authentication is enabled and the NSLCD process is terminated or unexpectedly exits.
Impact:
LDAP authentication will be unavailable.
Workaround:
The process can be restarted by manually restarting the container using the command docker restart name-service-ldap.
Fix:
The NSLCD process will now restart if it is terminated.
1137121 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0
Component: F5OS-A
Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".
Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.
Impact:
Tenants will not start and are unusable.
Workaround:
To work around this issue, perform one of these actions:
1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".
Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.
1136829-1 : Blank server error popup appears over unauthorized popup for operator user
Links to More Info: BT1136829
Component: F5OS-A
Symptoms:
When an operator user performs any operation that makes a REST call that is unauthorized for the operator role, a blank server error popup appears behind the unauthorized popup.
Conditions:
When the logged in user is in an operator role and performs an unauthorized action.
Impact:
A blank server error popup is seen behind an unauthorized popup, which is unnecessary.
Workaround:
NA
Fix:
Only the unauthorized popup is now shown when the operator user performs an unauthorized action.
1136777 : Monitoring agent service is missing telemetry inputs after its restart
Component: F5OS-A
Symptoms:
When the diagnostic event queue is flooded due to a watchdog closure issue, the telemetry input reload fails.
Conditions:
Only seen when the diagnostic event log is flooded due to a watchdog closure issue, followed by a restart of the monitoring service.
Impact:
The diagnostic agent service will not receive the latest measurements.
Workaround:
N/A
Fix:
The monitoring agent service now reloads all telemetry inputs after a restart.
1136361 : RJ45 interface links once at 1G
Component: F5OS-A
Symptoms:
The RJ45 interfaces on F5 r2000 and r4000 platforms link at 1G only once. If the link goes down, the interfaces cannot reestablish a link at 1G.
Conditions:
When an RJ45 interface that is 10G/1G capable is connected to a 1G port on F5 r2000 and r4000 platforms.
Impact:
The RJ45 interface won't achieve a link.
Workaround:
To clear the no-link condition, reboot or power cycle the platform. The RJ45 link will then come up at 1G, but only once.
Fix:
The RJ45 interfaces on F5 r2000 and r4000 platforms are now able to re-establish a 1G link.
1136213 : Network Manager crashes while processing an L2 Listener Request on R2x00 or R4x00
Component: F5OS-A
Symptoms:
Network Manager crashes and a core file will be generated asynchronously.
Conditions:
When an L2 Listener Request is received on the platform, which is not expected to be received in the case of R2x00 or R4x00 platforms.
Impact:
Network Manager crashes generating a core file.
Workaround:
N/A
Fix:
Network Manager no longer crashes.
1135865 : Remotely authenticated user who is a member of multiple roles that include invalid roles is not allowed to log in
Component: F5OS-A
Symptoms:
Users on systems have a role assigned to them. This role is one of a predefined set which includes the admin role. A remote user with multiple roles, some of which are not in this predefined set, is configured on a remote authentication server (LDAP, tacplus or RADIUS). Such a user was treated differently based on the mode of access (GUI or ssh) and the remote authentication method. Sometimes the user can log in, sometimes not.
Conditions:
A user has to be configured on a remote authentication server (LDAP, tacplus or RADIUS) with multiple group IDs, some of which are not assigned to any role in our system.
That remote authentication method has to be configured as an authentication method on our system.
User supplies the correct password and tries to log in. The user may or may not be allowed into the system, depending on method of access and remote authentication method.
Impact:
When a remote user has multiple roles which include invalid roles, the behavior of the system was inconsistent.
Workaround:
Removing the invalid group ID from the remote server will fix the issue.
Fix:
When a remote user belongs to multiple roles, some of which are invalid ones, only the valid roles are considered for authorization. Also, this is consistently done across methods of access (GUI, ssh, etc.) and across all remote authentication methods (LDAP, tacplus, RADIUS, etc.).
1135861 : Remote user with no valid role is allowed to log in.
Component: F5OS-A
Symptoms:
Under certain circumstances when remote authentication (ldap, tacplus, or radius) is configured, a remote user may be able to log in with low privileges when they should not.
Conditions:
An improperly configured user profile.
Remote authentication configured on F5OS.
Impact:
A user without a valid role is let into the system with low privileges.
Workaround:
None
Fix:
Only users with a valid group (per /etc/group) are allowed to log in.
1135849-1 : telemetry.db grew to 50G and caused error "database disk image is malformed"
Component: F5OS-A
Symptoms:
When multiple RAS events are received continuously during monitoring, the telemetry.db file can grow to 50G.
Conditions:
If the hardware is in a faulty state, more events are generated, which increases the size of telemetry.db.
Impact:
The file system will become inaccessible as telemetry.db consumes the available space.
Workaround:
Delete the telemetry.db file and restart the platform-monitor service.
Fix:
This fix truncates the telemetry.db to a size of 500 MB or less.
1135661-2 : Ability to configure LDAP chase-referrals option
Component: F5OS-A
Symptoms:
By default, our LDAP implementation was set to chase LDAP referrals. This could be expensive and make lookups very slow in large organizations with multiple layers of LDAP servers.
Conditions:
LDAP enabled in very large LDAP organizations with multiple levels of servers.
Impact:
The default of chasing referrals in the above conditions could result in slow LDAP lookups and timeouts.
Fix:
A chase referrals option was added to LDAP configuration. The default is still enabled, but now it can be easily disabled:
system aaa authentication ldap chase-referrals false
1135281-1 : Blank LDAP tls_key causes error
Links to More Info: BT1135281
Component: F5OS-A
Symptoms:
When using the CLI or older webUI, it was possible to enter an "empty" tls_key. This would cause nslcd to be incorrectly configured.
Conditions:
LDAP configured. Blank LDAP tls_key entered:
system aaa authentication ldap tls_key ""
Impact:
A blank tls_key would fail to work correctly when configuring authentication or talking to the LDAP server.
Workaround:
Explicitly set the bind password to unset:
no system aaa authentication ldap tls_key
Fix:
Fixed authentication so any form of "empty" tls_key results in the tls_key being unset.
1135233-1 : Updating LDAP configuration on Auth Settings screen on the webUI fails to preserve the existing bind password
Links to More Info: BT1135233
Component: F5OS-A
Symptoms:
When the LDAP configuration on Auth Settings is updated via webUI, the unchanged/existing bind password is replaced by an empty string, resulting in LDAP authentication failure.
Conditions:
Modify existing LDAP configuration on Auth Settings screen.
Impact:
Bind password is not preserved.
Workaround:
One of the following:
-- Use the F5OS CLI to modify authentication settings, rather than using the webUI.
-- When editing authentication settings in the webUI, always re-enter the bind password.
Fix:
Updating the LDAP configuration now preserves the existing, unchanged bind password and no longer results in LDAP authentication failure.
1135125 : Reading data from wrong socket leads to LACPD restart.
Component: F5OS-A
Symptoms:
Reading an update from the ConfD subscription socket leads to an LACPD container restart.
Conditions:
Reading an update from the ConfD subscription socket.
Impact:
This issue leads to LACPD container restart.
Workaround:
N/A
Fix:
Read data from read socket, not from subscription socket.
1134957 : ldapsearch not available to use on F5OS devices
Component: F5OS-A
Symptoms:
ldapsearch is a crucial utility for troubleshooting LDAP remote authentication. However, it wasn't available on any F5OS devices, and therefore, couldn't be utilized.
Conditions:
The utility could not be found searching on the base OS using the command: "find / -name '*ldapsearch*'"
It also could not be found within the name-service-ldap container, using the command: "docker exec -it name-service-ldap ldapsearch"
Impact:
Troubleshooting is made more difficult.
Fix:
ldapsearch has now been installed and can be accessed using the name-service-ldap container. To do this, you can run the command: "docker exec -it name-service-ldap bash".
1134737 : CVE-2021-42740 - The shell-quote package before 1.7.3 for Node.js allows command injection
Component: F5OS-A
Symptoms:
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.
Conditions:
N/A
Impact:
N/A
Workaround:
None.
Fix:
Upgraded to shell-quote version 1.7.3.
1134733 : CVE-2021-37701 - Vulnerability in the npm package "tar" (aka node-tar)
Component: F5OS-A
Symptoms:
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/` characters as path separators, however `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. 
If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.
Conditions:
N/A
Impact:
N/A
Workaround:
None
Fix:
Upgraded to tar v6.1.11.
1134729 : CVE-2022-0686 - Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8
Component: F5OS-A
Symptoms:
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.
Conditions:
N/A
Impact:
N/A
Workaround:
None.
Fix:
Upgraded url-parse to v1.5.10.
1134725 : CVE-2020-15256 - Prototype pollution vulnerability found in `object-path` <= 0.11.4
Component: F5OS-A
Symptoms:
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the `includeInheritedProps: true` option or the `withInheritedProps` instance if using a version >= 0.11.0.
Conditions:
N/A
Impact:
N/A
Workaround:
None.
Fix:
Upgraded react-scripts to version 4.0.0 which doesn't require object-path.
1134721 : CVE-2021-44906 - Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js
Component: F5OS-A
Symptoms:
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js.
Conditions:
N/A
Impact:
N/A
Workaround:
None.
Fix:
Upgraded minimist to version 1.2.6.
1134717 : CVE-2021-23436 - Package immer before 9.0.6. has a type confusion issue
Component: F5OS-A
Symptoms:
This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.
Conditions:
N/A
Impact:
N/A
Workaround:
None
Fix:
Upgraded immer to version 9.0.6.
1134713 : CVE-2020-7660 - arbitrary code injection in serialize-javascript prior to 3.1.0
Component: F5OS-A
Symptoms:
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
Conditions:
N/A
Impact:
N/A
Workaround:
None.
Fix:
Upgraded react-scripts to version 4.0.0, which uses serialize-javascript versions 4.0.0 and 5.0.1.
1134709 : CVE-2021-23434 - A type confusion vulnerability in object-path before 0.11.6.
Component: F5OS-A
Symptoms:
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.
Conditions:
N/A
Impact:
N/A
Workaround:
None
Fix:
Upgraded react-scripts to version 4.0.0, which does not require object-path.
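The two advisories above (1134717 for immer and 1134709 for object-path) describe the same root cause: a strict-equality check on a path component is false when the component is an array such as ['__proto__'], yet property access later coerces that array with String(). The following is an added example, not code from F5OS, immer or object-path; the function names, the FORBIDDEN_KEYS set and the CRAFTED_PATH sample input are constructed for illustration. It contrasts the weak check with one that rejects non-string components before looking at the name, and a setter that refuses the whole operation on any forbidden component.

```javascript
// Added example (hypothetical code, not from F5OS, immer or object-path).
// Shows why  p === "__proto__" || p === "constructor"  is bypassed by an
// array-wrapped component, and how a hardened path validator handles it.

// Keys that must never be written through a user-controlled path.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Weak check, modelled on the condition quoted in the advisories.
// Strict equality compares types first, so ['__proto__'] never matches,
// even though String(['__proto__']) === '__proto__' at property-access time.
function isForbiddenKeyWeak(p) {
  return p === "__proto__" || p === "constructor";
}

// Hardened check: anything that is not a plain string is rejected outright,
// before the name is inspected, so array/object components cannot sneak past.
function isForbiddenKeyStrict(p) {
  if (typeof p !== "string") {
    return true;
  }
  return FORBIDDEN_KEYS.has(p);
}

// Validate a whole path with a given check. Returns the offending components
// (rendered as strings for reporting); an empty array means the path is safe.
function findForbiddenComponents(path, check = isForbiddenKeyStrict) {
  const bad = [];
  for (const p of path) {
    if (check(p)) {
      bad.push(typeof p === "string" ? p : JSON.stringify(p));
    }
  }
  return bad;
}

// Safe setter: refuses the entire write if any component fails the strict
// check, and only walks/creates own properties of the target object.
function safeSetByPath(target, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new Error("path must be a non-empty array");
  }
  const bad = findForbiddenComponents(path);
  if (bad.length > 0) {
    throw new Error("refusing to set path through forbidden key(s): " + bad.join(", "));
  }
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== "object") {
      node[key] = {};
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Constructed sample input: the array-wrapped component form from the advisories.
const CRAFTED_PATH = [["__proto__"], "polluted"];

// Summarize what each check says about the crafted path.
function compareChecks(path = CRAFTED_PATH) {
  return {
    weakFlags: findForbiddenComponents(path, isForbiddenKeyWeak),
    strictFlags: findForbiddenComponents(path, isForbiddenKeyStrict),
  };
}
```

With the weak check the crafted path passes validation untouched; with the strict check the array component is reported and safeSetByPath throws instead of writing.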
1134705 : CVE-2021-26707 - The merge-deep library before 3.0.3 for Node.js can be tricked
Component: F5OS-A
Symptoms:
The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.
Conditions:
N/A
Impact:
N/A
Workaround:
None
Fix:
Upgraded react-scripts to v4.0.0, which does not require the merge-deep dependency.
1134701 : CVE-2022-0691 - Authorization Bypass Through User-Controlled Key in NPM url-parse
Component: F5OS-A
Symptoms:
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.
Conditions:
N/A
Impact:
N/A
Workaround:
None
Fix:
Upgraded to url-parse v1.5.10.
1134697 : CVE-2018-19827 - In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr Class
Component: F5OS-A
Symptoms:
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service or possibly have another unspecified impact.
Conditions:
N/A
Impact:
N/A
Workaround:
None
Fix:
Replaced node-sass with sass.
1134693 : CVE-2021-32804 - Insufficient path sanitization in node-tar
Component: F5OS-A
Symptoms:
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
Conditions:
N/A
Impact:
N/A
Workaround:
None.
Fix:
Upgraded tar to version 6.1.11.
1134689 : CVE-2021-37713 - node-tar file creation/overwrite vulnerability
Component: F5OS-A
Symptoms:
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\path`. If the drive letter does not match the extraction target, for example `D:\extraction\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.
Conditions:
N/A
Impact:
N/A
Workaround:
None
Fix:
Upgraded to tar v6.1.11.
1134685 : CVE-2022-1650 - Exposure of Sensitive Information to an Unauthorized Actor in GitHub...
Component: F5OS-A
Symptoms:
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.
Conditions:
N/A
Impact:
N/A
Workaround:
None.
Fix:
Upgraded eventsource to v1.1.2.
1134681 : CVE-2021-3757 - immer is vulnerable to Improperly Controlled Modification of Object Prototype...
Component: F5OS-A
Symptoms:
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Conditions:
N/A
Impact:
N/A
Workaround:
None
Fix:
Upgraded immer to v9.0.6.
1134677 : CVE-2021-42581 - ** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier
Component: F5OS-A
Symptoms:
** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes.
Conditions:
N/A
Impact:
N/A
Workaround:
None.
Fix:
Upgraded Ramda to 0.27.1.
1134673 : CVE-2021-3918 - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype...
Component: F5OS-A
Symptoms:
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Conditions:
N/A
Impact:
N/A
Workaround:
None.
Fix:
Replaced node-sass with sass which doesn't require json-schema dependency.
1134669 : CVE-2021-32803 - node-tar uses insufficient symlink protection
Component: F5OS-A
Symptoms:
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
Conditions:
N/A
Impact:
N/A
Workaround:
None
Fix:
Upgraded to tar v6.1.11.
1134665 : CVE-2018-11698 - An out-of-bounds read discovered in LibSass through 3.5.4.
Component: F5OS-A
Symptoms:
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Conditions:
N/A
Impact:
N/A
Workaround:
None.
Fix:
Replaced node-sass with sass.
1134649 : CVE-2021-37712 - node-tar file creation/overwrite vulnerability
Component: F5OS-A
Symptoms:
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.
Conditions:
N/A
Impact:
N/A
Workaround:
None.
Fix:
Upgraded node-tar to version 6.1.11.
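Both node-tar advisories above (CVE-2021-32803 and CVE-2021-37712) describe the same ordering: a directory entry, then a symlink whose name resolves to that directory (identical, or Unicode-equivalent), then a file written through it. The following pre-extraction check is an added example, not F5OS or node-tar code; it walks a tar archive in entry order with Python's standard tarfile module, canonicalises names with NFKC (a broader normalisation than node-tar's, chosen to be conservative), and reports any entry that follows that pattern or whose link target leaves the extraction root. The archives it builds are constructed here only to exercise the check.

```python
import io
import posixpath
import tarfile
import unicodedata


def _canon(path):
    """Canonical archive path: Unicode NFKC, '/' separators, no './' prefix,
    no trailing '/'. Entries with the same canonical path are treated as the
    same filesystem location, which catches the Unicode-equivalent names of
    CVE-2021-37712 as well as the identical names of CVE-2021-32803."""
    norm = unicodedata.normalize("NFKC", path.replace("\\", "/"))
    norm = posixpath.normpath(norm)
    if norm.startswith("./"):
        norm = norm[2:]
    return norm.rstrip("/")


def find_symlink_collisions(archive_bytes):
    """Walk the archive in entry order (the ordering is what the advisories
    describe) and return a list of findings; an empty list means none of the
    directory/symlink/file collision patterns were seen."""
    findings = []
    dirs_seen = set()      # canonical paths already emitted as directories
    symlinks_seen = {}     # canonical path -> link target
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            name = _canon(member.name)
            if member.isdir():
                dirs_seen.add(name)
            elif member.issym():
                if name in dirs_seen:
                    findings.append(
                        f"symlink {member.name!r} replaces a directory "
                        f"created earlier in the archive")
                # Resolve the target relative to the link's own directory
                # and flag anything that leaves the extraction root.
                target = _canon(posixpath.join(posixpath.dirname(name),
                                               member.linkname))
                if (member.linkname.startswith("/") or target == ".."
                        or target.startswith("../")):
                    findings.append(
                        f"symlink {member.name!r} -> {member.linkname!r} "
                        f"points outside the extraction root")
                symlinks_seen[name] = member.linkname
            else:
                # A file (or hard link) whose path passes through an earlier
                # symlink would be written to wherever that link points.
                parent = posixpath.dirname(name)
                while parent:
                    if parent in symlinks_seen:
                        findings.append(
                            f"entry {member.name!r} would be written "
                            f"through symlink {parent!r}")
                        break
                    parent = posixpath.dirname(parent)
    return findings


def build_archive(entries):
    """Build an in-memory tar from (name, kind, extra) tuples, where kind is
    'dir', 'symlink' (extra = link target) or 'file' (extra = content
    bytes). Used only to construct inputs that exercise the check above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, extra in entries:
            info = tarfile.TarInfo(name)
            if kind == "dir":
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = extra
                tar.addfile(info)
            else:
                info.size = len(extra)
                tar.addfile(info, io.BytesIO(extra))
    return buf.getvalue()


# Constructed inputs: a clean archive, the same-name ordering described in
# CVE-2021-32803, and the Unicode-equivalent ordering from CVE-2021-37712
# (precomposed U+00E9 versus 'e' followed by combining U+0301).
BENIGN = build_archive([("data", "dir", None),
                        ("data/note.txt", "file", b"hello\n")])
SAME_NAME = build_archive([("data", "dir", None),
                           ("data", "symlink", "../outside"),
                           ("data/note.txt", "file", b"hello\n")])
UNICODE_ALIAS = build_archive([("caf\u00e9", "dir", None),
                               ("cafe\u0301", "symlink", "../outside"),
                               ("caf\u00e9/note.txt", "file", b"hello\n")])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("same-name", SAME_NAME),
                        ("unicode-alias", UNICODE_ALIAS)):
        print(label, "->", find_symlink_collisions(blob) or "no findings")
```

The Windows 8.3 short-name alias mentioned in CVE-2021-37712 is platform-specific and is not modelled by this check; on Windows a path-equivalence test against the real filesystem would be needed as well.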
1134633 : CVE-2018-11694 - A NULL pointer dereference issue in LibSass through 3.5.4.
Component: F5OS-A
Symptoms:
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Conditions:
The rSeries GUI uses the node-sass dependency, which is a wrapper around LibSass. Hence the NULL pointer dereference issue in LibSass could potentially be leveraged by an attacker via node-sass.
Impact:
The issue could be leveraged by an attacker to cause a denial of service (application crash) or possibly have other impact.
Workaround:
None
Fix:
rSeries GUI has shifted from node-sass to a sass dependency which is not dependent on LibSass.
1134625-1 : webUI session timeout popup referring to browser time instead of server time
Links to More Info: BT1134625
Component: F5OS-A
Symptoms:
If the browser time is not in sync with the server time, the session timeout popup appears early (before the token expires) or sometimes does not appear at all, even when the token has actually expired.
Conditions:
When the user browser and the server times are not in sync.
Impact:
The user sees an incorrect session timeout popup, or does not see the session timeout popup when the token actually expires.
Workaround:
N/A
Fix:
This issue is fixed; the timer for the popup is now set correctly.
1134289 : Diagnostic Controller Panic messages getting logged in platform.log at startup
Component: F5OS-A
Symptoms:
On startup, the diagnostic agent receives Info messages from the LOP for all bits, some of which are not relevant to the system type. This causes the diagnostic agent service to log panic messages.
Conditions:
This occurs only during startup.
Impact:
No functionality impact.
Workaround:
N/A
Fix:
The diagnostic agent no longer panics or logs panic messages during system startup.
1134141 : Uploading qkview to iHealth may fail on long iHealth user names
Component: F5OS-A
Symptoms:
When an iHealth username/email is entered into the configuration for the iHealth upload feature, if it is sufficiently long (over 16 characters), there may be an authentication error when attempting to upload.
Conditions:
iHealth username/email exceeds 16 characters.
Impact:
Unable to upload to iHealth.f5.com via F5OS-A or F5OS-C webUI.
Workaround:
Use the file export feature to download the qkview file from the device to a PC, and then use the PC to upload the qkview file to iHealth.f5.com.
Fix:
Feature has been fixed in F5OS-C 1.6.0 and F5OS-A 1.3.0.
1134033 : Continuous Diagnostic Controller Event Queue errors are printed in platform.log
Component: F5OS-A
Symptoms:
platform.log is continuously flooded with Diagnostic Controller Event Queue error messages.
Conditions:
Whenever the watchdog timer is closed, this issue occurs.
Impact:
Event Queue is getting flooded.
Workaround:
N/A
Fix:
Provided watchdog timer fix to avoid the event log flooding.
1132973 : Live upgrade to F5OS-A-1.3.0 will not work if STP is not configured correctly.
Component: F5OS-A
Symptoms:
System database compatibility checks will fail with STP misconfigurations.
Conditions:
Live upgrades to F5OS-A-1.3.0 will not work if STP is not configured correctly.
Impact:
System database compatibility checks will fail.
Workaround:
STP cannot be enabled on individual LAG members. To perform a live upgrade to F5OS-A-1.3.0, the user must correct the STP configurations by removing the STP from the interface which is assigned to aggregation-id.
1132745 : Improve user readability during file upload on partition or controller
Component: F5OS-A
Symptoms:
When the user starts uploading a tenant image file, the file transfer status in the image import status table displays after a few seconds rather than immediately.
Conditions:
On the tenant images screen, when the user has started a file upload from their local machine.
Impact:
The user is notified of the file upload status only after some delay, which might lead the user to think that the upload has not started until the status appears.
Workaround:
None.
Fix:
A new banner was added at the top of the page saying "File upload is initializing, the transfer status will appear momentarily.", which appears as soon as the user starts the file upload. After a few seconds the message on the banner will change to "File upload in progress, please do not refresh the page.", informing user that refreshing the page will cancel the upload process.
1132733-1 : LDAP config tried to configure blank bind password
Links to More Info: BT1132733
Component: F5OS-A
Symptoms:
When using the CLI or older webUI, it was possible to enter an "empty" password. This would cause nslcd to be incorrectly configured.
Conditions:
LDAP configured. Blank LDAP bind password entered:
system aaa authentication ldap bindpw ""
Impact:
A blank password was highly unlikely to be the intended result and would fail to work correctly when configuring authentication or talking to the LDAP server.
Workaround:
Explicitly set the bind password to unset:
no system aaa authentication ldap bindpw
Fix:
Fixed authentication so any form of "empty" password results in the password being unset.
1132617 : WS-2021-0200 - DoS in YAML from versions v2.2.0 to v2.2.2
Component: F5OS-A
Symptoms:
YAML in versions v2.2.0 to v2.2.2 is vulnerable to a denial of service attack.
Conditions:
N/A
Impact:
N/A
Workaround:
There is currently no workaround for this issue.
Fix:
YAML v2.2.0 - v2.2.2 has been removed and upgraded to YAML v3.0.0 in F5OS-A v1.3.0 or later, which resolves WS-2021-0200.
1131993 : Not able to set severity from CLI/webUI for some services.
Component: F5OS-A
Symptoms:
Severity cannot be set from the CLI/webUI in F5OS-A for the following services:
R5R10: Utils-agent, partition-common (system-common), tcam-manager
R2R4: Utils-agent, partition-common
Conditions:
Try to change the severity for the following services:
R5R10: Utils-agent, partition-common (system-common), tcam-manager
R2R4: Utils-agent, partition-common
Impact:
The severity cannot be changed because these services are not listed in either the ConfD CLI or the webUI.
Workaround:
N/A
Fix:
Severity can now be set from CLI/webUI for all services.
1125761 : appliance-orch-manager coredump
Component: F5OS-A
Symptoms:
appliance-orch-manager (OMD) polls the node, event, and system pod status and updates that status in ConfD. While processing K3S responses, OMD failed to handle a few exceptions, which caused OMD to core dump.
Conditions:
OMD intermittently core dumps if the K3S response is not as expected.
Impact:
Intermittent OMD core dumps.
Workaround:
N/A
Fix:
If OMD core dumps, systemd brings the process back up automatically. No action is expected from the user.
However, if any OMD core dumps are observed, contact F5 support.
1125349-1 : Changing the root password in appliance mode is unlocking root account
Links to More Info: BT1125349
Component: F5OS-A
Symptoms:
Changing the root password while appliance mode is enabled disables appliance mode.
Conditions:
Appliance mode is enabled.
Root password is changed using set-password API.
Impact:
Appliance mode is disabled.
Workaround:
Toggle appliance mode to enable it again.
Fix:
Appliance mode is not disabled and displays a message: "Info: The password has changed but appliance mode is enabled that blocks root login."
1123685 : Occasionally Selinux modules are getting corrupted when the system reboots
Component: F5OS-A
Symptoms:
In rSeries appliances, if SELinux modules are corrupted:
-> The virt-handler pod crashes continuously.
-> The tenant stays in the pending state.
-> Semodule file size is 0 in the directory "/etc/selinux/targeted/active/modules/400/"
Conditions:
An interruption (for example, an abrupt power off) occurs while the SELinux modules are being built during system bootup.
Impact:
-> Virt-handler pod is crashing continuously.
-> Tenant functionality is impacted.
Workaround:
None.
Fix:
Corrupted SELinux module files are now identified, removed, and rebuilt while the system boots.
1123329 : Tagged LLDP PDUs (VLAN ID 1) are sent on appliance devices.
Component: F5OS-A
Symptoms:
VLAN ID 1 is seen in LLDP PDUs sent from appliances.
Conditions:
LLDP is enabled and RXTX is configured to send and receive LLDP PDU.
Impact:
LLDP PDUs are sent tagged with VLAN ID 1.
Workaround:
N/A
Fix:
Fixed by adding the required VLAN handling in F5OS.
1122593-1 : No options to control system power via LCD menu
Component: F5OS-A
Symptoms:
The front-panel LCD on rSeries appliances does not provide a way to control system power to the host operating system.
Conditions:
One of the following rSeries appliances:
- r2000 / r4000
- r5000 / r10000
Impact:
The system LCD panel provides no way to power on/off the device.
Workaround:
The system power can be controlled via the AOM.
Fix:
The system LCD now provides a Power On control in the System menu.
Behavior Change:
In older releases, system power could be controlled only via the AOM. This is addressed in the current release:
The system LCD now provides a Power On control in the System menu.
1122081 : BIG-IP tenants created before F5OS-C 1.5.1 or F5OS-A 1.3.0 may be allocated a smaller disk than required
Links to More Info: BT1122081
Component: F5OS-A
Symptoms:
If the BIG-IP tenant disk space is fully used by creating multiple software volumes within the tenant, it will generate disk errors.
Conditions:
- A tenant originally deployed from an "ALL-F5OS" tenant image (for example, BIGIP-15.1.6.1-0.0.10.ALL-F5OS.qcow2.zip.bundle) originally created from one of the following:
-- 14.1.5 or above in the 14.1.x branch of code
-- 15.1.6.1 or above in the 15.1.x branch of code
- The tenant is configured to use 76G of disk space (the default)
Impact:
Software installs within the tenant may fail.
Workaround:
Beginning in F5OS-A 1.3.0, the system detects the minimum size of a disk created from a tenant image file, and enforces that minimum on newly-created tenants.
If a customer has a tenant affected by this issue and upgrades their system to F5OS-A 1.3.0 or later, set the tenant to "configured", and then deploy the tenant again.
If the disk size is too small, the system shows the minimum size; adjust the tenant disk size to the advised value or larger.
From 1.4.0, the user does not need to adjust the size unless a bigger size is needed.
The right/minimum size will be auto-allocated when the state is changed.
Fix:
The tenant disk size will be detected and auto-allocated.
Behavior Change:
There are two behaviors.
1.3.x: If the disk size is smaller than it has to be, it warns the user and doesn't start the tenant until the user specifies the right/minimum size.
1.4.0: The size is automatically increased to the right/minimum size if the user did not specify a disk size.
1121889-2 : ConfD encryption key can lock up the TPM module
Component: F5OS-A
Symptoms:
Due to a rare error in the HAL layer, the encryption key mechanism can misinterpret the error value as a valid identifier for the system. The TPM is then locked using that identifier, and the actual identifier no longer unlocks the TPM.
Conditions:
This happens rarely, but when it does, system-manager cannot read the encryption keys and will not start ConfD.
This manifests as being unable to enter the configuration when attempting to become admin.
Impact:
The system is unusable. Installing a new ISO does not help.
The TPM must be cleared to become unlocked. Once the TPM is cleared, a new key is generated, so existing encrypted data needs to be re-encrypted. This will require that the ConfD system database be reset to default.
Workaround:
The workaround is to do the following:
# docker exec system_platform-mgr tpm2_takeownership -c
# docker restart system_manager
# su admin
# config
# (config) system database reset-to-default proceed yes
# exit; exit
# docker restart system_api_svc_gateway
Fix:
The incorrect identifier is now ignored and the lockup is avoided.
Note that the fix does not unlock a locked system. The workaround will have to be applied first.
1117649-2 : rSeries Appliance inoperable after powering down from Linux while configured for Appliance mode
Component: F5OS-A
Symptoms:
If the rSeries device is powered down from Linux (for example, using 'halt -p', 'poweroff', or 'shutdown -h now') while in Appliance mode, the device becomes permanently disabled.
In this state, nothing external can be done to power on the Linux host, for example, cycling power, accessing the LCD Power on option, or pressing the Power button.
Trying to access the AOM menu from the serial console reports the following message:
AOM Command Menu - disabled for security purposes.
Conditions:
-- Appliance mode is enabled (this is the state the 'appliance-setup-wizard' sets when it runs to completion).
-- The host is powered down (for example, using 'halt -p', 'poweroff', or 'shutdown -h now')
Impact:
The AOM command menu is not available to power on the host. A power cycle of the appliance does not power on the host.
The disabled appliance must be replaced.
Workaround:
***Important!***
If the BIG-IP rSeries appliance is configured for Appliance mode, do not power off the device using commands such as 'halt -p', 'poweroff', or 'shutdown -h now'.
Instead, run 'halt' and then remove power from the system (for example, unplug, remove power brick, remove power from rack).
Note: If you have already encountered this issue, contact F5 Support :: https://www.f5.com/services/support to request an RMA. For more information, refer to K12882: Overview of the F5 RMA process :: https://support.f5.com/csp/article/K12882 .
Fix:
Appliance mode no longer disables the AOM menu, so the power-on host command is available with console access to the appliance.
1117621-2 : After an appliance upgrade from 1.0.1 to 1.1.1, a tenant in Provisioned state may show inconsistent CLI status★
Component: F5OS-A
Symptoms:
After an appliance upgrade from 1.0.1 to 1.1.1, if the running-state of a tenant is configured in the Provisioned state, the operational status of the tenant may oscillate between "Ready to deploy" and "Allocating resources to the tenant is in progress" state in the partition CLI status.
Conditions:
A race condition exists after an appliance upgrade from 1.0.1 to 1.1.1, that may display an inaccurate tenant operational state when the tenant is configured as Provisioned.
Impact:
The tenant state constantly changes.
Workaround:
Configure the running-state of the tenant to Deployed.
1117577 : Management interface is not accessible if core system daemons are not running
Component: F5OS-A
Symptoms:
If the system management daemon (confd) is not able to run when the system starts up, the system will not configure its management IP address and will not have network connectivity.
Conditions:
rSeries appliance
Impact:
Management connectivity is lost, and the only way to access the system is via serial console.
Workaround:
An administrator can configure an IP address and default route for an rSeries appliance when logged in from the serial console using the "ip" command.
For instance, the following commands temporarily assign a management IP address of 198.51.100.100 to the appliance, and create a default route via a gateway of 198.51.100.254.
ip addr add 198.51.100.100/24 dev mgmt0-system
ip route add default via 198.51.100.254
Fix:
Apply the IP configuration workaround described above.
1117461 : CVE-2021-3538 satori/go.uuid: predictable UUIDs generated via insecure randomness
Component: F5OS-A
Symptoms:
Versions of satori/go.uuid have a flaw which allows for predictable UUIDs to be generated.
Conditions:
N/A
Impact:
N/A
Workaround:
There is currently no workaround for this CVE; however, later versions of F5OS-A have been updated to remove satori/go.uuid and replace it with gofrs/uuid, which does not have this vulnerability.
Fix:
The satori/go.uuid package has been removed and replaced with gofrs/uuid in F5OS-A 1.3.0 and later versions.
1117417-2 : Database config restore failed on rSeries appliance
Component: F5OS-A
Symptoms:
System database config-restore fails when the system images present at the time the backup was taken do not match the images currently present on the system.
Conditions:
The current system images that are present on the system (show system image) do not match the list of images that are stored in the backup file.
Impact:
Config restore fails.
Workaround:
Edit the configuration backup file and delete the <image> stanza, from:
<image xmlns="http://f5.com/yang/system/image">
to
</image>
Fix:
Configuration restore on rSeries appliances now works regardless of differences in the set of available system software images.
1117277-2 : Occasional issue observed when tenant deployed on r2xxx/r4xxx series
Component: F5OS-A
Symptoms:
The r2xxx/r4xxx appliance interface drivers are not created in time, which leads to tenant deployment failure after PXE boot, live upgrade, reboot, or port profile change.
Conditions:
Live upgrade from any version to v1.1.1, PXE boot, reboot, or port profile change.
Impact:
Occasionally, the tenant fails to come up after deployment.
Workaround:
None
1117237-2 : FPGA bit files are not updated to the latest version after a live upgrade
Component: F5OS-A
Symptoms:
FPGA bit files are not updated to the latest version after a live upgrade.
Conditions:
Live upgrade to an ISO file.
Impact:
Unexpected behavior with tenant and traffic.
Workaround:
Run the following commands from the bash prompt:
1. /bin/systemctl stop appliance_orchestration_manager_container.service
2. /bin/systemctl stop platform-services-deployment.service
3. reboot
Once the system is rebooted, the correct bit files will be installed.
Fix:
Cleaned up the stale/old container volumes before bringing up the new containers.
1116869-1 : Tcpdump on F5OS does not capture packets of certain sizes
Links to More Info: BT1116869
Component: F5OS-A
Symptoms:
When using tcpdump on the F5OS host, packets of certain sizes may not be captured via tcpdump.
Conditions:
Packets larger than 1483 bytes and smaller than 1501 bytes, as well as several other size ranges, are affected by this issue.
Impact:
Tcpdumps may be incomplete.
Fix:
Packets of certain sizes are no longer dropped.
1116185-1 : Removing multiple images simultaneously from the webUI causes an error
Component: F5OS-A
Symptoms:
The image removal action handler takes the input and processes it one item at a time. From the CLI/RESTCONF interface, the user can provide one image at a time. But the webUI allows the user to select multiple images and click Delete to remove them in a single click. This was creating a backend handler issue that caused the image agent to crash.
Conditions:
When multiple images are selected and processed for removal from the webUI.
Impact:
In this situation, all subsequent image removal requests cause an error: "Error: application communication failure".
Workaround:
The issue is fixed in F5OS-A 1.2.0. To avoid this situation in other releases of F5OS-A, the user must select one image at a time for deletion from the webUI.
Restarting the image agent service recovers the system from this state.
Fix:
The issue is fixed by improving the image removal process.
1116169 : WebUI does not inform users that file transfer status may take some time to return depending on various factors like network speed
Component: F5OS-A
Symptoms:
The webUI does not inform users that file transfer status may take some time to return depending on various factors like network speed, which could lead to some confusion.
Conditions:
Occasional delay in fetching file transfer status due to network speed and other factors.
Impact:
Missing clarity on file transfer success/failure.
Workaround:
If the file transfer status is not visible immediately, it appears automatically within 15 seconds, because the webUI polls the API continuously.
Fix:
Informative text is now displayed on the file import/export screens to set user expectations.
1114485-1 : K3s cluster goes to unhealthy state when system is rebooted after changing hostname.
Component: F5OS-A
Symptoms:
When the system hostname is changed and the system is rebooted, all or some of the following symptoms may be encountered:
-- System-related pods in K3s are stuck in a failure state.
-- The K3s cluster shows more than one node.
-- OMD continuously cores.
Conditions:
The system is rebooted after the hostname is configured in confd.
Impact:
-- K3s cluster goes into an unhealthy state.
-- Tenant functionality is impacted.
Workaround:
None
Fix:
Changing the hostname via confd does not change the system hostname.
Configured hostname is reflected only in the bash and confd prompts.
When no hostname is configured, the bash prompt uses a default PS1 prompt.
1114437 : Ambiguous error message when user configures duplicate IP port combination
Component: F5OS-A
Symptoms:
A duplicate IP/port combination is not allowed in allowlist configuration. Allowlist is mainly used to allow traffic from specific source addresses.
The error message is generic and does not describe the problem.
Conditions:
An error is displayed when the user tries to configure the same IP and port as part of two different allowlist profiles.
Impact:
The error message is not descriptive, and the user might not be able to identify the issue immediately.
Workaround:
N/A
Fix:
A descriptive error message is displayed on the screen, informing the user about a duplicate IP and port.
1114369 : Error log "Failed to execute iptable cmd: ," getting generated when trying to add same port to allow list
Component: F5OS-A
Symptoms:
When an allowed IP for the same port is added more than once, this log is generated.
Conditions:
Add allowed IP for the same port more than once.
Impact:
No impact on functionality. The function to remove the default rule, which is failing, is being called every time.
Workaround:
N/A
Fix:
The log is no longer generated.
1114173 : LOP Controller RX error: unknown
Component: F5OS-A
Symptoms:
Within the platform.log file, one can see a large number of error messages with the text including "LOP Controller RX error: unknown".
Conditions:
When the LOP firmware is upgraded to a recent version, new messages around the PSU PMBus have been added. When the application software is rolled back to an older version, the HAL layer no longer recognizes those messages and reports an unknown message error.
Impact:
The issue does not impact the operation of the product.
Workaround:
Updating to a more recent version of the rSeries ISO will prevent the message from showing up in the platform.log file.
Fix:
Update to a more recent version of the rSeries ISO.
1112533-1 : Status LED color always stays amber
Component: F5OS-A
Symptoms:
The status LED is always amber.
Conditions:
This occurs during normal operation when the status LED should be green.
Impact:
Status LED may not change to green when system is operational.
Workaround:
None
Fix:
Added a diagnostic task that periodically monitors and sets status LED color to green.
1112229-1 : File download API changes to support file download from the webUI
Component: F5OS-A
Symptoms:
The header information is not effective for downloading files from the webUI.
Conditions:
X-Auth token is required to download from the webUI.
Impact:
Downloading files from the webUI fails.
Workaround:
None
1112141-2 : 10G/25G/40G burst support in rSeries appliance
Component: F5OS-A
Symptoms:
When a burst of traffic at 100Gb/s is sent to a 10G/25G/40G port, the burst size supported by the rSeries appliance depends on the buffer size. Once the buffer is full, packets are dropped.
Conditions:
-- Use of 10G/25G/40G ports.
-- A 100Gb/s burst of traffic occurs.
Impact:
This results in loss of egress packets.
Workaround:
None
Fix:
Improved the burst capability on rSeries appliances when 10G/25G/40G ports are used.
1111549-1 : System import functionality is unstable if PXE install source is not imported★
Links to More Info: BT1111549
Component: F5OS-A
Symptoms:
If a VELOS controller or rSeries appliance is PXE installed with a given ISO, and that ISO is not imported manually on the controller after the installation, future imports may fail or be left in an inconsistent state.
Conditions:
1. PXE install VELOS system controller or rSeries appliance
2. Fail to manually import ISO used for PXE install
3. Import other software
Impact:
Confusing import and upgrade failures under conditions that seem like they shouldn't produce issues.
Workaround:
After PXE installing a VELOS controller, make sure to manually import the ISO used for PXE install before importing any other platform software components.
Fix:
Better handling for cases where the ISO that is used for PXE install of VELOS controllers is not imported after the install.
1111533 : PSU status undeterminable under "show system events" output
Component: F5OS-A
Symptoms:
The "show system events" log messages are not clearly communicating PSU status.
Conditions:
The "show system events" command in ConfD always shows "Presence detected" when the power supply is asserted and de-asserted.
Impact:
The user might not be able to conclude whether the PSU is present or removed.
Workaround:
N/A
Fix:
User is now able to see "Absent" when PSU is physically removed and "Presence detected" when PSU is connected.
1111237-1 : Logrotate parameters do not get updated by software upgrade
Links to More Info: BT1111237
Component: F5OS-A
Symptoms:
If the parameters (frequency/size) for log file rotation are updated in a new software release, they are not updated on the target system during upgrade. The result is that the size of retained log messages depends on the upgrade history, not on the software version.
Conditions:
System that is live upgraded from any version to any other version prior to F5OS-C 1.5.0.
Impact:
When logfiles are collected by qkview, differing amounts of data may be gathered, perhaps omitting information that was intended to be collected.
Workaround:
None.
Fix:
The system updates the logrotate parameters during software install, so that the settings correspond to the software version, not the upgrade history.
1110429-1 : Duplicate service-instance entries in chassis partition
Links to More Info: BT1110429
Component: F5OS-A
Symptoms:
In rare circumstances, when viewing the partition service-instance entries, duplicate entries will exist for system level daemons like LACPD, L2FwdSvc, and SwRbcaster. The issue occurs rarely, and the user should only notice a cosmetic difference.
Conditions:
Adding blades to and removing blades from a partition may trigger the issue.
Impact:
Display is not correct.
Workaround:
Delete and recreate the affected partition.
Fix:
Duplicate service-instance entries will be removed in cases of a blade rebooting and a blade being added to a partition.
1109029-1 : Host Logs in F5OS-A not being rotated
Component: F5OS-A
Symptoms:
Log files under /var/log in the host OS can grow to multiple GB.
Conditions:
Log files under /var/log are not included in the logrotate configuration.
Impact:
Log files grow to multiple GB, consuming a significant amount of hard disk space.
Workaround:
N/A
Fix:
Host Logs in F5OS-A are now being rotated as expected.
1109021-2 : CLI commands are not logged in audit.log
Links to More Info: BT1109021
Component: F5OS-A
Symptoms:
CLI commands from ConfD are not getting logged in audit.log.
Conditions:
Execute commands using the ConfD CLI.
Impact:
CLI commands that are required for security compliance audits are not logged in the audit.log file.
Workaround:
None
1108509 : Unable to fetch appliance fan speed using SNMP
Component: F5OS-A
Symptoms:
Unable to get appliance fan RPMs using SNMP (for example, snmpget/snmpwalk).
Conditions:
Appliance with management IP and allowlist configuration.
Impact:
User cannot fetch fan RPMs using SNMP; an SNMP walk will fail.
Workaround:
Fan speed can be fetched using CLI.
Fix:
Support to fetch fan details is added to the appliance code in 1.3.0, and data can now be fetched using SNMP.
1106881-3 : F5OS with an AFM license provisioned may provide incorrect AFM stats to a BIG-IP tenant
Links to More Info: BT1106881
Component: F5OS-A
Symptoms:
This is an intermittent problem where the affected BIG-IP tenant may receive incorrect statistics from the F5OS platform. This can cause the BIG-IP tenant to drop DNS traffic that should not be dropped.
Typically, the BIG-IP tenant will have periods of time where it receives the correct stats, and periods where it receives incorrect stats.
Conditions:
All of the below must be true:
-- Two or more BIG-IP tenants are deployed either on the same node in a partition or on the same appliance.
-- An AFM license is installed on the F5OS platform.
-- At least one tenant is receiving malformed DNS traffic.
Impact:
Clients that send DNS traffic to the affected BIG-IP tenant will not receive DNS responses when they should.
Workaround:
When AFM is provisioned for the system, deploying tenants on different nodes on a chassis based system or one tenant per appliance avoids the issue.
Fix:
BIG-IP tenants receive the correct platform statistics regardless of the node in which they are deployed.
1105001-1 : Large tar/gz/iso file download via the restconf API fails.
Links to More Info: BT1105001
Component: F5OS-A
Symptoms:
Downloading large tar/gz/iso files using the restconf API results in a corrupted file.
Conditions:
Large tar/gz/iso file download via the restconf API.
Impact:
Download fails; the downloaded file is corrupted.
Workaround:
None
Fix:
Fixed the code to download large tar/gz/iso files.
1104745-1 : Request for a webUI option to clear/reset the STP mode configuration
Component: F5OS-A
Symptoms:
On the webUI STP Configuration screen, the user does not have an option to clear STP mode once they have selected an STP mode.
Conditions:
The user has selected an STP mode.
Impact:
Once the STP mode is selected, the user does not have an option on the webUI to clear the selection.
Workaround:
None
Fix:
Added a new 'disabled' option to the STP mode selection. Selecting it clears the previous STP mode selection.
1104569 : On upgrading, the correct webUI changes are not reflected
Component: F5OS-A
Symptoms:
On upgrading from one F5OS-A version to another, the appropriate webUI changes are not reflected, and the older changes still persist.
Conditions:
Upgrading from one F5OS-A version to another.
Impact:
Appropriate changes with respect to the version are not reflected on the webUI.
Workaround:
Refresh the containers by running /usr/libexec/platform-deployment stop followed by /usr/libexec/platform-deployment start.
Fix:
The fix cleans up stale volumes so that new volumes are mounted after a system reboot. A --remove-orphans flag was added to docker-compose down to remove volumes created in the previous docker-compose run. appliance_orchestration_manager is now stopped separately, because it uses the config_vlogsev volume, which is also used by other containers, and it is not part of the platform.yml file. In addition, docker-compose down is now run before services are started at the beginning of the platform-deployment service, to handle upgrading from a broken ISO to a fixed ISO.
1104541 : MIBs directory content is not accessible
Component: F5OS-A
Symptoms:
Directory contents are not accessible from ConfD API.
Conditions:
When the file list ConfD API is used on the MIBs directory, it reports an invalid path.
Impact:
Directory contents cannot be viewed through the ConfD API.
Workaround:
N/A
Fix:
The MIBs directory content is now accessible as expected.
1103001 : Tenants fail to come up after a live upgrade from pre-1.1.0 version to 1.1.0 on the r4xxx appliances★
Component: F5OS-A
Symptoms:
When a live upgrade is attempted from a pre-1.1.0 release to a 1.1.0 release on the r4xxx series of appliances, the tenants will not come up after the live upgrade.
The symptoms that will be seen are:
The ICE driver may not load ("lsmod | grep -i ice" shows no line containing 'ice'), no VFs are created, and tenant deployment fails.
Conditions:
-- An F5OS upgrade is performed on an r4xxx series appliance to version 1.1.0
-- The appliance was running pre-1.1.0 software
-- A license is installed
-- Tenant deployment is attempted
Impact:
Tenant deployment fails after live upgrade as the ICE driver is not loaded.
Workaround:
1. After the live upgrade, confirm that the tenant is failing to deploy.
2. Confirm that "lsmod | grep -i ice" shows no line containing 'ice'.
3. Reboot the system.
4. Run lsmod again; it should now show the ice module line.
Fix:
Fixed in all versions after 1.1.0.
1102137-2 : Diagnostics ihealth upload qkview-file does not auto-complete with available qkview file names
Component: F5OS-A
Symptoms:
The ConfD command system diagnostics ihealth upload qkview-file is not tab-expandable, and you are not presented with the list of available qkview files.
Conditions:
Running "system diagnostics ihealth upload qkview-file <TAB>" to see the list of available qkview files.
Impact:
The available qkview files are not presented using tab autocomplete.
Workaround:
Run "system diagnostics qkview list" to obtain the list of available qkview files, and then manually type the desired qkview file name in when using the "system diagnostics ihealth upload qkview-file" command.
Fix:
Pressing <TAB> after system diagnostics ihealth upload qkview-file will produce a list of available files. Entering part of the name and <TAB> will auto-complete selecting a valid and available qkview file name.
1101365 : Delay in tenant deployment with tenant image corruption error
Component: F5OS-A
Symptoms:
The system posts an intermediate error message:
Tenant image corrupted - Update the tenant config with proper image.
This error auto-recovers within 20 seconds.
Conditions:
Observed intermittently while bringing up the tenant.
Impact:
There is a delay in tenant deployment with an intermediate error on the CLI console.
Workaround:
None
1101237-1 : When configured for SNMP, the system does not properly report a sysObjectID for the F5OS system
Component: F5OS-A
Symptoms:
F5OS systems may not be detected by SolarWinds or other management systems due to the wrong sysObjectID configuration in SNMP.
Conditions:
SNMP is configured.
Impact:
F5OS systems may not be detected by SolarWinds or other management systems due to the wrong sysObjectID configuration in SNMP.
Fix:
The sysObjectIDs are correct now.
1100305-2 : Tcpdump capture of packets with interface-based filtering fails on r5000 and r10000 appliances
Component: F5OS-A
Symptoms:
On r5000 and r10000, running a tcpdump as follows:
appliance-1# system diagnostics tcpdump -nni 1.0
to filter packets traversing interface 1.0 only, will fail.
The error seen will be "errbuf ERROR:Interface configuration failed. Please retry tcpdump: pcap_loop: Interface configuration failed. Please retry."
and the client will terminate.
Retrying the client will not help, contrary to the message.
Conditions:
Tcpdump capture is started on an r5000 or r10000 device and the option to filter packets based on an interface ("-i" option) is chosen.
Impact:
Tcpdump cannot work in the interface filtering mode.
It will operate in the other modes; only the interface filtering option causes it to be unable to start.
Workaround:
1) Start a tcpdump capture with no interface filter
"system diagnostics tcpdump" or
"system diagnostics tcpdump -nni 0.0"
Packets will be captured from all interfaces, and further (non-interface) filters can be used to narrow down capture
For example:
"system diagnostics tcpdump host 1.1.1.1 and port 80" or
"system diagnostics tcpdump vlan 200"
2) Restart the tcpdump container. This makes the -i option available again.
1099469 : Control plane starvation on a fully loaded rSeries system
Component: F5OS-A
Symptoms:
When an rSeries appliance is running to maximum capacity, and CPU load is 100%, the control plane does not get enough cycles to perform operations.
Conditions:
When an rSeries appliance is running to maximum capacity.
Impact:
The control plane does not get enough cycles to perform operations.
Workaround:
echo 2048 > /sys/fs/cgroup/cpu/kubepods/cpu.shares
Fix:
The kubepods cgroup's cpu.shares is set to 2048 at boot to increase its CPU share.
1099437-1 : Nic-manager core file
Component: F5OS-A
Symptoms:
During a power down sequence the l2-agent may generate a core file. The system comes back up without any issue.
Conditions:
System power loss.
Impact:
Core file is generated.
Workaround:
None
Fix:
A fix has been added to detect and prevent creating an l2-agent core file during a power down.
1099197 : Packet loss caused by failure of internal hardware bus
Component: F5OS-A
Symptoms:
All or 50% of from-network packets arriving at a front panel port are dropped in hardware prior to delivery to tenant(s) running on the CPU. Packet loss is caused by CRC errors on an internal bus connecting two hardware components leading to eventual failure of the bus.
Conditions:
The issue occurs randomly, but is most commonly seen soon after bootup when packets first start to be handled by fastL4 hardware acceleration, hardware per-virtual-server SYN cookie protection, or AFM hardware protection.
Impact:
Total loss of from-network to CPU packets on r5900, r5800, and r5600 appliances, and either total loss or loss of 50% of from-network to CPU packets on r10900, r10800, and r10600 appliances. r4800, r4600, r2800, and r2600 appliances are unaffected.
Workaround:
Reboot the appliance and disable fastL4 acceleration, per-virtual syn cookie hardware protection, and AFM hardware protection before re-enabling ingress traffic.
Fix:
This issue has been corrected.
1097925-1 : Resolving CVEs on F5OS-A 1.1.0
Component: F5OS-A
Symptoms:
F5OS-A 1.1.0 is vulnerable to the CVEs mentioned in the bug.
CVE-2021-27219
CVE-2021-43527
CVE-2022-23852
CVE-2020-10531
CVE-2022-24407
CVE-2018-1000805
CVE-2021-44142
CVE-2020-12321
CVE-2020-24489
CVE-2021-42574
CVE-2020-8625
Impact:
F5OS-A 1.1.0 is vulnerable to the CVEs mentioned in the bug.
1097833 : Debug messages logged in platform.log
Links to More Info: BT1097833
Component: F5OS-A
Symptoms:
When performing an ISO install on the hardware, some services log debug messages to platform.log until ConfD comes up.
Conditions:
This occurs during an ISO install.
Impact:
Unnecessary debug logs are logged to platform.log.
Workaround:
None
1096885-1 : Tenant image filename with special characters allowed to import, but tenant deployment fails
1092049 : CVE-2020-7774 - The package y18n before 3.2.2, 4.0.1 and 5.0.5, allows unsafe operations.
Component: F5OS-A
Symptoms:
The package y18n before 3.2.2, 4.0.1 and 5.0.5, allows unsafe operations.
Conditions:
This affects the package y18n before 3.2.2, 4.0.1, and 5.0.5.
Impact:
N/A
Workaround:
None
Fix:
This has been fixed by upgrading 'react-scripts' to version 4.0.0 and thus 'y18n' to v4.0.3 and replacing 'node-sass' with 'sass' which doesn't require 'y18n'.
1091641-2 : NTP (chrony) packet authentication is not fully implemented on VELOS
Links to More Info: BT1091641
Component: F5OS-A
Symptoms:
It is not possible to enable NTP packet authentication.
Conditions:
Running a version of F5OS-C earlier than 1.5.0.
Impact:
NTP packet authentication is not available.
Workaround:
None
Fix:
Added support for NTP packet authentication.
1090753 : NSO and ASW XBAR packet drops on 10G, 25G, and 40G interfaces.
Component: F5OS-A
Symptoms:
Unexpected egress packet drops can be seen in XBAR for 10G, 25G, and 40G ports.
This is a packet burst congestion issue that overflows XBAR egress buffers. The issue is seen mainly on 10G ports.
Conditions:
This issue can happen when customers are using the 10G, 25G, or 40G front panel interfaces.
Impact:
The impact is egress packets dropped at 10G, 25G, and 40G front panel interfaces.
Workaround:
The workaround for this issue is to upgrade to NSO bitfile version nso_1ST210EU2F50E2VG_v70.2.10.11_d22.06.23.00.bit and ASW bitfile version asw_1ST280EU2F50E2VG_v71.2.12.11_d22.06.15.00.bit. These bitfiles and newer include added packet buffer memory in the XBAR.
The added packet buffer memory greatly improves the packet drop issue, but does not resolve it completely. In testing, packet drops were still seen as system throughput approached 190Gb.
Fix:
The initial fix for this issue is to add memory to the 10G, 25G, and 40G output buffers. Memory was increased from 4Mb to 8Mb.
The added packet buffer memory greatly improves the packet drop issue, but does not resolve it completely. In testing, packet drops were still seen as system throughput approached 190Gb.
1090521 : Tenant deployment may fail if the memory configured is an odd number.
Links to More Info: BT1090521
Component: F5OS-A
Symptoms:
1. Tenant deployment fails.
2. System may go into a bad state.
Conditions:
When memory configured for a tenant is set to an odd number.
Impact:
Tenant deployment fails.
Workaround:
This issue has been fixed in F5OS-A 1.2.0.
1090145-1 : VLAN-Listener incorrectly updated on Network Manager component restart
Links to More Info: BT1090145
Component: F5OS-A
Symptoms:
When the Network Manager component is restarted, VLAN Listener entries can be incorrectly updated to each tenant's default Service ID.
Conditions:
Network Manager restarts can happen due to system controller restarts, partition upgrades, or a manual restart.
Impact:
Some traffic could incorrectly follow the default Port Hash disaggregation algorithm. For example, if a VLAN has been set to use the IPPORT disaggregation algorithm, this reset can cause some of the traffic to revert to using the default Port Hash algorithm.
Workaround:
Inside the affected tenants, the cmp-hash field can be changed back to default, then changed back to the desired setting.
1090089 : NTP service does not work on rSeries appliances
Component: F5OS-A
Symptoms:
The NTP service does not work on rSeries appliances that run F5OS-A.
Running chronyc ntpdata returns "501 Not authorized".
Conditions:
-- rSeries appliance running F5OS-A
-- NTP configured
Impact:
NTP functionality does not work.
Workaround:
Change the directory ownership to chrony using the following command:
chown chrony:chrony /var/run/chrony
Fix:
Updated ownership of the "/var/run/chrony" directory and removed unwanted configuration from "chrony.conf".
1089721 : Prefix length support to allow multiple IP addresses
Component: F5OS-A
Symptoms:
Prefix length was not supported previously, and users had to configure one IP per command in order to support multiple source IPs.
Conditions:
Always
Impact:
Multiple source IP addresses cannot be allowed using a single command.
Workaround:
NA
Fix:
This improvement supports the configuration of prefix length to allow multiple IP addresses using a single command.
Prefix length is an additional parameter in the existing configuration command.
1088565-1 : Various services may stop working on a system controller if the LCD is malfunctioning
Links to More Info: BT1088565
Component: F5OS-A
Symptoms:
Various services may become unresponsive or not work correctly.
Conditions:
LCD is not working or host cannot communicate with the LCD.
Impact:
Any functionality that interacts with platform-hal could be impacted.
Workaround:
Recover or repair the LCD. Rebooting the affected system controller can also help temporarily.
Fix:
Fixed a leak that occurs when platform-hal cannot communicate with the LCD.
1086749-1 : Interface speeds are not reported correctly when linked at a slower speed
Component: F5OS-A
Symptoms:
rSeries 2xxx/4xxx interfaces support linking at certain speeds slower than the portgroup speed, but the interface speed is reported as the higher portgroup speed.
For example:
-- A portgroup in 25G mode accepts a 10G SFP and links at 10G. The interface speed is reported as 25G.
-- A portgroup in 25G mode can link at 1G. The interface speed is reported as 25G.
-- A portgroup in 10G mode can link at 1G. The interface speed is reported as 10G.
Conditions:
This occurs when using an SFP that only supports a slower speed, or when connecting a 10G copper port to a 1G capable device.
Impact:
The interface speed reported in the webUI/CLI is higher than the actual link speed.
Workaround:
You can determine the actual link speed using ethtool, for example:
-- For port 1.0, use ethtool x557_1.
-- For port 5.0, use ethtool sfp_5.
Fix:
Now reports correct interface speeds.
1085925-1 : SSH connection cannot be allowed/blocked based on source IP address
Component: F5OS-A
Symptoms:
There is no command in F5OS-A or F5OS-C that can be used to allow SSH connection only from specific (or range) IP addresses.
SSH connections are allowed from all source IP addresses.
Conditions:
F5 rSeries or VELOS platform
Impact:
Malicious users might be able to connect (SSH) to an F5OS-A or F5OS-C device.
Workaround:
None
Fix:
The existing command "system allowed-ips allowed-ip ..." is enhanced to support SSH. The command can be used to specify source IP addresses that can establish SSH connection.
1085149-1 : Customer requires auth token session to be configurable
Component: F5OS-A
Symptoms:
The restconf token session was not configurable in both F5OS-C and F5OS-A.
Conditions:
F5OS-C or F5OS-A webUI.
Impact:
The session timeout is fixed at one hour, after which the customer has to log in to the webUI again.
Workaround:
N/A
Fix:
This issue is fixed in F5OS-C 1.6.0 and F5OS-A 1.3.0. Now the token session timeout is configurable for up to one day.
1084817-3 : Container api-svc-gateway crashes due to certificate issues in the partition database
Links to More Info: BT1084817
Component: F5OS-A
Symptoms:
The api-svc-gateway container crashes when a bad self-signed certificate or key is published to the partition database.
Conditions:
A corrupted certificate/key causes the issue.
Impact:
The api-svc-gateway service crashes.
Workaround:
Run the following command:
(config) # system database reset-to-default proceed
Fix:
In the scenario this happens, api-svc-gateway now:
* detects when it cannot set up an SSL connection using these credentials
* logs an error
* sets health status to unhealthy with appropriate error and severity
* tries to start a GRPC server with only insecure credentials
1083993-1 : File import should check that the target doesn't exist
Links to More Info: BT1083993
Component: F5OS-A
Symptoms:
File import will fail if the same file name already exists.
Conditions:
Importing a file that already exists on the file system.
Impact:
An error occurs if the file already exists.
Workaround:
None
1083077-1 : LACP trunks are not configured automatically in BIG-IP tenant running on F5OS chassis/appliances
Component: F5OS-A
Symptoms:
When an LACP trunk is configured on an F5OS chassis/appliance and only the native VLAN is attached, the LACP trunk will not be automatically configured on the BIG-IP tenant.
Conditions:
This behavior is observed only when the LACP trunk is attached to a native VLAN.
Impact:
LACP trunk configuration will not be applied to the BIG-IP tenant automatically when only a native VLAN is attached to it on the platform.
Workaround:
Configure the LACP trunk in the BIG-IP tenant manually.
Fix:
LACP trunks are now configured automatically in BIG-IP tenant running on F5OS chassis/appliances, as expected.
1082513 : LACP waitOnAlertFd Errors
Component: F5OS-A
Symptoms:
The system posts error messages in the platform.log:
LacpdHeartBeatsClient::run() waitOnAlertFd Error!
Conditions:
This occurs at startup, reboot, and upgrade.
Impact:
There is no functional impact; you can safely ignore these messages.
Workaround:
None
Fix:
Reduced the frequency of LACP waitOnAlertFd error messages.
1077149-1 : The fpga-tables CLI command results in syntax error in configuration mode
Component: F5OS-A
Symptoms:
When in configuration mode on the CLI and entering the fpga-tables path, a syntax error is encountered. For example:
r5900-2(config)# fpga-tables ?
Possible completions:
<cr>
r5900-2(config)# fpga-tables
-----------------------------^
syntax error: incomplete path
r5900-2(config)#
Conditions:
Performing CLI commands in the fpga-tables path while in configuration mode.
Impact:
The fpga-tables are intended to be operational data only. Configuration of the fpga-tables path is not supported, so the impact is cosmetic. The error can be ignored.
Workaround:
The error can be ignored.
1075693-1 : CVE-2021-22543 Linux Kernel Vulnerability
Links to More Info: K01217337
1075361-1 : Messages log has a very high number of "error" and "fail" entries
Component: F5OS-A
Symptoms:
During system bring up/reboot, various fail and error logs are seen from multiple software components.
Conditions:
During system boot, or after multiple reboots, various error/failure messages may appear in the logs.
Impact:
Users see error/fail messages during system bring-up or reboot.
Workaround:
N/A
Fix:
Fixed the error/fail logs for a few components.
1074093 : Admin console is displayed when SSH login with a new root user★
Component: F5OS-A
Symptoms:
A non-root user can be assigned the root role. If any such user exists, they get an admin console instead of a root console.
Conditions:
A new non-root user is created with root role.
Example :
appliance-1(config)# system aaa authentication users user user_test config username user_test role root
Impact:
A non-root user with the root role is restricted.
Note: In the case of a live upgrade from a previous release to the current one, any non-root user with the root role may cause the upgrade to fail (because non-root users with the root role are restricted); you will need to either delete these users or do a bare-metal install before performing a live upgrade.
Fix:
The fix prevents creation of a non-root user with the root role.
1074001 : service:overall-health attribute reports OK when the service state is unhealthy
Component: F5OS-A
Symptoms:
The service:overall-health value is reported as OK when the state is unhealthy.
Conditions:
When the service state is unhealthy, the service:overall-health attribute is not updated.
Impact:
service:overall-health is not reporting service state properly.
Workaround:
N/A
Fix:
Updated the service:overall-health attribute.
1073581-2 : Removing a 'patch' version of services might remove the associated 'base' version as well
Links to More Info: BT1073581
Component: F5OS-A
Symptoms:
Removing a 'patch' version (X.Y.Z, Z>0) of a platform ISO or services might, under certain conditions, lead to the unexpected removal of the 'base' version (X.Y.0) associated with that patch.
Conditions:
1. A 'patch' ISO is imported when the 'base' associated with the patch is not already imported (example: an F5OS-C 1.2.2 ISO is imported, and F5OS-C 1.2.0 is not already imported).
2. Some time later, the F5OS-C 1.2.2 ISO is removed. This also removes the 1.2.0 services.
Impact:
F5OS-C removes software that wasn't explicitly chosen to be removed.
Workaround:
To work around this issue, import the 'base' version ISO (X.Y.0) before importing any patches. If this is done, removal of a 'patch' will not remove the 'base'. If a 'base' was already removed accidentally, re-importing the 'base' ISO will also make it available again.
Fix:
N/A
1072209-3 : Packets are dropped on VELOS when a masquerade MAC is on a shared VLAN
Links to More Info: BT1072209
Component: F5OS-A
Symptoms:
On the VELOS platform, any packets destined to a masquerade MAC address are dropped when the masquerade MAC is located on a shared VLAN (a VLAN shared between multiple F5OS tenants).
On rSeries hardware platforms, all traffic for this MAC is first handled by the software-rebroadcaster and is replicated to all tenants sharing that VLAN.
Conditions:
-- A masquerade MAC is configured on a shared VLAN.
-- Traffic to the MAC address is initiated, for example by pinging a floating self-IP.
-- The packets are dropped on ingress.
Impact:
Connectivity issues.
Workaround:
Configure a static FDB entry at the partition level.
Fix:
Packets are no longer dropped when a masquerade MAC is on a shared VLAN.
1068517-2 : VLAN connectivity among F5OS tenants is lost
Links to More Info: BT1068517
Component: F5OS-A
Symptoms:
Inbound ARP broadcasts on VLANs shared by tenants on VELOS or rSeries system are not received, and shared VLAN connectivity among tenants is lost.
Conditions:
A high volume of DLF packets is handled by the software rebroadcaster.
Impact:
Loss of connectivity on VLANs shared among tenants.
Workaround:
On a VELOS system, restart the sw_rbcast container on the affected blade:
# docker restart partition_sw_rbcast
On an rSeries appliance, restart the sw_rbcast container on the appliance:
# docker restart system_sw_rbcast
Fix:
This issue no longer occurs.
1062765-1 : Tenant Status shows error "Insufficient f5.com/qat"
Component: F5OS-A
Symptoms:
Some unhealthy events intermittently occur that are related to "Insufficient f5.com/qat" inside ConfD. But the tenant is actually healthy and functional.
Conditions:
Intermittently on a system upgrade. Tenant status might show failed messages in ConfD.
Impact:
No impact, the tenant is actually healthy and functional.
Workaround:
No workaround necessary.
Fix:
Issue fixed in F5OS-A 1.3.0 release.
1062309-1 : "Failed unmounting" errors during shutdown.
Component: F5OS-A
Symptoms:
"Failed unmounting" errors are seen during the shutdown, because of unmounting of temporary directories, which are created during the SW import.
[FAILED] Failed unmounting /var/images/R5R10/1.0.0-10192.
[FAILED] Failed unmounting /var/export/chass...mounts/iso/R5R10/1.0.0-10192/m3.
[FAILED] Failed unmounting /var/export/chass...unts/services/R5R10/1.0.0-10192.
Conditions:
The "Failed unmounting" errors are seen when a system is rebooted.
Impact:
Error statements are seen in the shutdown logs. They can be ignored.
1056453-1 : Tenant datapath will not work if the tenant is named "stpd".
Component: F5OS-A
Symptoms:
If a tenant is created with the name "stpd", there will be a conflict with a system component. The datapath will not function correctly.
Conditions:
A tenant is created with the name "stpd".
Impact:
The datapath for the tenant will not function.
Workaround:
Change the name of the tenant.
Fix:
N/A
1055329-2 : VLAN shared between two tenants might not pass traffic to tenant with non-default CMP hash.
Links to More Info: BT1055329
Component: F5OS-A
Symptoms:
If two tenants on a VELOS chassis are configured with a shared VLAN, one tenant might not pass traffic if it has a non-default CMP hash configured for that VLAN.
Conditions:
-- VELOS chassis
-- Configure a VLAN shared between two or more tenants
-- In one tenant, configure a non-default CMP hash for the VLAN
Impact:
No connectivity.
Workaround:
After configuring a non-default cmp hash, run "docker restart partition_sw_rbcast" on each blade.
Fix:
Fixed operation of shared VLAN when cmp hash is not the default.
1053793-1 : QKView list and status results are difficult to parse
Component: F5OS-A
Symptoms:
The QKView list and status commands return output that can be difficult to read.
Example 1 :: running the command: system diagnostics qkview list:
frodo# system diagnostics qkview list
result {"Qkviews":[{"Filename":"appliance-1.qkview","Date":"2022-06-15T22:59:57.704997979Z","Size":320434703},{"Filename":"cancelme.tar.canceled","Date":"2022-04-28T17:22:10.411870757Z","Size":3734340},{"Filename":"duplicate.qkview","Date":"2022-08-10T20:40:10.966027168Z","Size":490039715},{"Filename":"test.qkview","Date":"2022-06-15T23:21:23.068041954Z","Size":321199668},{"Filename":"test2.qkview","Date":"2022-07-13T19:01:32.712663042Z","Size":416706874},{"Filename":"teststatus.qkview","Date":"2022-08-23T23:27:19.283797639Z","Size":530892644}]}
resultint 0
This output is easier to parse:
FILENAME SIZE CREATED ON
------------------------------------------------------------------
teststatus.qkview 530892644 2022-08-23T23:27:19.283797639Z
duplicate.qkview 490039715 2022-08-10T20:40:10.966027168Z
test2.qkview 416706874 2022-07-13T19:01:32.712663042Z
test.qkview 321199668 2022-06-15T23:21:23.068041954Z
appliance-1.qkview 320434703 2022-06-15T22:59:57.704997979Z
cancelme.tar.canceled 3734340 2022-04-28T17:22:10.411870757Z
Example 2 :: running the command: system diagnostics qkview status:
result {"Busy":false,"Percent":100,"Status":"complete","Message":"Completed collection.","Filename":"teststatus.qkview"}
resultint 0
This output is easier to parse:
system diagnostics qkview state status capture-in-progress false
system diagnostics qkview state status percentage 100
system diagnostics qkview state status status-msg "Completed collection."
system diagnostics qkview state status filename teststatus.qkview
Conditions:
- Running "system diagnostics qkview list" within the CLI
- Running "system diagnostics qkview status" within the CLI
Impact:
Formatting of output makes troubleshooting more difficult.
Workaround:
None
Fix:
QKView output formatting is improved and easier to read, utilizing new commands.
To see a list of QKView files, use the following command within the CLI:
show system diagnostics qkview state files
To see the current status of a captured QKView, use the following command within the CLI:
show system diagnostics qkview state status
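As an added example (not code from these release notes or from F5OS itself), the following Python parser turns the older `result {...}` / `resultint 0` output of the two commands into the table and key/value layouts shown above, and treats a non-zero `resultint` as a failure instead of silently parsing stale data. The sample output is constructed from the values quoted in the entry; the `capture-in-progress`, `percentage`, `status-msg` and `filename` labels mirror the fields of the new status command.

```python
import json
from typing import Dict, List

# Constructed sample output (not captured from a real appliance), modeled on the
# "result {...}" / "resultint 0" responses quoted in the bug entry.
SAMPLE_LIST_OUTPUT = (
    'result {"Qkviews":['
    '{"Filename":"appliance-1.qkview","Date":"2022-06-15T22:59:57.704997979Z","Size":320434703},'
    '{"Filename":"cancelme.tar.canceled","Date":"2022-04-28T17:22:10.411870757Z","Size":3734340},'
    '{"Filename":"teststatus.qkview","Date":"2022-08-23T23:27:19.283797639Z","Size":530892644}'
    ']}\n'
    'resultint 0\n'
)

SAMPLE_STATUS_OUTPUT = (
    'result {"Busy":false,"Percent":100,"Status":"complete",'
    '"Message":"Completed collection.","Filename":"teststatus.qkview"}\n'
    'resultint 0\n'
)


def parse_result(output: str) -> dict:
    """Return the JSON document from the 'result {...}' line.

    The trailing 'resultint N' line is the command's return code; anything
    other than 0 is treated as a failure rather than parsed as good data.
    """
    payload = None
    rc = None
    for line in output.splitlines():
        if line.startswith("result "):
            payload = json.loads(line[len("result "):])
        elif line.startswith("resultint "):
            rc = int(line.split()[1])
    if payload is None or rc is None:
        raise ValueError("output lacks a 'result' or 'resultint' line")
    if rc != 0:
        raise RuntimeError(f"command failed with resultint {rc}")
    return payload


def qkview_rows(list_output: str) -> List[Dict[str, object]]:
    """Flatten the Qkviews array into rows, largest file first (the order
    used by the readable table in the entry)."""
    payload = parse_result(list_output)
    rows = [
        {"filename": q["Filename"], "size": int(q["Size"]), "created": q["Date"]}
        for q in payload["Qkviews"]
    ]
    rows.sort(key=lambda r: r["size"], reverse=True)
    return rows


def format_table(rows: List[Dict[str, object]]) -> str:
    """Render rows as a FILENAME / SIZE / CREATED ON table."""
    name_w = max(len("FILENAME"), *(len(str(r["filename"])) for r in rows))
    size_w = max(len("SIZE"), *(len(str(r["size"])) for r in rows))
    header = f'{"FILENAME":<{name_w}}  {"SIZE":>{size_w}}  CREATED ON'
    lines = [header, "-" * len(header)]
    for r in rows:
        lines.append(f'{r["filename"]:<{name_w}}  {r["size"]:>{size_w}}  {r["created"]}')
    return "\n".join(lines)


def status_lines(status_output: str) -> List[str]:
    """Render the status document as one 'key value' line per field, in the
    style of the 'system diagnostics qkview state status' output."""
    s = parse_result(status_output)
    return [
        f"capture-in-progress {str(bool(s['Busy'])).lower()}",
        f"percentage {int(s['Percent'])}",
        f'status-msg "{s["Message"]}"',
        f"filename {s['Filename']}",
    ]


if __name__ == "__main__":
    print(format_table(qkview_rows(SAMPLE_LIST_OUTPUT)))
    print()
    print("\n".join(status_lines(SAMPLE_STATUS_OUTPUT)))
```

Checking `resultint` before trusting the JSON matters when this is scripted: a failed capture still prints a `result` line, and a collector that ignores the return code would report a stale or empty file list as current.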
1040461-3 : Permissions of some QKView control files do not follow standards
Links to More Info: BT1040461
Component: F5OS-A
Symptoms:
Permissions of some QKView control files do not follow standards.
Conditions:
Viewing permissions of QKView files.
Impact:
Some QKView control file permissions do not follow standards.
Workaround:
None
Fix:
Permissions of all QKView control files now follow the standards.
Known Issues in F5OS-A v1.3.x
F5OS-A Issues
ID Number | Severity | Links to More Info | Description |
1184917-3 | 2-Critical | On rSeries, the MAC masquerade feature is only supported on BIG-IP tenants 15.1.6 and later | |
1168573 | 2-Critical | Tenants failing to come up with error address already in use | |
1156125 | 2-Critical | Tenant status shows error "Liveness probe failed:" in ConfD after reboot | |
1155549 | 2-Critical | iavf/i40evf reset triggers kernel bug at drivers/pci/msi.c:357 | |
1144401 | 2-Critical | F5OS-A kubectl/docker related information missing in qkview | |
1110217-2 | 2-Critical | BT1110217 | System controller is not responding when the disk is out of space |
1109525-1 | 2-Critical | K3s cluster is unhealthy when the system date or time is changed | |
1188141 | 3-Major | Tenant launch gets stuck due to un-initialization of VFs under one or more PF | |
1188101 | 3-Major | Incorrect LCD-UI after upgrade to 1.3.1 | |
1185557-2 | 3-Major | Upgrading to F5OS-A v1.3.1 requires increasing the minimum tenant Virtual Disk Size to 77GB from 76GB to allow editing of existing tenants in the webUI | |
1166905 | 3-Major | Port speed is configurable from restconf for data port interfaces on Appliance devices. | |
1136557 | 3-Major | F5OS config restore fails if .iso or components vary between two devices. | |
1135109 | 3-Major | AAA server group name and type are not displayed on ConfD | |
1132473 | 3-Major | VELOS shows in the wording for "show services service " table on rSeries | |
1120945 | 3-Major | Downgrade to 1.0.1 failed with tenant configuration | |
1110181 | 3-Major | Downgrade from F5OS-A 1.3.0 or later to any release before F5OS-A 1.3.0 with tenants having more than one service can cause redirects | |
1084153 | 3-Major | Tenant deployment will fail when we move tenant (deployed with max vCPU) from provisioned to deployed | |
1083921 | 3-Major | VLAN name change is not allowed once a tenant is launched | |
1080437 | 3-Major | VerifyDmesg test failure | |
1062129 | 3-Major | Tenants are in pending state forever. |
Known Issue details for F5OS-A v1.3.x
1188141 : Tenant launch gets stuck due to un-initialization of VFs under one or more PF
Component: F5OS-A
Symptoms:
On r2x00/r4x00 based systems, tenant launch gets stuck with an error in ConfD tenant status leaf:
"error adding container to network \"sriov-net3-tenant1\": SRIOV-CNI failed to load netconf: LoadConf(): failed to get VF information: \"lstat /sys/bus/pci/devices/0000:ec:00.7/physfn/net: no such file or directory"
The VFs (SR-IOV Virtual Functions) are not listed under a PF (SR-IOV Physical Function) when running the following command:
Command: `ip link show <PF>`
The PF can be one of `x557_1`, `x557_2`, `x557_3`, `x557_4`, `sfp_5`, `sfp_6`, `sfp_7`, `sfp_8`.
For example, the faulty PF (x557_4 in this case) has no VFs listed, compared with the healthy PF (x557_1 in this case):
# ip link show x557_4
18: x557_4: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
link/ether 14:a9:d0:01:56:8a brd ff:ff:ff:ff:ff:ff
# ip link show x557_1
15: x557_1: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
link/ether 14:a9:d0:01:56:87 brd ff:ff:ff:ff:ff:ff
vf 2 MAC 00:00:00:00:11:02, spoof checking on, link-state auto, trust off
vf 2 MAC 00:00:00:00:11:02, spoof checking on, link-state auto, trust off
vf 2 MAC 00:00:00:00:11:02, spoof checking on, link-state auto, trust off
vf 2 MAC 00:00:00:00:11:02, spoof checking on, link-state auto, trust off
Conditions:
On r4x00 or r2x00 based systems:
1. ConfD tenant status leaf reports "LoadConf(): failed to get VF information".
2. The VFs were not created under one or more PFs.
3. One of the entries "x557_1", "x557_2", "x557_3", "x557_4", "sfp_5", "sfp_6", "sfp_7", "sfp_8" is missing from the "/sys/class/net" directory.
For example, when x557_4 is the faulty PF (SR-IOV Physical Function), `/sys/class/net` does not list x557_4:
[root@appliance-1 ~]# ls /sys/class/net/x557_4
ls: cannot access /sys/class/net/x557_4: No such file or directory
[root@appliance-1 ~]#
Impact:
Tenant launch is unsuccessful, and neither the tenant console nor the tenant's management connection is reachable.
Workaround:
Workaround #1
===============
1. Move the tenant(s)' running-state in ConfD to provisioned.
2. Once the missing PF appears in "/sys/class/net", run the "/usr/omd/scripts/config_ice_vfs.sh" script.
3. Run "kubectl rollout restart daemonset kube-sriov-device-plugin-amd64 -n kube-system".
4. Move the tenant(s)' running-state in ConfD to deployed.
Workaround #2 (only when step 2 takes too long)
==================================================
1. If the missing PF has not appeared in "/sys/class/net" within 20 minutes of step 2 in Workaround #1, reboot the host to trigger device probing.
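The three conditions above can be checked in one pass before deciding between the two workarounds. The following POSIX shell script is an added example and is not F5's config_ice_vfs.sh or any other F5OS script: it walks the PF names listed in this issue, reports which are missing from /sys/class/net (condition 3) and, for the ones present, reads the VF count from the generic Linux SR-IOV sysfs attribute device/sriov_numvfs (an assumption: the issue text uses `ip link show` for this, not sysfs) so a PF with zero VFs stands out (condition 2). The sysfs directory is a parameter so the function can also be run against a constructed tree.

```shell
#!/bin/sh
# Added example: diagnose the PF/VF state described in 1188141.
# Not F5 code. Uses the generic kernel sysfs SR-IOV attribute
# device/sriov_numvfs (an assumption; the issue text uses `ip link show`).

# PF names the issue lists for r2x00/r4x00 systems.
PF_LIST="x557_1 x557_2 x557_3 x557_4 sfp_5 sfp_6 sfp_7 sfp_8"

# check_pfs [sysfs-net-dir]
# Prints one line per PF: "<pf> missing" or "<pf> vfs=<n>".
# Returns 0 only if every PF is present and has at least one VF.
check_pfs() {
  root="${1:-/sys/class/net}"
  rc=0
  for pf in $PF_LIST; do
    if [ ! -e "$root/$pf" ]; then
      # Condition 3: the PF never appeared in sysfs (device not probed).
      echo "$pf missing"
      rc=1
      continue
    fi
    n=0
    if [ -r "$root/$pf/device/sriov_numvfs" ]; then
      n=$(cat "$root/$pf/device/sriov_numvfs")
    fi
    echo "$pf vfs=$n"
    # Condition 2: the PF is present but no VFs were created under it.
    [ "$n" -gt 0 ] 2>/dev/null || rc=1
  done
  return $rc
}

# Run directly: sh check_pfs.sh --check [sysfs-net-dir]
# Otherwise source the file and call check_pfs from a shell.
if [ "${1:-}" = "--check" ]; then
  check_pfs "${2:-/sys/class/net}"
fi
```

A non-zero exit with a "missing" line points at Workaround #2 territory (the device was never probed); a present PF with vfs=0 is the case config_ice_vfs.sh in Workaround #1 is meant to fix.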
1188101 : Incorrect LCD-UI after upgrade to 1.3.1
Component: F5OS-A
Symptoms:
An upgrade to F5OS-A 1.3.1 includes an LCD-UI firmware upgrade. The platform inventory does not reflect this correctly: the version displayed is the one from before the LCD-UI upgrade.
Conditions:
The issue is seen when AFU triggers an LCD-UI upgrade. There is no issue when the LCD-UI is not upgraded.
Impact:
The LCD-UI is upgraded successfully to the desired version, but the version displayed in the platform inventory ("show components component properties property") is not correct.
Workaround:
The next reboot will update platform inventory with the correct LCD-UI firmware version.
1185557-2 : Upgrading to F5OS-A v1.3.1 requires increasing the minimum tenant Virtual Disk Size to 77GB from 76GB to allow editing of existing tenants in the webUI
Component: F5OS-A
Symptoms:
After upgrading to F5OS-A v1.3.1 from an earlier version, when you attempt to edit the attributes and parameters of an existing tenant, the Save button on the screen does not become selectable.
Conditions:
Applies when upgrading from an earlier F5OS-A version to F5OS-A v1.3.1 while preexisting configured, provisioned, or deployed tenants are present.
Impact:
If the Virtual Disk Size of a preexisting tenant is not increased to at least 77GB, you cannot edit and save that tenant's configuration via the webUI.
Workaround:
On the Add/Edit Tenant screen, increase the tenant's Virtual Disk Size to at least 77GB in addition to any other configuration changes, and the Save button becomes enabled. Alternatively, edit the tenant via the CLI.
1184917-3 : On rSeries, the MAC masquerade feature is only supported on BIG-IP tenants 15.1.6 and later
Component: F5OS-A
Symptoms:
The MAC masquerade feature is only supported on BIG-IP tenant versions 15.1.6 and later. Using the feature in an HA pair can cause traffic to fail over incorrectly between the pair.
Conditions:
MAC masquerade is used on rSeries with a BIG-IP tenant version earlier than 15.1.6.
Impact:
Traffic may be degraded on a failover between an HA pair.
Workaround:
Upgrade BIG-IP tenant version to 15.1.6 or later.
1168573 : Tenants failing to come up with error address already in use
Component: F5OS-A
Symptoms:
rSeries tenants fail to come up with an "address already in use" error when they are deployed before the system has completed the downgrade from 1.3.0 to 1.2.0.
Conditions:
An rSeries appliance takes up to 8 minutes to properly downgrade from 1.3.0 to 1.2.0.
The issue occurs if a tenant is deployed before the downgrade has completed.
Impact:
Tenants will land in an error state (address already in use) and cannot be recovered unless the system is rebooted.
Workaround:
Wait at least 8 minutes for the downgrade to complete before deploying tenants.
1166905 : Port speed is configurable from restconf for data port interfaces on Appliance devices.
Component: F5OS-A
Symptoms:
Users can set the port speed of data ports using RESTCONF.
This applies only to Appliance devices.
Conditions:
This is a user configuration action; RESTCONF access is required to configure the system.
Impact:
There is no functional impact, but data port speed is internal to the system and users are advised not to configure it.
Workaround:
N/A
1156125 : Tenant status shows error "Liveness probe failed:" in ConfD after reboot
Component: F5OS-A
Symptoms:
Intermittently, unhealthy events related to "Liveness probe failed:" appear in the tenant status in ConfD, while the tenant is actually healthy and functional.
Conditions:
Intermittently after system reboots. The tenant status may show failed messages in ConfD.
Impact:
No impact, tenant is actually healthy and functional.
Workaround:
None
1155549 : iavf/i40evf reset triggers kernel bug at drivers/pci/msi.c:357
Component: F5OS-A
Symptoms:
A vmcore-dmesg.txt core is generated in /var/crash with the following trace:
[ 3686.956609] [<ffffffff8ae10435>] pci_disable_msix+0x35/0x40
[ 3686.990468] [<ffffffffc0862323>] iavf_reset_interrupt_capability+0x23/0x40 [iavf]
[ 3687.035753] [<ffffffffc0862ff7>] iavf_remove+0x147/0x350 [iavf]
[ 3687.071682] [<ffffffff8adf076e>] pci_device_remove+0x3e/0xd0
[ 3687.106053] [<ffffffff8aed6b12>] __device_release_driver+0x82/0x110
[ 3687.144063] [<ffffffff8aed6bc3>] device_release_driver+0x23/0x30
[ 3687.180512] [<ffffffff8ade7ac4>] pci_stop_bus_device+0x84/0xa0
Conditions:
On shutdown, an iavf device that is already disabled is disabled again (pci_disable_msix is called from iavf_remove).
Impact:
There is no impact.
Workaround:
N/A
1144401 : F5OS-A kubectl/docker related information missing in qkview
Component: F5OS-A
Symptoms:
Kubectl/docker information from the system is not collected as part of qkview.
Conditions:
Whenever a qkview is generated on the system.
Impact:
Kubectl/docker information is not available in the qkview for troubleshooting.
Workaround:
No workaround.
1136557 : F5OS config restore fails if .iso or components vary between two devices.
Component: F5OS-A
Symptoms:
If the .iso or components of the device the backup was taken from do not match those of the device being restored, the restore operation fails with an admin access denied error:
Error: Database config-restore failed.
Conditions:
Take a config backup from one device and restore it on another device whose .iso or components differ.
Impact:
Configuration restore fails.
Workaround:
Ensure that .iso and components match when performing backup and restore between devices.
1135109 : AAA server group name and type are not displayed on ConfD
Component: F5OS-A
Symptoms:
When a server group is created on an appliance, "show system aaa server-groups" does not display the name and type of the server group.
Conditions:
When a AAA server group is created (LDAP/RADIUS/TACACS).
Impact:
appliance-1# show system aaa server-groups
NAME NAME TYPE
------------------------
ldap-group - - ----> Name and type are not displayed
Workaround:
N/A
1132473 : VELOS shows in the wording for "show services service " table on rSeries
Component: F5OS-A
Symptoms:
When the user runs "show services service" on rSeries:
appliance-1# show services service
Possible completions:
9 Service id is unique and generated by Network Manager
displaylevel Depth to show
| Output modifiers
<cr>
Possible match completions:
ipv6-prefix-length Networking mask used by disaggregator algorithms
tenant_name Tenant name associated with each Service
tier1_dag_profile sDAG on VELOS <--
tier2_dag_profile eDAG on VELOS <--
You can see "VELOS" in the description; this text is incorrect. It should either say "rSeries" or no platform at all.
Conditions:
Run "show services service".
Impact:
No functional impact.
Workaround:
N/A
1120945 : Downgrade to 1.0.1 failed with tenant configuration
Component: F5OS-A
Symptoms:
When an appliance system has tenants configured already, attempting to downgrade to version 1.0.1 fails, and the appliance will not become operational.
Conditions:
During the downgrade process, the system reboots and attempts to come up on the 1.0.1 release. During bring-up, tenant configuration validation fails, which prevents the system from becoming operational.
Impact:
Downgrade to 1.0.1 is not possible if tenants are already configured.
Workaround:
Remove all tenants and then perform the downgrade to 1.0.1.
1110217-2 : System controller is not responding when the disk is out of space
Links to More Info: BT1110217
Component: F5OS-A
Symptoms:
System becomes unresponsive when the disk runs out of space. This could happen when multiple qkview logs are generated and stored on the disk.
Conditions:
When the disk runs out of space, some applications stop or restart, and those that restart do so improperly.
Impact:
The controller on which the disk has run out of space will not come up properly. A controller restart is required.
Workaround:
Clean up unwanted files from the disk, then reboot the controller using one of the options below.
Recovery options
1. Restart all containers on the affected controller using "systemctl restart platform-services-deployment.service".
2. From the CLI of another controller, reboot the standby controller using the "system reboot controllers controller standby" command.
1110181 : Downgrade from F5OS-A 1.3.0 or later to any release before F5OS-A 1.3.0 with tenants having more than one service can cause redirects
Component: F5OS-A
Symptoms:
F5OS-A 1.3.0 and later releases add a DAG capability that enables the "dag-adjust" and "ipv6-prefix-length" settings in combination with BIG-IP tenant version 15.1.8 and later.
If you downgrade from F5OS-A 1.3.0 or later to a release before F5OS-A 1.3.0 while running a BIG-IP tenant version 15.1.8 or later, the platform creates duplicate service entries. Because the DAG profile then differs between the platform and the tenant, packets are redirected.
Conditions:
Downgrading from F5OS-A 1.3.0 or later to any release before F5OS-A 1.3.0 with BIG-IP tenant software version 15.1.8 or later.
Impact:
Performance degrades due to packet redirects.
Workaround:
Workaround steps:
1. Back up the configuration of the tenant that experienced this issue -> https://support.f5.com/csp/article/K13132
2. Copy the configuration backup off the tenant to another host
3. Take note of the affected tenant's configuration on the platform -> show running-config tenants tenant <name>
4. Delete the affected tenant
5. Recreate the tenant with the same configuration noted in step #3
6. Copy the tenant configuration backup taken in step #1 back to the tenant and reload the configuration
1109525-1 : K3s cluster is unhealthy when the system date or time is changed
Component: F5OS-A
Symptoms:
When the system date is changed, some of the k3s cluster certificates become invalid, and pods enter an unknown/non-operational state.
Once the system date and time are set back to the current time, most pods recover.
Some of the virt-controller/virt-operator/virt-api kubevirt pods remain in a failed state, but tenant functionality is not affected.
Conditions:
The system date and time are changed back and forth.
Impact:
Some of the k3s pods go into a failed/non-operational state.
Workaround:
Re-spinning the certificates restores the pods.
Delete the pods that are in a terminating or crashed state to trigger a certificate re-spin.
The orchestration manager restarts each deleted pod with a new certificate.
Command to delete a pod:
# kubectl delete pod <pod-name> -n <name-space>
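To see which pods the workaround applies to before deleting anything, the following POSIX shell function is an added example (not an F5OS tool): it reads the output of `kubectl get pods -A` from a file and prints a `kubectl delete pod <name> -n <namespace>` command for every pod whose STATUS column is neither Running nor Completed, so the list can be reviewed before it is executed. The sample output embedded below is constructed, with hypothetical pod names, so the function can be exercised offline; on a live system, save `kubectl get pods -A > pods.txt` and pass that file.

```shell
#!/bin/sh
# Added example, not F5OS code: list pods stuck after a clock change
# (1109525) and emit the delete commands from the workaround.

# stuck_pods <file containing `kubectl get pods -A` output>
# Column layout of `kubectl get pods -A`: NAMESPACE NAME READY STATUS RESTARTS AGE.
# Emits "kubectl delete pod <name> -n <namespace>" for each pod whose STATUS
# is neither Running nor Completed (e.g. Unknown, CrashLoopBackOff, Terminating).
stuck_pods() {
  awk 'NR > 1 && $4 != "Running" && $4 != "Completed" {
         printf "kubectl delete pod %s -n %s\n", $2, $1
       }' "$1"
}

# Constructed sample (hypothetical pod names) showing the state the issue describes.
SAMPLE_PODS='NAMESPACE     NAME                              READY   STATUS             RESTARTS   AGE
kube-system   coredns-6d4b75cb6d-abcde          1/1     Running            0          3h
kube-system   virt-api-7c9b8d6f4-fghij          0/1     CrashLoopBackOff   12         3h
kube-system   virt-controller-5f6d7c8b9-klmno   0/1     Unknown            0          3h
kube-system   virt-operator-6c8d9e7f5-pqrst     0/1     Terminating        0          3h'

# demo_stuck_pods: runs stuck_pods over the constructed sample and prints the result.
demo_stuck_pods() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_PODS" > "$f"
  stuck_pods "$f"
  rm -f "$f"
}
```

Review the printed commands, then run them (for example by piping the output through `sh`) once you are satisfied they target only the stuck kubevirt pods and not healthy ones.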
1084153 : Tenant deployment will fail when we move tenant (deployed with max vCPU) from provisioned to deployed
Component: F5OS-A
Symptoms:
Tenant deployment fails when a tenant deployed with the maximum vCPU count is moved from provisioned to deployed while its old resources are still terminating in the system.
Conditions:
When the same tenant is redeployed immediately, the appliance cannot allocate resources because the old resources have not yet been released back to the system. This issue is observed only on r2k/r4k, not on r5k/r10k.
Impact:
Tenant deployment will be stuck in a pending state forever.
Workaround:
Move the tenant to the provisioned state, wait for its resources to terminate completely in the system, and then move it to the deployed state.
1083921 : VLAN name change is not allowed once a tenant is launched
Component: F5OS-A
Symptoms:
When you change a VLAN name on an rSeries (r2x00 or r4x00) appliance, the BIG-IP tenant does not honor the name change.
Conditions:
-- One or more tenants are running on an rSeries (r4x00 or r2x00) platform.
-- A VLAN name is changed for a VLAN that is in use by a running tenant.
Impact:
Changing the VLAN name after a tenant is launched and reassigning that VLAN removes the interface in TMM.
Workaround:
Set the VLAN name to the initial name that the tenant used when it was launched. Or, if you need to change the name of the VLAN, delete the tenant and redeploy.
1080437 : VerifyDmesg test failure
Component: F5OS-A
Symptoms:
An error message is seen as dmesg output:
Failed to allocate irq -2147483648: -107
Conditions:
The error message is sometimes seen after a device restart/reboot completes.
Impact:
The error message has no functional impact: when IRQ allocation for the SMBus fails, the driver falls back to polling mode.
Workaround:
NA
1062129 : Tenants are in pending state forever.
Component: F5OS-A
Symptoms:
Tenants never enter into running state.
Conditions:
A tenant request contains more vCPUs than are available on the system.
Impact:
-- Tenants go into pending state forever.
-- Empty CPUs are listed under the tenant state in ConfD.
Workaround:
Always stay within the licensed product capability when configuring vCPUs for a tenant.
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/