945537-2 : STP Validation for forward-delay, max-age, and hello-time fields

Links to More Info: BT945537

Component: F5OS-A

Symptoms:
One or more forwarding-delay, max-age, or hello-time fields are configured and are not mirrored as operational data, or

One or more forwarding-delay, max-age, or hello-time fields are configured, and the configuration is not reflected in the spanning-tree BPDUs.

Conditions:
When configuring STP, use this formula for the forwarding-delay, max-age, and hello-time fields for STP, RSTP, and MSTP configurations:

2 * (hello-time + 1)) <= max-age && max-age <= (2 * (forwarding-delay - 1

Impact:
Any configuration that does not match the expected formula will not propagate to spanning tree BPDUs.

Workaround:
Configure the forward-delay, max-age, and hello-time fields using this formula:

2 * (hello-time + 1)) <= max-age && max-age <= (2 * (forwarding-delay - 1

Fix:
Fixed an issue where a user could configure the forward-delay, max-age, and hello-time fields for STP so that the expected formula was not met. Entering an invalid configuration displays an error.

1226429-3 : Log messages in /var/log/message

Component: F5OS-A

Symptoms:
When the snmpget operation is performed on IF-MIB, the message "DEBUG cannot reply twice on the same call" appears in /var/log/message. The issue is that the DEBUG is enabled in one of the services container so this DEBUG message is logging in /var/log/message.

Conditions:
One of the reproduction steps is to perform the snmpget operation on IF-MIB.

Impact:
No known impact on the functionality. They are DEBUG messages only.

Workaround:
No workaround. The debug messages stops when the snmpget operation is completed.

Fix:
Removed unwanted debug enable from the service container.

1204481-1 : System may flap external links multiple times during startup or links may fail to come up at all

Component: F5OS-A

Symptoms:
When the system boots up, the interfaces may flap (go up and down) several times in quick succession before coming up and stabilizing.

In some cases, the interfaces fail to come up at all.

If a peer switch is configured to detect excessive link flaps, it may put the port in an err-disable state and prevent the link from coming up.

Conditions:
-- r5000 or r10000 Series appliance

Impact:
If the peer switch triggers a link-flap detection feature, the ports may remain offline until an administrator manually recovers the port on that switch.

Workaround:
There is no workaround for this issue on the rSeries appliance.

An administrator can mitigate this issue by doing one of the following:

- configuring the peer switch to automatically try to recover ports that are disabled for excessive link flapping
- increasing the number of link flaps required in a certain interval before the port is put in a disabled state

Fix:
Disable sending of remote-fault signaling to peer device while the system is booting up.

1196085-1 : Disabling and re-enabling a port on rSeries can leave the port in a DOWN state

Component: F5OS-A

Symptoms:
Disabling a port and then re-enabling it can result in the port staying DOWN.

Conditions:
Port Disable followed by Port Enable. The condition is aggravated when the port "enable" follows the "disable" too quickly. For example port "enable" within 15 seconds of the port "disable".

Impact:
Port stays DOWN and traffic is impacted.

Workaround:
There is no guaranteed workaround.

Sometimes disabling/re-enabling the port on the other side will bring the port back up.

Also, waiting 30-45 seconds before re-enabling the port minimizes the risk of this issue occurring.

Fix:
Improve port "disable" such that subsequent port "enable" does not leave the port DOWN.

1196073-1 : Front panel port initialization failures can leave a port permanently DOWN

Component: F5OS-A

Symptoms:
Failure of port initialization during system start-up or as a result of port re-initialization (port disable/enable).

Conditions:
Front panel port being initialized.

Impact:
Link stays DOWN and traffic is disrupted.

Workaround:
1) Disable then enable the link on the rSeries device.
2) Disable then enable the link on the peer device.

Fix:
Correct error handling of port initialization failures.

1190969-1 : Memory leak in system-image-agent service

Component: F5OS-A

Symptoms:
Memory usage by system-image-agent on the rSeries host F5OS-A operating system is sometimes higher than expected.

When larger than approximately 2GB (r2xxx/r4xxx) or 4GB (other rSeries), this may create enough memory pressure to affect scheduling of tenant vCPU, causing various tenant symptoms that indicate lower performance. These may include (list is not exhaustive):

  - dropping sporadic packets
  - tmm reporting clock advanced in /var/log/ltm logs
  - cores of tenant daemons
  - unexpected restart of tenants
  - restart of F5OS-A processes
  - sluggish manageability of tenant or rSeries host

When the hypervisor layer is nearly out of memory, the Linux kernel may trigger the out-of-memory killer which may terminate processes, including those that are tenants. If this happens then OOM-killer logs showing ImageAgent with high RSS (~500,000 or more) will be present in host QKView logs in:

Files > Log > messages logs in iHealth view of rSeries host qkview
qkview/subpackages/host-qkview/qkview/filesystem/var/log/messages

eg
 kernel: xxxx invoked oom-killer: ...

 kernel: [ pid ] uid tgid total_vm rss nr_ptes swapents oom_score_adj name

  kernel: [ 4321] 0 4321 696934 512846 1111 126261 0 ImageAgent

This indicates ImageAgent uses 512846 4KB pages in resident memory and 126216 4KB pages of swap (so approximately 2GB of resident and 0.5GB of swap). If not leaking, it should be very small.

Conditions:
When system-image-agent service is idle, there is a periodic memory leak. Rate of leak increases with the repeated image management related operations.

Impact:
Poor performance or unstable tenants: possible restarts, including of host rSeries.

Workaround:
While there is no workaround, the issue can be mitigated. If the leaking ImageAgent process can be restarted before it gets too big, it should be possible to avoid symptoms. It is best to restart it before it reaches 1GB in resident memory use (RES or RSS, depending on utility).

On iHealth you can view this in a host QKView under Commands, open system_image_agent folder and click on top. Look at the value under RES column for a row with command of /confd/bin/ImageAgent

Restarting the process should not affect traffic service.

To restart the system image agent, log into the host rSeries system as root and run:

 
   docker restart system_image_agent

 
(Note underscores, not hyphens)

After this, there will be various log messages from image-agent in /var/F5/system/log/platform.log:

 
 image-agent[10]: priority="Notice" version=1.0 msgid=0x2001000000000001 msg="Image Agent starting". <---
 image-agent[10]: priority="Info" version=1.0 msgid=0x6602000000000005 msg="DB is not ready".
 image-agent[10]: priority="Info" version=1.0 msgid=0x6602000000000005 msg="DB is not ready".
 image-agent[10]: priority="Info" version=1.0 msgid=0x6602000000000006 msg="DB state monitor started".
 image-agent[10]: priority="Info" version=1.0 msgid=0x2005000000000001 msg="Image file added" FILE="BIGIP-15.1.6.1-0.0.10.ALL-F5OS.qcow2.zip.bundle".
 image-agent[10]: priority="Info" version=1.0 msgid=0x6602000000000003 msg="DB state is now Active". <---

Fix:
Leak scenarios have been fixed.

1186105-1 : rSeries logs multiple UP/DOWN link transitions during system start up.

Component: F5OS-A

Symptoms:
As the rSeries platform starts up and initializes its front-panel interfaces, multiple UP/DOWN link transitions are logged.

Conditions:
rSeries system startup.

Impact:
Confusing log messages regarding link transitions.

Workaround:
None

Fix:
Improve logging so only one DOWN/UP transition is logged at start-up.

1186101-1 : Front panel interfaces are not disabled on system reboot

Component: F5OS-A

Symptoms:
Peer device will not see its links go DOWN until the system or blade starts to reboot.

Conditions:
-- r5000, r10000 series appliance
-- CX410 chassis

Impact:
Unwanted traffic could egress the system unexpectedly.

Workaround:
There is no workaround for this issue.

Fix:
Detect that the system is rebooting and proactively disable the front-panel interfaces.

1185369-1 : F5OS rSeries appliances will not launch tenants after upgrade to F5OS-A 1.3.0

Component: F5OS-A

Symptoms:
After an upgrade to F5OS-A 1.3.0, the system will not be able to deploy tenants. Even if the system software is reverted to the previous version, the issue remains.

The system may report a tenant status such as the following:

- Tenant deployment failed - Server is not responding
- 0/1 nodes are available: 1 node(s) didn't match Pod's node affinity/selector.

The "show cluster cluster-status" command will report that the cluster is not ready:

cluster cluster-status summary-status "1 Appliance is NOT ready, K3S cluster is NOT ready."

There will be error messages in /var/log/messages that mention "x509: certificate signed by unknown authority", for instance:

k3s: E1102 16:50:48.340717 44106 kuberuntime_manager.go:790] "CreatePodSandbox for pod failed" err="rpc error: code = Unknown desc = failed to setup network for sandbox ＼"5ba7aa29305335ce0b6a87b48a570b292f90e1f42f2a2b4ae4fff90a96a55df7＼": Multus: [kube-system/klipper-lb-8cht8]: error getting pod: Get ＼"https://[100.75.0.1]:443/api/v1/namespaces/kube-system/pods/klipper-lb-8cht8?timeout=1m0s＼": x509: certificate signed by unknown authority" pod="kube-system/klipper-lb-8cht8"

Conditions:
- F5OS rSeries appliance
- System upgraded to F5OS-A 1.3.0 for the first time

Impact:
The system is unable to deploy tenants. Even if the system is reverted to the previous software version, the issue remains and the system will be unable to launch tenants.

Workaround:
Once a system is affected, the fix is to reinstall the Kubernetes cluster. This procedure will take about 10 minutes and will not affect the configuration or data of the tenants.

1. Log in to the rSeries appliance CLI with the root account.

2. To identify if the setup is in an error state, check for the string “x509: certificate signed by unknown authority” in /var/log/messages, or K3S cluster is not healthy and running.

3. Change all deployed tenants to a provisioned state.

4. Stop the appliance_orchestration_manager service by running the following command:

systemctl stop appliance_orchestration_manager_container

5. Uninstall K3S by running the following commands:

k3s-uninstall.sh
rm /var/omd/* /tmp/omd/tokens/* /tmp/omd/appliance-ansible-host

6. Start the appliance_orchestration_manager service by running the following command:

systemctl start appliance_orchestration_manager_container

7. Wait about 10 minutes.

8. From the F5OS CLI (log in as admin), check the cluster status:

    show cluster install-status ; show cluster cluster-status

The cluster-status should be "K3S cluster is initialized and ready for use".

From a root shell, check that "kubectl get pods -A" shows running containers in both the "kube-system" and "kubevirt" namespaces.

Fix:
N/A

1173853 : Packet loss caused by failure of internal hardware bus

Links to More Info: BT1173853

Component: F5OS-A

Symptoms:
All or 50% of from-network packets arriving at a front panel port are dropped in hardware prior to delivery to tenant(s) running on the CPU. Packet loss is caused by CRC errors on an internal bus connecting two hardware components leading to eventual failure of the bus.

Conditions:
Issue occurs randomly, but is most commonly seen soon after bootup when packets first start to be handled by fastL4 hardware acceleration, hardware per-virtual server syn cookie protection, or AFM hardware protection.

Impact:
Total loss of from-network to CPU packets on r5900, r5800, and r5600 appliances, and either total loss or loss of 50% of from-network to CPU packets on r10900, r10800, and r10600 appliances. The r4800, r4600, r2800, and r2600 appliances are unaffected.

Workaround:
Reboot the appliance and disable fastL4 acceleration, per-virtual syn cookie hardware protection, and AFM hardware protection before re-enabling ingress traffic.

Fix:
This issue has been corrected.

1169341-1 : Using MAC Masquerade in a BIG-IP tenant causes traffic issues when re-deploying the tenant

Links to More Info: BT1169341

Component: F5OS-A

Symptoms:
If the tenant has configured MAC Masquerade, when the tenant is moved to a Configured or Provisioned state, then back to Deployed, the tenant may experience loss of traffic.

Conditions:
The tenant has configured MAC Masquerade and redeploys the tenant.

Impact:
The tenant may experience loss of datapath traffic.

Workaround:
N/A

Fix:
Using MAC Masquerade in a BIG-IP tenant no longer causes traffic issues.

1169193 : Unable to move tenants to provisioned or configured state with storage size specified as 76 in 1.2.0 after upgrading from 1.2.0 to 1.3.0

Component: F5OS-A

Symptoms:
Not able to move tenants to a provisioned or configured state with storage size specified with 76GB in 1.2.0 and moved to 1.3.0.

Conditions:
Deploy tenant in 1.2.0 with 76GB specified storage size and upgrade the F5OS to 1.3.0 and try to change running state of tenant to configured or provisioned.

Impact:
Once upgraded to 1.3.0 will not be able to change running state of tenant to provisioned or configured. In deployed state it is not possible to resize.

Workaround:
When tenant running state is being updated to provisioned or configured, the storage size must be greater than the default size of that image.

Fix:
Tenants can be moved to provisioned or configured state.

1166277 : System downgrade is not possible with tenants in deployed state.

Component: F5OS-A

Symptoms:
Tenants stuck in pending phase or tenant pods are missing.

Conditions:
Tenants deployed in 1.3.0 will be stuck in the pending phase when the system is downgraded to 1.2.0.

Impact:
Tenants will not be in a running state.

Workaround:
Move tenants to configured/provisioned state.

1166201-1 : Opensource Updates

Component: F5OS-A

Symptoms:
Opensource libraries used in previous versions were potentially susceptible to:
CVE-2016-4658
CVE-2017-18342
CVE-2018-25032
CVE-2019-15605
CVE-2019-17498
CVE-2019-20044
CVE-2020-10531
CVE-2020-12321
CVE-2020-24489
CVE-2020-25710
CVE-2020-8625
CVE-2021-20233
CVE-2021-20271
CVE-2021-2388
CVE-2021-25214
CVE-2021-25217
CVE-2021-27219
CVE-2021-27803
CVE-2021-30465
CVE-2021-3156
CVE-2021-3538
CVE-2021-3621
CVE-2021-4034
CVE-2021-42574
CVE-2021-43527
CVE-2021-44142
CVE-2022-1227
CVE-2022-1271
CVE-2022-23852
CVE-2022-24407
CVE-2022-24903
CVE-2022-2526
CVE-2022-2738
CVE-2022-29154
CVE-2022-34169
CVE-2022-40674
CVE-20919-8696

Conditions:
This addresses different problems. Multiple common vulnerabilities are fixed.

Impact:
Strengthens System Security

Fix:
Multiple common vulnerabilities are fixed to make system more secure.

RPM libraries have been upgraded to the following versions.
rpm-4.11.3-48.el7_9.x86_64
rpm-build-libs-4.11.3-48.el7_9.x86_64
rpm-libs-4.11.3-48.el7_9.x86_64
rpm-python-4.11.3-48.el7_9.x86_64
rsync-3.1.2-11.el7_9.x86_64
java-1.8.0-openjdk-headless-1:1.8.0.342.b07-1.el7_9.x86_64
tzdata-2022a-1.el7.noarch
tzdata-java-2022a-1.el7.noarch
systemd-219-78.el7_9.7.x86_64
systemd-libs-219-78.el7_9.7.x86_64
systemd-sysv-219-78.el7_9.7.x86_64
podman-1.6.4-36.el7_9.x86_64
runc-1.0.0-69.rc10.el7_9.x86_64
expat-2.1.0-15.el7_9.x86_64

1162609 : F5 r2600/r2800/r4600/r4800 devices unable to establish LACP link or send LLDP to some switches

Component: F5OS-A

Symptoms:
LACP and LLDP messages transmitted from an F5OS r2x00/r4x00 appliance to a peer switch have an incorrect length, and are ignored by some switches.

This can result in LACP aggregate links configured between an F5OS appliance and peer switch to fail to establish.

For example, Extreme Networks switches may produce a message similar to this:

<Erro:LACP.RxPDUSizExcd> Slot-2: Received PDU LACP size exceeded. Incoming Port: 1:1 PDU size: 132 required size: 128

Juniper hardware may produce messages similar to this:

kernel: xe-1/1/1: received pdu - length mismatch for lacp : len 128, pdu 124 like 1

LLDP packets sent from the F5OS device may not be accepted or correctly interpreted by the connected switch.

Conditions:
-- rSeries r2600/r2800/r4600/r4800-series appliance

-- LACP trunk (aggregate link) configured
(or)
-- LLDP advertising enabled

Impact:
Unable to establish an LACP trunk between the F5OS r2600/r2800/r4600/r4800 and a network switch.

Workaround:
Configure the LAG using a static configuration (that is, no LACP) on both sides, if possible.

Fix:
Fixed code to trim extra 4 bytes going in the BPDUs.

1154129 : Missing port-speed option for management interface on Appliance

Component: F5OS-A

Symptoms:
There is no option to change the port speed on the management interface of the Appliance through the CLI. An error displays when you attempt to disable auto-negotiation or when you try to change the port speed from the webUI (after disabling from
the CLI).

Conditions:
Always

Impact:
Port speed cannot be configured for the management interface on Appliance.

Workaround:
No workaround.

Fix:
Current schema changes allow port speed to be configured for management interface on Appliance.

1145841 : WebUI fails to delete an LACP LAG that does not have the corresponding LACP interface

Component: F5OS-A

Symptoms:
WebUI fails to delete an LACP LAG that does not have the corresponding LACP interface.

Conditions:
The LACP interface for the LACP LAG does not exist.

Impact:
Unable to delete the LAG on webUI.

Workaround:
Users can either delete the LAG from the CLI or create the LACP interface for the LAG and then delete it from webUI.

Fix:
With this fix, the user will be able to delete an LACP LAG even if it does not have the corresponding LACP interface.

1145753 : QKView obfuscation step can cause excessive disk usage

Component: F5OS-A

Symptoms:
QKView performs the obfuscation steps for capturing files, which can create temporary files the same size as the captured files. If a sufficiently large file is captured, this may cause a disk full error.

Conditions:
QKView captures a very large file and obfuscates it.

Impact:
System may be unusable.

Workaround:
Before executing QKView, scan the system for extraordinarily large log files and delete them. One example is telemetry.db.

Fix:
This bug fix truncates the file to a maximum size of 0.5 GB (or a size defined by the maxfilesize argument) before performing obfuscation. This limits the chance for a disk full error.

1144177-1 : CLI idle-time is not persistently configurable

Component: F5OS-A

Symptoms:
The default CLI idle-timeout is set in a non-user-modifiable configuration file, and must be set each time the user logs in.

Conditions:
The user desires to set an persistent idle-timeout to a value other than the pre-set default, or to disable it.

Impact:
User cannot select a default idle-timeout other than the predefined default.

Workaround:
None.

Fix:
A configuration setting has been added to the configuration database as "system settings config idle-timeout" so that the administrator can configure a default idle-timeout for the CLI. The setting applies to the particular system instance (controller, partition, or appliance).

Behavior Change:
Administrator can configure the default CLI timeout value, so that it applies to all user sessions.

1143769 : Updating LDAP configuration on Auth Settings screen on the webUI having no TLS key updates it to empty string.

Component: F5OS-A

Symptoms:
When the LDAP configuration on Auth Settings is updated via the webUI, with TLS key not previously configured, it is updated to be an empty string. This is resulting in empty string encryption.

Conditions:
Add/Modify LDAP configuration on Auth Settings screen.

Impact:
TLS key is set to empty string and is encrypted.

Workaround:
One of the following:

-- Use the F5OS CLI to modify authentication settings, rather than using the webUI.

-- Use the webUI to edit authentication settings only when the TLS key is already configured, meaning, there is an encrypted value already present in TLS key field.

Fix:
Updating LDAP configuration when the TLS key is not configured will not create a TLS key with empty string.

1141801 : F5OS-A Intel CPU vulnerability CVE-2021-33060

Component: F5OS-A

Symptoms:
There are no visible symptoms.

Conditions:
The issue is present in BIOS versions 2.00.114.1 and earlier.

Impact:
Out-of-bounds write in the BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access. (CVE-2021-33060)

Workaround:
As local access is required to exploit this vulnerability, you can mitigate this by restricting access to the affected F5 product (on the host OS and in a container or tenant) to only trusted users.

Fix:
Resolve Intel CPU vulnerability CVE-2021-33060

1141753 : User manager containers should not mount /var/log/tally as /tmp

Component: F5OS-A

Symptoms:
Unnecessary files left in /var/log.

Conditions:
When qkview is captured.

Impact:
Unnecessary files left in /var/log and collected by qkview as a result of a container using /var/log/tally as a temporary space.

Workaround:
N/A

Fix:
User manager does not mount /var/log/tally anymore.

1141593 : tmstat-merged log messages for invalid argument

Component: F5OS-A

Symptoms:
Repeated log messages from tmstat-agent about invalid arguments from fzmq_handle_to_socket_thread_safe.

Conditions:
VELOS appliance.

Impact:
Fills log files and could obcsure or roll over more important log messages.

Workaround:
N/A

Fix:
Not relevant to appliances.

1141577 : WebUI crashes when a new SSL/TLS private key is generated

Component: F5OS-A

Symptoms:
The webUI crashes when a new SSL/TLS certificate is created in the Certificate Management tab.

The HTTP server has to restart to read the newly-created private keys (encrypted or un encrypted) from a configuration file. Before the HTTP server restarts, all active client connections will be closed. This will cause the webUI to crash, and the server will be unreachable temporarily.

Conditions:
No configuration changes required.

Impact:
The webUI crashes and the TCP connection with the HTTP server will be closed.

Workaround:
The user has to reestablish the connection to the server after waiting a few seconds.

Fix:
No fix required.

1137889-1 : CLI "show interfaces summary" command doesn't provide a summary

Links to More Info: BT1137889

Component: F5OS-A

Symptoms:
The "show interfaces" command is quite cluttered when displaying the state of both physical and virtual (aggregate) interfaces, making it difficult to get a high-level summary of all interfaces.

The "show interfaces interface full" command displays a confusing subset of interface states, when the intent of "full" was to display all state fields, including the duplicate "name" column.

Conditions:
The administrator attempts to use the "show interfaces" command to diagnose networking problems.

Impact:
Difficult to diagnose interface configuration/connectivity problems.

Workaround:
None

Fix:
The new "summary" option for "show interfaces" displays a brief subset of the most important interface state information.

appliance-1# show interfaces interface state summary
                                     OPER
NAME TYPE MTU ENABLED STATUS
---------------------------------------------
1.0 ethernetCsmacd 9600 true UP
2.0 ethernetCsmacd 9600 true UP
3.0 ethernetCsmacd 9600 true UP
4.0 ethernetCsmacd 9600 true UP
5.0 ethernetCsmacd 9600 true UP
6.0 ethernetCsmacd 9600 true UP
7.0 ethernetCsmacd 9600 true UP
8.0 ethernetCsmacd 9600 true UP
mgmt ethernetCsmacd - true UP

1137725 : nslcd start/run script may fail or log alarming messages

Component: F5OS-A

Symptoms:
The script that watches and restarts the nslcd process could sometimes fail to do so, and would sometimes log messages that appeared alarming.

Conditions:
Changing authentication settings that affect nslcd.

Impact:
The messages were benign, but the occasional failure to restart nslcd on config change could cause authentication changes to fail to propagate to the running process.

Workaround:
Restarting the name-service-ldap container is likely to solve the issue.

Fix:
The nslcd start/run script was rewritten to minimize alarming log messages and reliably start and restart the process when expected.

1137669 : Potential mis-forwarding of packets caused by stale internal hardware acceleration configuration

Links to More Info: BT1137669

Component: F5OS-A

Symptoms:
Because configuration entries added to the internal ePVA hardware acceleration tables may become stuck, packets arriving from front panel ports may be handled by stale entries resulting in unexpected forwarding behavior. The stale entries may also prevent TMM from offloading new connections to ePVA.

Conditions:
The most likely cause for entries to become stuck is either a reboot of tenant or restart of TMM while it has active connections offloaded to ePVA without also rebooting the entire appliance.

Impact:
Packets may be forwarded to unexpected destinations, and/or new connections are unable to be offloaded to ePVA.

Workaround:
Don't reboot or restart TMM without also rebooting the entire appliance.

Fix:
Packets are behaving as expected.

1137361 : Enabling LDAP may produce a log message with the usage help for the kill command

Component: F5OS-A

Symptoms:
If the nslcd process is being restarted but was not previously running, this message could be issued.

Conditions:
The nslcd process is being restarted because of a configuration change but was not previously running.

Impact:
Alarming log messages. Potential failure to restart nslcd, resulting in failures in remote authentication.

Workaround:
Restarting the name-service-ldap container is likely to resolve the issue.

Fix:
The nslcd run/start script was rewritten to make it more robust, while reducing the chance for unnecessarily alarming log messages.

1137309 : NSLCD does not restart if it dies or exits

Component: F5OS-A

Symptoms:
If the NSLCD process is terminated for any reason, the process is not restarted.

Conditions:
LDAP authentication is enabled and the NSLCD process is terminated or unexpectedly exits.

Impact:
LDAP authentication will be unavailable.

Workaround:
The process can be restarted by manually restarting the container using the command docker restart name-service-ldap.

Fix:
The NSLCD process will now restart if it is terminated.

1137121 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0

Component: F5OS-A

Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".

Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.

Impact:
Tenants will not start and are unusable.

Workaround:
To work around this issue, perform one of these actions:

1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".

Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.

1136829-1 : Blank server error popup appears over unauthorized popup for operator user

Links to More Info: BT1136829

Component: F5OS-A

Symptoms:
When an operator user performs any operation that makes a REST call that is unauthorized for the operator role, a blank server error popup appears behind the unauthorized popup.

Conditions:
When the logged in user is in an operator role and performs an unauthorized action.

Impact:
A blank server error popup is seen behind an unauthorized popup, which is unnecessary.

Workaround:
NA

Fix:
Tested that only the unauthorized popup is visible when the operator user performs any unauthorized action.

1136777 : Monitoring agent service is missing telemetry inputs after its restart

Component: F5OS-A

Symptoms:
When diagnostic event queue is getting flooded due to watch dog closure issue, we are seeing failure in telemetry input reload.

Conditions:
Only seen when the diagnostic event log gets flooded due to watch dog closure issue and followed by monitoring service restart.

Impact:
Diagnostic agent service will not get any latest measurements.

Workaround:
N/A

Fix:
Monitoring agent service is reloading all telemetry inputs after its restart.

1136361 : RJ45 interface links once at 1G

Component: F5OS-A

Symptoms:
The RJ45 interfaces on F5 r2000 and r4000 platforms link at 1G only once. If the link goes down, the interfaces cannot reestablish a link at 1G.

Conditions:
When an RJ45 interface that is 10G/1G capable is connected to a 1G port on F5 r2000 and r4000 platforms.

Impact:
The RJ45 interface won't achieve a link.

Workaround:
To clear the no-link condition, reboot or power cycle the platform. The RJ45 link will then come up at 1G, but only once.

Fix:
The RJ45 interfaces on F5 r2000 and r4000 platforms are now able to re-establish a 1G link.

1136213 : Network Manager crashes while processing an L2 Listener Request on R2x00 or R4x00

Component: F5OS-A

Symptoms:
Network Manager crashes and a core file will be generated asynchronously.

Conditions:
When an L2 Listener Request is received on the platform, which is not expected to be received in the case of R2x00 or R4x00 platforms.

Impact:
Network Manager crashes generating a core file.

Workaround:
N/A

Fix:
Network Manager no longer crashes.

1135865 : Remotely authenticated user who is a member of multiple roles that include invalid roles is not allowed to log in

Component: F5OS-A

Symptoms:
Users on systems have a role assigned to them. This role is one of a predefined set which includes the admin role. A remote user with multiple roles, some of which are not in this predefined set, is configured on a remote authentication server (LDAP, tacplus or RADIUS). Such a user was treated different based on mode of access (GUI or ssh) and the remote authentication method. Sometimes the user can log in, sometimes not.

Conditions:
A user has to configured on a remote authentication server (LDAP, tacplus or RADIUS) with multiple group IDs, some of which are not assigned to any role in our system.
That remote authentication method has to be configured as an authentication method on our system.
User supplies the correct password and tries to log in. The user may or may not be allowed into the system, depending on method of access and remote authentication method.

Impact:
When a remote user has multiple roles which include invalid roles, the behavior of the system was inconsistent.

Workaround:
Removing the invalid group ID from the remote server will fix the issue.

Fix:
When a remote user belongs to multiple roles, some of which are invalid ones, only the valid roles are considered for authorization. Also, this is consistently done across methods of access (GUI, ssh, etc.) and across all remote authentication methods (LDAP, tacplus, RADIUS, etc.).

1135861 : Remote user with no valid role is allowed to log in.

Component: F5OS-A

Symptoms:
Under certain circumstances when remote authentication (ldap, tacplus, or radius) is configured, a remote user may be able to log in with low privileges when they should not.

Conditions:
An improperly configured user profile.
Remote authentication configured on F5OS.

Impact:
A User without a valid role is let into the system with low privileges.

Workaround:
None

Fix:
Only users with valid group per /etc/group will be allowed

1135849-1 : telemetry.db grew to 50G and caused error "database disk image is malformed"

Component: F5OS-A

Symptoms:
As we received multiple RAS events continuously while monitoring, the telemetry.db size grew to 50G.

Conditions:
If the hardware is in issue state, we can see more events getting generated, which will increase the telemetry.db size.

Impact:
File system will not be accessible as telemetry.db is consuming more space.

Workaround:
Delete the telemetry.db file and restart the platform-monitor service.

Fix:
This fix truncates the telemetry.db to a size of 500 MB or less.

1135661-2 : Ability to configure LDAP chase-referrals option

Component: F5OS-A

Symptoms:
By default, our LDAP implementation was set to chase LDAP referrals. This could be expensive and make lookups very slow in large organizations with multiple layers of LDAP servers.

Conditions:
LDAP enabled in very large LDAP organizations with multiple levels of servers.

Impact:
The default of chasing referrals in the above conditions could result in slow LDAP lookups and timeouts.

Fix:
A chase referrals option was added to LDAP configuration. The default is still enabled, but now it can be easily disabled:
system aaa authentication ldap chase-referrals false

1135281-1 : Blank LDAP tls_key causes error

Links to More Info: BT1135281

Component: F5OS-A

Symptoms:
When using the CLI or older webUI, it was possible to enter an "empty" tls_key. This would cause nslcd to be incorrectly configured.

Conditions:
LDAP configured. Blank LDAP tls_key entered:
system aaa authentication ldap tls_key ""

Impact:
A blank tls_key would fail to work correctly when configuring authentication or talking to the LDAP server.

Workaround:
Explicitly set the bind password to unset:
no system aaa authentication ldap tls_key

Fix:
Fixed authentication so any form of "empty" tls_key results in the tls_key being unset.

1135233-1 : Updating LDAP configuration on Auth Settings screen on the webUI fails to preserve the existing bind password

Links to More Info: BT1135233

Component: F5OS-A

Symptoms:
When the LDAP configuration on Auth Settings is updated via webUI, the unchanged/existing bind password is replaced by an empty string, resulting in LDAP authentication failure.

Conditions:
Modify existing LDAP configuration on Auth Settings screen.

Impact:
Bind password is not preserved.

Workaround:
One of the following:

-- Use the F5OS CLI to modify authentication settings, rather than using the webUI.

-- When editing authentication settings in the webUI, always re-enter the bind password.

Fix:
Updating LDAP configuration preserves existing/unchanged bind password, will not result in LDAP authentication failure.

1135125 : Reading data from wrong socket leads to LACPD restart.

Component: F5OS-A

Symptoms:
Reading an update from the ConfD subscription socket
leads to LACPD container restart.

Conditions:
Reading an update from the ConfD subscription socket.

Impact:
This issue leads to LACPD container restart.

Workaround:
N/A

Fix:
Read data from read socket, not from subscription socket.

1134957 : ldapsearch not available to use on F5OS devices

Component: F5OS-A

Symptoms:
ldapsearch is a crucial utility for troubleshooting LDAP remote authentication. However, it wasn't available on any F5OS devices, and therefore, couldn't be utilized.

Conditions:
The utility could not be found searching on the base OS using the command: "find / -name '*ldapsearch*'"

It also could not be found within the name-service-ldap container, using the command: "docker exec -it name-service-ldap ldapsearch"

Impact:
Troubleshooting is made more difficult.

Fix:
ldapsearch has now been installed and can be accessed using the name-service-ldap container. To do this, you can run the command: "docker exec -it name-service-ldap bash".

1134737 : CVE-2021-42740 - The shell-quote package before 1.7.3 for Node.js allows command injection

Component: F5OS-A

Symptoms:
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded to shell-quote version 1.7.3.

1134733 : CVE-2021-37701 - Vulnerability in the npm package "tar" (aka node-tar)

Component: F5OS-A

Symptoms:
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `＼` and `/` characters as path separators, however `＼` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded to tar v6.1.11.

1134729 : CVE-2022-0686 - Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8

Component: F5OS-A

Symptoms:
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.8.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded url-parse to v1.5.10.

1134725 : CVE-2020-15256 - Prototype pollution vulnerability found in `object-path` <= 0.11.4

Component: F5OS-A

Symptoms:
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and setting the option `includeInheritedProps: true`, or by using the default `withInheritedProps` instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of `set()` in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5 As a workaround, don't use the `includeInheritedProps: true` options or the `withInheritedProps` instance if using a version >= 0.11.0.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded react-scripts to version 4.0.0 which doesn't require object-path.

1134721 : CVE-2021-44906 - Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js

Component: F5OS-A

Symptoms:
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded minimist to version 1.2.6.

1134717 : CVE-2021-23436 - Package immer before 9.0.6. has a type confusion issue

Component: F5OS-A

Symptoms:
This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "__proto__" || p === "constructor") in applyPatches_ returns false if p is ['__proto__'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded immer to version 9.0.6.

1134713 : CVE-2020-7660 - arbitrary code injection in serialize-javascript prior to 3.1.0

Component: F5OS-A

Symptoms:
serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded 'react-scripts' to version 4.0.0 which uses 'serialize-javascript' versions - 4.0.0 and 5.0.1.

1134709 : CVE-2021-23434 - A type confusion vulnerability in object-path before 0.11.6.

Component: F5OS-A

Symptoms:
This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded react-scripts to version 4.0.0 which do not require object-path.

1134705 : CVE-2021-26707 - The merge-deep library before 3.0.3 for Node.js can be tricked

Component: F5OS-A

Symptoms:
The merge-deep library before 3.0.3 for Node.js can be tricked into overwriting properties of Object.prototype or adding new properties to it. These properties are then inherited by every object in the program, thus facilitating prototype-pollution attacks against applications using this library.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded react-scripts to v4.0.0 which don't require merge-deep dependency.

1134701 : CVE-2022-0691 - Authorization Bypass Through User-Controlled Key in NPM url-parse

Component: F5OS-A

Symptoms:
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded to url-parse v1.5.10

1134697 : CVE-2018-19827 - In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr Class

Component: F5OS-A

Symptoms:
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service or possibly have another unspecified impact.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Replaced node-sass with sass.

1134693 : CVE-2021-32804 - Insufficient path sanitization in node-tar

Component: F5OS-A

Symptoms:
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded tar to version 6.1.11.

1134689 : CVE-2021-37713 - node-tar file creation/overwrite vulnerability

Component: F5OS-A

Symptoms:
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some＼path`. If the drive letter does not match the extraction target, for example `D:＼extraction＼dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded to tar v6.1.11.

1134685 : CVE-2022-1650 - Exposure of Sensitive Information to an Unauthorized Actor in GitHub...

Component: F5OS-A

Symptoms:
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded eventsource to v1.1.2.

1134681 : CVE-2021-3757 - immer is vulnerable to Improperly Controlled Modification of Object Prototype...

Component: F5OS-A

Symptoms:
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded immer to v9.0.6.

1134677 : CVE-2021-42581 - ** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier

Component: F5OS-A

Symptoms:
** DISPUTED ** Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded Ramda to 0.27.1.

1134673 : CVE-2021-3918 - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype...

Component: F5OS-A

Symptoms:
json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Replaced node-sass with sass which doesn't require json-schema dependency.

1134669 : CVE-2021-32803 - node-tar uses insufficient symlink protection

Component: F5OS-A

Symptoms:
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

Conditions:
N/A

Impact:
N/A

Workaround:
None

Fix:
Upgraded to tar v6.1.11.

1134665 : CVE-2018-11698 - An out-of-bounds discovered in LibSass through 3.5.4.

Component: F5OS-A

Symptoms:
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Replaced node-sass with sass.

1134649 : CVE-2021-37712 - node-tar file creation/overwrite vulnerability

Component: F5OS-A

Symptoms:
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

Conditions:
N/A

Impact:
N/A

Workaround:
None.

Fix:
Upgraded node-tar to version 6.1.11.

1134633 : CVE-2018-11694 - A NULL pointer dereference issue in LibSass through 3.5.4.

Component: F5OS-A

Symptoms:
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.

Conditions:
rSeries GUI uses node-sass dependency which is a wrapper around LibSass. Hence the NULL pointer dereference issue in LibSass could be potentially leveraged by an attacker via node-sass.

Impact:
The issue could be leveraged by an attacker to cause a denial of service (application crash) or possibly have other impact.

Workaround:
None

Fix:
rSeries GUI has shifted from node-sass to a sass dependency which is not dependent on LibSass.

1134625-1 : webUI session timeout popup referring to browser time instead of server time

Links to More Info: BT1134625

Component: F5OS-A

Symptoms:
If the browser time is not in parity with the server time then the session timeout popup is showing up early (before the token expires) or sometimes not showing up even when the token actually expires.

Conditions:
When the user browser and the server times are not in sync.

Impact:
The user sees incorrect session timeout popup or does not see session timeout popup when the token actually expires.

Workaround:
NA

Fix:
This issue is fixed and verified that the timer for the popup is set correctly.

1134289 : Diagnostic Controller Panic messages getting logged in platform.log at startup

Component: F5OS-A

Symptoms:
On startup, receiving the Info messages from LOP for all bits and some of them are not relevant to system type. This is causing panic logs from diagnostic agent service.

Conditions:
This occurs only during startup.

Impact:
No functionality impact.

Workaround:
N/A

Fix:
Diagnostic agent will not panic and log any panic messages during the system startup.

1134141 : Uploading qkview to iHealth may fail on long iHealth user names

Component: F5OS-A

Symptoms:
When an iHealth username/email is entered into the configuration for the iHealth upload feature, if it is sufficiently long (over 16 characters), there may be an authentication error when attempting to upload.

Conditions:
iHealth username/email exceeds 16 characters.

Impact:
Unable to upload to iHealth.f5.com via F5OS-A or F5OS-C webUI.

Workaround:
Use the file export feature to download the qkview file from the device to a PC, and then use the PC to upload the qkview file to iHealth.f5.com.

Fix:
Feature has been fixed in F5OS-C 1.6.0 and F5OS-A 1.3.0.

1134033 : Continuous Diagnostic Controller Event Queue errors are printed in platform.log

Component: F5OS-A

Symptoms:
Flooding of logs continuously in platform.log.

Conditions:
Whenever the watchdog timer is closed, this issue occurs.

Impact:
Event Queue is getting flooded.

Workaround:
N/A

Fix:
Provided watchdog timer fix to avoid the event log flooding.

1132973 : Live upgrade to F5OS-A-1.3.0 will not work if STP is not configured correctly.

Component: F5OS-A

Symptoms:
System database compatibility checks will fail with STP misconfigurations.

Conditions:
Live upgrades to F5OS-A-1.3.0 will not work if STP is not configured correctly.

Impact:
System database compatibility checks will fail.

Workaround:
STP cannot be enabled on individual LAG members. To perform a live upgrade to F5OS-A-1.3.0, the user must correct the STP configurations by removing the STP from the interface which is assigned to aggregation-id.

1132745 : Improve user readability during file upload on partition or controller

Component: F5OS-A

Symptoms:
When the user starts uploading a tenant image file, the file transfer status in the image import status table displays after a few seconds rather than immediately.

Conditions:
On the tenant images screen, when the user has started a file upload from his local machine.

Impact:
User is notified of file upload status after some time, which might lead the user to think that file upload has not started until he sees the status.

Workaround:
None.

Fix:
A new banner was added at the top of the page saying "File upload is initializing, the transfer status will appear momentarily.", which appears as soon as the user starts the file upload. After a few seconds the message on the banner will change to "File upload in progress, please do not refresh the page.", informing user that refreshing the page will cancel the upload process.

1132733-1 : LDAP config tried to configure blank bind password

Links to More Info: BT1132733

Component: F5OS-A

Symptoms:
When using the CLI or older webUI, it was possible to enter an "empty" password. This would cause nslcd to be incorrectly configured.

Conditions:
LDAP configured. Blank LDAP bind password entered:
system aaa authentication ldap bindpw ""

Impact:
A blank password was highly unlikely to be the intended result and would fail to work correctly when configuring authentication or talking to the LDAP server.

Workaround:
Explicitly set the bind password to unset:
no system aaa authentication ldap bindpw

Fix:
Fixed authentication so any form of "empty" password results in the password being unset.

1132617 : WS-2021-0200 - DoS in YAML from versions v2.2.0 to v2.2.2

Component: F5OS-A

Symptoms:
YAML in versions v2.2.0 to v2.2.2 is vulnerable to a denial of service attack.

Conditions:
N/A

Impact:
N/A

Workaround:
There is currently no workaround for this issue.

Fix:
YAML v2.2.0 - v2.2.2 has been removed and upgraded to YAML v3.0.0 in F5OS-A v1.3.0 or later, which resolves WS-2021-0200.

1131993 : Not able to set severity from CLI/webUI for some services.

Component: F5OS-A

Symptoms:
Not able to set severity for following services from CLI/webUI in F5OS-A.
R5R10: - Utils-agent, partition-common(system-common), tcam-manager
R2R4: - Utils-agent, partition-common.

Conditions:
Try to change severity for following services:
R5R10: Utils-agent, partition-common(system-common), tcam-manager
R2R4: Utils-agent, partition-common.

Impact:
Not able to change severity as these services are not listed in ConfD CLI as well as webUI.

Workaround:
N/A

Fix:
Severity can now be set from CLI/webUI for all services.

1125761 : appliance-orch-manager coredump

Component: F5OS-A

Symptoms:
appliance-orch-manager(omd) polls node, events and system pods status and update the status into ConfD. During K3S response processing, OMD failed to handle a few exceptions. Because of that, OMD coredump is observed.

Conditions:
Intermittently OMD core dumps if K3S response is not as expected.

Impact:
Intermittent OMD core dumps.

Workaround:
N/A

Fix:
If OMD core dumps, systemd will bring up the process automatically. No action is expected from user.
However, if any OMD core dumps are observed, contact F5 support.

1125349-1 : Changing the root password in appliance mode is unlocking root account

Links to More Info: BT1125349

Component: F5OS-A

Symptoms:
If the password of root is changed in appliance mode, it disables appliance mode.

Conditions:
Appliance mode is enabled.
Root password is changed using set-password API.

Impact:
Appliance mode is disabled.

Workaround:
Toggle appliance mode to enable it again.

Fix:
Appliance mode is not disabled and displays a message: "Info: The password has changed but appliance mode is enabled that blocks root login."

1123685 : Occasionally Selinux modules are getting corrupted when the system reboots

Component: F5OS-A

Symptoms:
In rSeries appliances, if Selinux modules are corrupted
-> Virt-handler pod crashes continuously.
-> Tenant will be in pending state.
-> Semodule file size is 0 in dir "/etc/selinux/targeted/active/modules/400/"

Conditions:
If interruption happens during Selinux modules building on system bootup, the interruption can be an abrupt power off.

Impact:
-> Virt-handler pod is crashing continuously.
-> Tenant functionality is impacted.

Workaround:
None.

Fix:
Identify and remove the corrupted Selinux files and rebuild them while the system is booting up.

1123329 : Tagged LLDP PDUs (VLAN ID 1) are sent on appliance devices.

Component: F5OS-A

Symptoms:
VLAN ID 1 is seen in LLDP PDU coming from appliances.

Conditions:
LLDP is enabled and RXTX is configured to send and receive LLDP PDU.

Impact:
Tagged VLAN ID 1 is coming in LLDP PDU.

Workaround:
N/A

Fix:
Fixed issue by adding required VLAN at F5OS.

1122593-1 : No options to control system power via LCD menu

Component: F5OS-A

Symptoms:
The front-panel LCD on rSeries appliances does not provide a way to control system power to the host operating system.

Conditions:
One of the following rSeries appliances:
- r2000 / r4000
- r5000 / r10000

Impact:
The system LCD panel provides no way to power on/off the device.

Workaround:
The system power can be controlled via the AOM.

Fix:
The system LCD now provides a Power On control in the System menu.

Behavior Change:
In the older release, the system power can be controlled via the AOM. In the current release, it is being addressed.
The system LCD now provides a Power On control in the System menu.

1122081 : BIG-IP tenants created before F5OS-C 1.5.1 or F5OS-A 1.3.0 may be allocated a smaller disk than required

Links to More Info: BT1122081

Component: F5OS-A

Symptoms:
If the BIG-IP tenant disk space is fully used by creating multiple software volumes within the tenant, it will generate disk errors.

Conditions:
- A tenant originally deployed from an “ALL-F5OS” tenant image (i.e., BIGIP-15.1.6.1-0.0.10.ALL-F5OS.qcow2.zip.bundle) originally created from one of the following:
 -- 14.1.5 or above in the 14.1.x branch of code
 -- 15.1.6.1 or above in the 15.1.x branch of code

- The tenant is configured to use 76G of disk space (the default)

Impact:
Software installs within the tenant may fail.

Workaround:
Beginning in F5OS-A 1.3.0, the system detects the minimum size of a disk created from a tenant image file, and enforces that minimum on newly-created tenants.

If a customer has a tenant affected by this issue and upgrades their system to F5OS-A 1.3.0 or later, set the tenant to "configured", and then deploy the tenant again.

If the disk size is not right, the system will show the minimum size, then adjust the tenant disk size to what is advised by the system or larger.

From 1.4.0, user does not need to adjust the size unless the user needs a bigger size.
The right/minimum size will be auto-allocated when the state is changed.

Fix:
The tenant disk size will be detected and auto-allocated.

Behavior Change:
There are two behaviors.

1.3.x: If the disk size is smaller than it has to be, it warns the user and doesn't start the tenant until the user specifies the right/minimum size.

1.4.0: It auto increases the size to the right/minimum size if the user didn't specify the disk size.

1121889-2 : ConfD encryption key can lock up the TPM module

Component: F5OS-A

Symptoms:
Due to an error that happens rarely in the HAL layer, the encryption key mechanism can misinterpret such an error as a valid identifier for the system. This causes the TPM to lock up, using that identifier, but then the actual identifier no longer unlocks the TPM.

Conditions:
This happens rarely but when it does, the system-manager cannot read the encryption keys and will not start ConfD.

This will manifest itself as unable to start up the configuration by attempting to become admin.

Impact:
The system is unusable. Installing a new ISO does not help.
The TPM must be cleared to become unlocked. Once the TPM is cleared, a new key is generated so existing encryptions need to be re-encrypted. This is will require that the ConfD system database be reset to default.

Workaround:
The workaround is to do the following:

 # docker exec system_platform-mgr tpm2_takeownership -c
 # docker restart system_manager
 # su admin
 # config
 # (config) system database reset-to-default proceed yes
 # exit; exit
 # docker restart system_api_svc_gateway

Fix:
The incorrect identifier is now ignored and the lockup is avoided.

Note that the fix does not unlock a locked system. The workaround will have to be applied first.

1117649-2 : rSeries Appliance inoperable after powering down from Linux while configured for Appliance mode

Component: F5OS-A

Symptoms:
If the rSeries device is powered down from Linux (for example, using 'halt -p', 'poweroff', or 'shutdown -h now') while in Appliance mode, the device becomes permanently disabled.

In this state, nothing external can be done to power on the Linux host, for example, cycling power, accessing the LCD Power on option, or pressing the Power button.

Trying to access the AOM menu from the serial console reports the following message:
 AOM Command Menu - disabled for security purposes.

Conditions:
-- Appliance mode is enabled (this is the state the 'appliance-setup-wizard' sets when it runs to completion).

-- The host is powered down (for example, using 'halt -p', 'poweroff', or 'shutdown -h now')

Impact:
The AOM command menu is not available to power on the host. A power cycle of the appliance does not power on the host.

The disabled appliance must be replaced.

Workaround:
***Important!***

If the BIG-IP rSeries appliance is configured for Appliance mode, do not power off the device using commands such as 'halt -p', 'poweroff', or 'shutdown -h now'.

Instead, run 'halt' and then remove power from the system (for example, unplug, remove power brick, remove power from rack).

Note: If you have already encountered this issue, contact F5 Support :: https://www.f5.com/services/support to request an RMA. For more information, refer to K12882: Overview of the F5 RMA process :: https://support.f5.com/csp/article/K12882 .

Fix:
Appliance mode no longer disables the AOM menu, allowing access to power on the host command with console access to the appliance.

1117621-2 : After an appliance upgrade from 1.0.1 to 1.1.1, a tenant in Provisioned state may show inconsistent CLI status★

Component: F5OS-A

Symptoms:
After an appliance upgrade from 1.0.1 to 1.1.1, if the running-state of a tenant is configured in the Provisioned state, the operational status of the tenant may oscillate between "Ready to deploy" and "Allocating resources to the tenant is in progress" state in the partition CLI status.

Conditions:
A race condition exists after an appliance upgrade from 1.0.1 to 1.1.1, that may display an inaccurate tenant operational state when the tenant is configured as Provisioned.

Impact:
The tenant state constantly changes.

Workaround:
Configure the running-state of the tenant to Deployed.

1117577 : Management interface is not accessible if core system daemons are not running

Component: F5OS-A

Symptoms:
If the system management daemon (confd) is not able to run when the system starts up, the system will not configure its management IP address and will not have network connectivity.

Conditions:
rSeries appliance

Impact:
Management connectivity is lost, and the only way to access the system is via serial console.

Workaround:
An administrator can configure an IP address and default route for an rSeries appliance when logged in from the serial console using the "ip" command.

For instance, the following commands temporarily assign a management IP address of 198.51.100.100 to the appliance, and create a default route via a gateway of 198.51.100.254.

    ip addr add 198.51.100.100/24 dev mgmt0-system
    ip route add default via 198.51.100.254

Fix:
Configure IP workaround.

1117461 : CVE-2021-3538 satori/go.uuid: predictable UUIDs generated via insecure randomness

Component: F5OS-A

Symptoms:
Versions of satori/go.uuid have a flaw which allows for predictable UUIDs to be generated.

Conditions:
N/A

Impact:
N/A

Workaround:
There is currently no workaround for this CVE, however, later versions of F5OS-A have been updated to removed satori/go.uuid and replaced with gofrs/uuid, which is does not have this vulnerability.

Fix:
The satori/go.uuid package has been removed in F5OS-A 1.3.0 and later versions with gofrs/uuid.

1117417-2 : Database config restore failed on rSeries appliance

Component: F5OS-A

Symptoms:
System database config-restore will fail when there is mismatch in the system images between when the backup is taken and the current images present on the system.

Conditions:
The current system images that are present on the system (show system image) do not match the list of images that are stored in the backup file.

Impact:
Config restore fails.

Workaround:
Edit the configuration backup file and delete the <image> stanza, from:

    <image xmlns="http://f5.com/yang/system/image">
to
    </image>

Fix:
Configuration restore on rSeries appliances now works regardless of differences in the set of available system software images.

1117277-2 : Occasional issue observed when tenant deployed on r2xxx/r4xxx series

Component: F5OS-A

Symptoms:
The r2xxx/r4xxx appliance interface drivers are not created in time and lead to tenant deployment failure after the PXE boot, live upgrade, reboot, and port profile change.

Conditions:
Live upgrade from any version to v1.1.1 and PXE and on reboot and on port profile change.

Impact:
Occasionally tenant deployment fails to come up.

Workaround:
None

1117237-2 : FPGA bit files are not updated to the latest version after a live upgrade

Component: F5OS-A

Symptoms:
FPGA bit files are not updated to the latest version after a live upgrade.

Conditions:
Live upgrade to an ISO file.

Impact:
Unexpected behavior with tenant and traffic.

Workaround:
Run the following commands from the bash prompt:

1. /bin/systemctl stop appliance_orchestration_manager_container.service

2. /bin/systemctl stop platform-services-deployment.service

3. reboot

Once the system is rebooted, the correct bit files will be installed.

Fix:
Cleaned up the stale/old container volumes before bringing up the new containers.

1116869-1 : Tcpdump on F5OS does not capture packets of certain sizes

Links to More Info: BT1116869

Component: F5OS-A

Symptoms:
When using tcpdump on the F5OS host, packets of certain sizes may not be captured via tcpdump.

Conditions:
Tcpdump packets less than 1501 bytes and greater than 1483 bytes as well as several other ranges are affected by this issue.

Impact:
Tcpdumps may be incomplete.

Fix:
Packets of certain sizes are no longer dropped.

1116185-1 : Removing multiple images simultaneously from the webUI causes an error

Component: F5OS-A

Symptoms:
The image removal action handler takes the input and processes it one item at a time. From the CLI/RESTCONF interface, the user can provide one image at a time. But the webUI allows the user to select multiple images and click Delete to remove them in a single click. This was creating a backend handler issue that caused the image agent to crash.

Conditions:
When multiple images are selected and processed for removal from the webUI.

Impact:
In this situation, all subsequent image removal requests cause an error: "Error: application communication failure".

Workaround:
The issue is fixed in F5OS-A 1.2.0. To avoid this situation in other releases of F5OS-A, the user must select one image at a time for deletion from the webUI.

Restarting the image agent service recovers the system from this state.

Fix:
The issue is fixed by improving the image removal process.

1116169 : WebUI does not inform users that file transfer status may take some time to return depending on various factors like network speed

Component: F5OS-A

Symptoms:
The webUI does not inform users that file transfer status may take some time to return depending on various factors like network speed, which could lead to some confusion.

Conditions:
Occasional delay in fetching file transfer status due to network speed and other factors.

Impact:
Missing clarity on file transfer success/failure.

Workaround:
If the user is not able to see the file transfer status immediately they will be able to see it automatically within 15 seconds, as there is continuous polling for the API.

Fix:
Informative text on the file import/export displays to align user expectations.

1114485-1 : K3s cluster goes to unhealthy state when system is rebooted after changing hostname.

Component: F5OS-A

Symptoms:
When the system hostname is changed and the system is rebooted, all or some of the following symptoms may be encountered:
-- System-related pods in K3s are stuck in a failure state.
-- The K3s cluster shows more than one node.
-- OMD continuously cores.

Conditions:
The system is rebooted after the hostname is configured in confd.

Impact:
-- K3s cluster goes into an unhealthy state.
-- Tenant functionality is impacted.

Workaround:
None

Fix:
Changing the hostname via confd does not change the system hostname.

Configured hostname is reflected only in the bash and confd prompts.

When no hostname is configured, the bash prompt uses a default PS1 prompt.

1114437 : Ambiguous error message when user configures duplicate IP port combination

Component: F5OS-A

Symptoms:
A duplicate IP/port combination is not allowed in allowlist configuration. Allowlist is mainly used to allow traffic from specific source addresses.
The error message is generic and does not describe the problem.

Conditions:
An error is displayed when the user tries to configure the same IP and port as part of two different allowlist profiles.

Impact:
The error message is not descriptive, and the user might not be able to identify the issue immediately.

Workaround:
N/A

Fix:
A descriptive error message is displayed on the screen, informing the user about a duplicate IP and port.

1114369 : Error log "Failed to execute iptable cmd: ," getting generated when trying to add same port to allow list

Component: F5OS-A

Symptoms:
When an allowed IP for the same port is added more than once, this log is generated.

Conditions:
Add allowed IP for the same port more than once.

Impact:
No impact on functionality. The function to remove the default rule, which is failing, is being called every time.

Workaround:
N/A

Fix:
The log is no longer generated.

1114173 : LOP Controller RX error: unknown

Component: F5OS-A

Symptoms:
Within the platform.log file, one can see a large number of error messages with the text including "LOP Controller RX error: unknown".

Conditions:
When the LOP firmware is upgraded to a recent version, new messages around the PSU PMBus have been added. When the application software is rolled back to an older version, the HAL layer no longer recognizes those messages and reports an unknown message error.

Impact:
The issue does not impact the operation of the product.

Workaround:
Updating to a more recent version of the rSeries ISO will prevent the message from showing up in the platform.log file.

Fix:
Update to a more recent version of the rSeries ISO.

1112533-1 : Status LED color always stays amber

Component: F5OS-A

Symptoms:
The status LED is always amber.

Conditions:
This occurs during normal operation when the status LED should be green.

Impact:
Status LED may not change to green when system is operational.

Workaround:
None

Fix:
Added a diagnostic task that periodically monitors and sets status LED color to green.

1112229-1 : File download API changes to support file download from the webUI

Component: F5OS-A

Symptoms:
Header information is not effective to download files from the webUI.

Conditions:
X-Auth token is required to download from the webUI.

Impact:
Downloading files from the webUI fails.

Workaround:
None

1112141-2 : 10G/25G/40G burst support in rSeries appliance

Component: F5OS-A

Symptoms:
When a burst of traffic at 100Gb/s is sent to a 10G/25G/40G port, the burst size supported by the rSeries appliance depends on the buffer size. Once the buffer is full, packets are dropped.

Conditions:
-- Use of 10G/25G/40G ports.
-- A 100Gb/s burst of traffic occurs.

Impact:
This results in loss of egress packets.

Workaround:
None

Fix:
Improved the burst capability on rSeries appliances when 10G/25G/40G ports are used.

1111549-1 : System import functionality is unstable if PXE install source is not imported★

Links to More Info: BT1111549

Component: F5OS-A

Symptoms:
If a VELOS controller or rSeries appliance is PXE installed with a given ISO, and that ISO is not imported manually on the controller after the installation, future imports may fail or be left in an inconsistent state.

Conditions:
1. PXE install VELOS system controller or rSeries appliance
2. Fail to manually import ISO used for PXE install
3. Import other software

Impact:
Confusing import and upgrade failures under conditions that seem like they shouldn't produce issues.

Workaround:
After PXE installing a VELOS controller, make sure to manually import the ISO used for PXE install before importing any other platform software components.

Fix:
Better handling for cases where the ISO that is used for PXE install of VELOS controllers is not imported after the install.

1111533 : PSU status undeterminable under "show system events" output

Component: F5OS-A

Symptoms:
The "show system events" log messages are not clearly communicating PSU status.

Conditions:
The "show system events" command in ConfD always shows "Presence detected" when we assert and de-assert the power supply.

Impact:
User might not be able to conclude whether PSU is present and removed.

Workaround:
N/A

Fix:
User is now able to see "Absent" when PSU is physically removed and "Presence detected" when PSU is connected.

1111237-1 : Logrotate parameters do not get updated by software upgrade

Links to More Info: BT1111237

Component: F5OS-A

Symptoms:
If the parameters (frequency/size) for log file rotation are updated in a new software release, they are not updated on the target system during upgrade. The result is that the size of retained log messages depends on the upgrade history, not on the software version.

Conditions:
System that is live upgraded from any version to any other version prior to F5OS-C 1.5.0.

Impact:
When logfiles are collected by qkview, differing amounts of data may be gathered, perhaps omitting information that was intended to be collected.

Workaround:
None.

Fix:
The system updates the logrotate parameters during software install, so that the setting correspond to the software version, not the upgrade history.

1110429-1 : Duplicate service-instance entries in chassis partition

Links to More Info: BT1110429

Component: F5OS-A

Symptoms:
In rare circumstances, when viewing the partition service-instance entries, duplicate entries will exist for system level daemons like LACPD, L2FwdSvc, and SwRbcaster. The issue occurs rarely, and the user should only notice a cosmetic difference.

Conditions:
Adding blades to and removing blades from a partition may trigger the issue.

Impact:
Display is not correct.

Workaround:
Delete and recreate the affected partition.

Fix:
Duplicate service-instance entries will be removed in cases of a blade rebooting and a blade being added to a partition.

1109029-1 : Host Logs in F5OS-A not being rotated

Component: F5OS-A

Symptoms:
Log files under /var/log in host-os were able to grow in GBs.

Conditions:
Log files under /var/log not added in logrotate.

Impact:
Size of log files will grow in GBs, which will consume a significant amount of hard disk space.

Workaround:
N/A

Fix:
Host Logs in F5OS-A are now being rotated as expected.

1109021-2 : CLI commands are not logged in audit.log

Links to More Info: BT1109021

Component: F5OS-A

Symptoms:
CLI commands from ConfD are not getting logged in audit.log.

Conditions:
Execute commands using the ConfD CLI.

Impact:
CLI commands which are required for security compliance audit will not get logged in audiit.log file.

Workaround:
None

1108509 : Unable to fetch appliance fan speed using SNMP

Component: F5OS-A

Symptoms:
Unable to get appliance fan RPMs using SNMP (for example, snmpget/snmpwalk).

Conditions:
Appliance with management IP and allowlist configuration.

Impact:
User cannot fetch fan RPMs using SNMP; an SNMP walk will fail.

Workaround:
Fan speed can be fetched using CLI.

Fix:
Support to fetch fan details is added to the appliance code in 1.3.0, and data can now be fetched using SNMP.

1106881-3 : F5OS with an AFM license provisioned may provide incorrect AFM stats to a BIG-IP tenant

Links to More Info: BT1106881

Component: F5OS-A

Symptoms:
This is an intermittent problem where the affected BIG-IP tenant may receive incorrect statistics from the F5OS platform. This can cause the BIG-IP tenant to drop DNS traffic that should not be dropped.

Typically, the BIG-IP tenant will have periods of time where it receives the correct stats, and periods where it receives incorrect stats.

Conditions:
All of the below must be true:

-- Two or more BIG-IP tenants are deployed either on the same node in a partition or on the same appliance.
-- An AFM license is installed on the F5OS platform.
-- At least one tenant is receiving malformed DNS traffic.

Impact:
Clients that send DNS traffic to the affected BIG-IP tenant will not receive DNS responses when they should.

Workaround:
When AFM is provisioned for the system, deploying tenants on different nodes on a chassis based system or one tenant per appliance avoids the issue.

Fix:
BIG-IP tenants receive the correct platform statistics regardless of the node in which they are deployed.

1105001-1 : Large tar/gz/iso file download via the restconf API fails.

Links to More Info: BT1105001

Component: F5OS-A

Symptoms:
Downloading large tar/gz/iso files using the restconf API results in a corrupted file.

Conditions:
Large tar/gz/iso file download via the restconf API.

Impact:
Download fails, the downloaded file is corrupted.

Workaround:
None

Fix:
Fixed the code to download large tar/gz/iso files.

1104745-1 : Request for a webUI option to clear/reset the STP mode configuration

Component: F5OS-A

Symptoms:
On the webUI STP Configuration screen, the user does not have an option to clear STP mode once they have selected an STP mode.

Conditions:
User should have selected an STP mode.

Impact:
Once the STP mode is selected, the user does not have an option on the webUI to clear the selection.

Workaround:
None

Fix:
Added a new disabled option in STP mode selection. Selecting it will clear the previous STP mode selection.

1104569 : On upgrading, the correct webUI changes are not reflected

Component: F5OS-A

Symptoms:
On upgrading from one F5OS-A version to another, the appropriate webUI changes are not reflected, and the older changes still persist.

Conditions:
Upgrading from one F5OS-A version to another.

Impact:
Appropriate changes with respect to the version are not reflected on the webUI.

Workaround:
Refreshing the containers is a known workaround using /usr/libexec/platform-deployment stop and /usr/libexec/platform-deployment start.

Fix:
The fix is to clean up stale volumes so that new volumes are mounted after system reboot. A --remove-orphans flag was added to docker-compose down to remove volumes which were created in the previous run of docker-compose. Also, appliance_orchestration_manager was called to stop separately, as it was using a volume called config_vlogsev, which was also being used by other containers, because it is not a part of the platform.yml file. Also docker-compose down has been added before starting service in the beginning of the platform-deployment service to handle the scenario of upgrading from broken ISO to fix ISO.

1104541 : MIBs directory content is not accessible

Component: F5OS-A

Symptoms:
Directory contents are not accessible from ConfD API.

Conditions:
When file list ConfD API is used on MIBs directory, it is showing an invalid path.

Impact:
Will not be able to see directory content from ConfD API.

Workaround:
N/A

Fix:
The MIBs directory content is now accessible as expected.

1103001 : Tenants fail to come up after a live upgrade from pre-1.1.0 version to 1.1.0 on the r4xxx appliances★

Component: F5OS-A

Symptoms:
When a live upgrade is attempted from a pre-1.1.0 release to a 1.1.0 release on the r4xxx series of appliances, the tenants will not come up after the live upgrade.

The symptoms that will be seen are:
ICE driver may not load ( "lsmod | grep -i ice" will not show a line with 'ice' ), no VFs will be created, tenant deployment will fail.

Conditions:
-- An F5OS upgrade is performed on an r4xxx series appliance to version 1.1.0
-- The appliance was running pre-1.1.0 software
-- A license is installed
-- Tenants are attempted to be deployed

Impact:
Tenant deployment fails after live upgrade as the ICE driver is not loaded.

Workaround:
After the live upgrade, check that the tenant is failing to deploy.
Check that "lsmod | grep -i ice" does not show a line with 'ice'
reboot the system
Now rerun lsmod again. This should show the ice module line.

Fix:
Fixed in all versions after 1.1.0.

1102137-2 : Diagnostics ihealth upload qkview-file does not auto-complete with available qkview file names

Component: F5OS-A

Symptoms:
The ConfD command system diagnostics ihealth upload qkview-file is not tab-expandable, and you are not presented with the list of available qkview files.

Conditions:
Running "system diagnostics ihealth upload qkview-file <TAB>" to see the list of available qkview files.

Impact:
The available qkview files are not presented using tab autocomplete.

Workaround:
Run "system diagnostics qkview list" to obtain the list of available qkview files, and then manually type the desired qkview file name in when using the "system diagnostics ihealth upload qkview-file" command.

Fix:
Pressing <TAB> after system diagnostics ihealth upload qkview-file will produce a list of available files. Entering part of the name and <TAB> will auto-complete selecting a valid and available qkview file name.

1101365 : Delay in tenant deployment with tenant image corruption error

Component: F5OS-A

Symptoms:
The system posts an intermediate error message:

Tenant image corrupted - Update the tenant config with proper image.

This error auto-recovers within 20 seconds.

Conditions:
Observed intermittently while bringing up the tenant.

Impact:
There is a delay in tenant deployment with an intermediate error on the CLI console.

Workaround:
None

1101237-1 : When configured for SNMP, the system does not properly report a sysObjectID for the F5OS system

Component: F5OS-A

Symptoms:
F5OS systems may not be detected by SolarWinds or other management systems due to the wrong sysObjectID configuration in SNMP.

Conditions:
SNMP

Impact:
F5OS systems may not be detected by SolarWinds or other management systems due to the wrong sysObjectID configuration in SNMP.

Fix:
The sysObjectIDs are correct now.

1100305-2 : Tcpdump capture of packets with interface-based filtering fails on r5000 and r10000 appliances

Component: F5OS-A

Symptoms:
On r5000 and r10000, running a tcpdump as follows:
appliance-1# system diagnostics tcpdump -nni 1.0

to filter packets traversing interface 1.0 only, will fail.

The error seen will be "errbuf ERROR:Interface configuration failed. Please retry tcpdump: pcap_loop: Interface configuration failed. Please retry."
and the client will terminate.

Retrying the client will not help, contrary to the message.

Conditions:
Tcpdump capture is started on an r5000 and r10000 device and the option to filter packets based on an interface ("-i" option) is chosen.

Impact:
Tcpdump cannot work in the interface filtering mode.
It will operate in the other modes; only the interface filtering option causes it to be unable to start.

Workaround:
1) Start a tcpdump capture with no interface filter
"system diagnostics tcpdump" or
"system diagnostics tcpdump -nni 0.0"

Packets will be captured from all interfaces, and further (non-interface) filters can be used to narrow down capture
For example:
"system diagnostics tcpdump host 1.1.1.1 and port 80" or
"system diagnostics tcpdump vlan 200"

2) Restart the tcpdump container. This would make the -i option available again.

1099469 : Control plane starvation on a fully loaded rSeries system

Component: F5OS-A

Symptoms:
When an rSeries appliance is running to maximum capacity, and CPU load is 100%, the control plane does not get enough cycles to perform operations.

Conditions:
When an rSeries appliance is running to maximum capacity.

Impact:
The control plane does not get enough cycles to perform operations.

Workaround:
echo 2048 > /sys/fs/cgroup/cpu/kubepods/cpu.shares

Fix:
cpu.shares is set to 2048 on boot to boost its CPU shares.

1099437-1 : Nic-manager core file

Component: F5OS-A

Symptoms:
During a power down sequence the l2-agent may generate a core file. The system comes back up without any issue.

Conditions:
System power loss.

Impact:
Core file is generated.

Workaround:
None

Fix:
A fix has been added to detect and prevent creating an l2-agent core file during a power down.

1099197 : Packet loss caused by failure of internal hardware bus

Component: F5OS-A

Symptoms:
All or 50% of from-network packets arriving at a front panel port are dropped in hardware prior to delivery to tenant(s) running on the CPU. Packet loss is caused by CRC errors on an internal bus connecting two hardware components leading to eventual failure of the bus.

Conditions:
Issue occurs randomly, but most commonly seen soon after bootup when packets first start to be handled by fastL4 hardware acceleration, hardware per-virtual server syn cookie protection, or AFM hardware protection.

Impact:
Total loss of from-network to CPU packets on r5900, r5800, and r5600 appliances, and either total loss or loss of 50% of from-network to CPU packets on r10900, r10800, and r10600 appliances. r4800, r4600, r2800, and r2600 appliances are unaffected.

Workaround:
Reboot the appliance and disable fastL4 acceleration, per-virtual syn cookie hardware protection, and AFM hardware protection before re-enabling ingress traffic.

Fix:
This issue has been corrected.

1097925-1 : Resolving CVEs on F5OS-A 1.1.0

Component: F5OS-A

Symptoms:
F5OS-A 1.1.0 is vulnerable to the CVEs mentioned in the bug.
CVE-2021-27219
CVE-2021-43527
CVE-2022-23852
CVE-2020-10531
CVE-2022-24407
CVE-2018-1000805
CVE-2021-44142
CVE-2020-12321
CVE-2020-24489
CVE-2021-42574
CVE-2020-8625

Impact:
F5OS-A 1.1.0 is vulnerable to the CVEs mentioned in the bug.

1097833 : Debug messages logged in platform.log

Links to More Info: BT1097833

Component: F5OS-A

Symptoms:
When performing an ISO install on the hardware, some services log debug messages to platform.log until ConfD comes up.

Conditions:
This occurs during an ISO install.

Impact:
Unnecessary debug logs are logged to platform.log.

Workaround:
None

1096885-1 : Tenant image filename with special characters allowed to import, but tenant deployment fails

1092049 : CVE-2020-7774 - The package y18n before 3.2.2, 4.0.1 and 5.0.5, allows unsafe operations.

Component: F5OS-A

Symptoms:
The package y18n before 3.2.2, 4.0.1 and 5.0.5, allows unsafe operations.

Conditions:
This affects the package y18n before 3.2.2, 4.0.1, and 5.0.5.

Impact:
N/A

Workaround:
None

Fix:
This has been fixed by upgrading 'react-scripts' to version 4.0.0 and thus 'y18n' to v4.0.3 and replacing 'node-sass' with 'sass' which doesn't require 'y18n'.

1091641-2 : NTP (chrony) packet authentication is not fully implemented on VELOS

Links to More Info: BT1091641

Component: F5OS-A

Symptoms:
It is not possible to enable NTP packet authentication.

Conditions:
Running a version of F5OS-C earlier than 1.5.0.

Impact:
NTP packet authentication is not available.

Workaround:
None

Fix:
Added support for NTP packet authentication.

1090753 : NSO and ASW XBAR packet drops on 10G, 25G, and 40G interfaces.

Component: F5OS-A

Symptoms:
Unexpected egress packet drops can be seen in XBAR for 10G, 25G, and 40G ports.

This is a packet burst congestion issue that overflows XBAR egress buffers. The issue is seen mainly on 10G ports.

Conditions:
This issue can happen when customers are using the 10G, 25G, or 40G front panel interfaces.

Impact:
The impact is egress packets dropped at 10G, 25G, and 40G front panel interfaces.

Workaround:
The workaround for this issue is to upgrade to NSO bitfile version nso_1ST210EU2F50E2VG_v70.2.10.11_d22.06.23.00.bit and ASW bitfile version asw_1ST280EU2F50E2VG_v71.2.12.11_d22.06.15.00.bit. These bitfiles and newer include added packet buffer memory in the XBAR.

The added packet buffer memory greatly improves the packet drop issue, but does not resolve it completely. In testing, packet drops were still seen as system throughput approached 190Gb.

Fix:
The initial fix for this issue is to add memory to the 10G, 25G, and 40G output buffers. Memory was increased from 4Mb to 8Mb.

The added packet buffer memory greatly improves the packet drop issue, but does not resolve it completely. In testing, packet drops were still seen as system throughput approached 190Gb.

1090521 : Tenant deployment may fail if the memory configured is an odd number.

Links to More Info: BT1090521

Component: F5OS-A

Symptoms:
1. Tenant deployment fails.
2. System may go into bad state.

Conditions:
When memory configured for a tenant is set to an odd number.

Impact:
Tenant deployment fails.

Workaround:
This issue has been fixed in F5OS-A 1.2.0.

1090145-1 : VLAN-Listener incorrectly updated on Network Manager component restart

Links to More Info: BT1090145

Component: F5OS-A

Symptoms:
When the Network Manager component is restarted, VLAN Listener entries can be incorrectly updated to each tenant's default Service ID.

Conditions:
Network Manager restarts can happen due to system controller restarts, partition upgrades, or a manual restart.

Impact:
Some traffic could incorrectly follow the default Port Hash disaggregation algorithm. For example, if a VLAN has been set to use the IPPORT disaggregation algorithm, this reset can cause some of the traffic to revert to using the default Port Hash algorithm.

Workaround:
Inside the affected tenants, the cmp-hash field can be changed back to default, then changed back to the desired setting.

1090089 : NTP service does not work on rSeries appliances

Component: F5OS-A

Symptoms:
The NTP service does not work on rSeries appliances that run F5OS-A.

Running chronyc ntpdata returns "501 Not authorized"

Conditions:
-- rSeries appliance running F5OS-A
-- NTP configured

Impact:
NTP functionality does not work.

Workaround:
Change directory ownership to chrony using below command:

chown chrony:chrony /var/run/chrony

Fix:
Update ownership for "/var/run/chrony" directory and removed unwanted configuration from "chrony.conf".

1089721 : Prefix length support to allow multiple IP addresses

Component: F5OS-A

Symptoms:
Prefix length was not supported previously, and users had to configure one IP per command in order to support multiple source IPs.

Conditions:
Always

Impact:
Multiple source IP addresses cannot be allowed using a single command.

Workaround:
NA

Fix:
This improvement supports the configuration of prefix length to allow multiple IP addresses using a single command.
Prefix length is an additional parameter in the existing configuration command.

1088565-1 : Various services may stop working on a system controller if the LCD is malfunctioning

Links to More Info: BT1088565

Component: F5OS-A

Symptoms:
Various services may become unresponsive or not work correctly.

Conditions:
LCD is not working or host cannot communicate with the LCD.

Impact:
Any functionality that interacts with platform-hal could be impacted.

Workaround:
Recover or repair the LCD. Rebooting the affected system controller can also help temporarily.

Fix:
Fixed a leak that occurs when platform-hal cannot communicate with the LCD.

1086749-1 : Interface speeds are not reported correctly when linked at a slower speed

Component: F5OS-A

Symptoms:
RSeries 2xxx/4xxx interfaces support linking at certain speeds slower than the portgroup speed, but the interface speed is reported as higher.

For example:
-- A portgroup in 25G mode accepts a 10G SFP and link at 10G. The interface speed is reported as 25G.
-- A portgroup in 25G mode can link at 1G. The interface speed is reported as 25G.
-- A portgroup in 10G mode can link at 1G. The interface speed is reported as 10G.

Conditions:
This occurs when using an SFP that only supports a slower speed, or when connecting a 10G copper port to a 1G capable device.

Impact:
The interface speed reported in the webUI/CLI is higher than the actual link speed.

Workaround:
You can determine the actual link speed using ethtool, for example:

 -- For port 1.0, use ethtool x557_1.
 -- For port 5.0, use ethtool sfp_5.

Fix:
Now reports correct interface speeds.

1085925-1 : SSH connection cannot be allowed/blocked based on source IP address

Component: F5OS-A

Symptoms:
There is no command in F5OS-A or F5OS-C that can be used to allow SSH connection only from specific (or range) IP addresses.

SSH connections are allowed from all source IP addresses.

Conditions:
F5 rSeries or VELOS platform

Impact:
Malicious users might be able to connect (SSH) to F5OS-A or F5OS-C device.

Workaround:
None

Fix:
The existing command "system allowed-ips allowed-ip ..." is enhanced to support SSH. The command can be used to specify source IP addresses that can establish SSH connection.

1085149-1 : Customer requires auth token session to be configurable

Component: F5OS-A

Symptoms:
The restconf token session was not configurable in both F5OS-C and F5OS-A.

Conditions:
F5OS-C or F5OS-A webUI.

Impact:
The customer experienced a fixed session timeout within one hour and the customer has to log in again to the webUI session.

Workaround:
N/A

Fix:
This issue is fixed in F5OS-C 1.6.0 and F5OS-A 1.3.0. Now the token session timeout is configurable for up to one day.

1084817-3 : Container api-svc-gateway crashes due to certificate issues partition database

Links to More Info: BT1084817

Component: F5OS-A

Symptoms:
The api-svc-gateway container crashes when a bad self-signed certificate or key is published to partition database.

Conditions:
A corrupted certificate/key causes the issue.

Impact:
The api-svc-gateway service crashes.

Workaround:
Run the following command:

(config) # system database reset-to-default proceed

Fix:
In the scenario this happens, api-svc-gateway now:

 * detects when it cannot set up an SSL connection using these credentials
 * logs an error
 * sets health status to unhealthy with appropriate error and severity
 * tries to start a GRPC server with only insecure credentials

1083993-1 : File import should check that the target doesn't exist

Links to More Info: BT1083993

Component: F5OS-A

Symptoms:
File import will fail if the same file name already exists.

Conditions:
Importing a file that already exists on the file system.

Impact:
An error occurs if the file already exists.

Workaround:
None

1083077-1 : LACP trunks are not configured automatically in BIG-IP tenant running on F5OS chassis/appliances

Component: F5OS-A

Symptoms:
When an LACP trunk is configured on an F5OS chassis/appliance and only the native VLAN is attached, the LACP trunk will not be automatically configured on the BIG-IP tenant.

Conditions:
This behavior is observed only when the LACP trunk is attached to a native VLAN.

Impact:
LACP trunk configuration will not be applied to the BIG-IP tenant automatically when only a native VLAN is attached to it on the platform.

Workaround:
Configure the LACP trunk in the BIG-IP tenant manually.

Fix:
LACP trunks are now configured automatically in BIG-IP tenant running on F5OS chassis/appliances, as expected.

1082513 : LACP waitOnAlertFd Errors

Component: F5OS-A

Symptoms:
The system posts error messages in the platform.log:

LacpdHeartBeatsClient::run() waitOnAlertFd Error!

Conditions:
This occurs at startup, reboot, and upgrade.

Impact:
There is no functional impact; you can safely ignore these messages.

Workaround:
None

Fix:
Reduced the frequency of LACP waitOnAlertFd error messages.

1077149-1 : The fpga-tables CLI command results in syntax error in configuration mode

Component: F5OS-A

Symptoms:
When in configuration mode on the CLI and entering the fpga-tables path, a syntax error is encountered. For example:

r5900-2(config)# fpga-tables ?
Possible completions:
  <cr>
r5900-2(config)# fpga-tables
-----------------------------^
syntax error: incomplete path
r5900-2(config)#

Conditions:
Performing CLI commands in the fpga-tables path while in configuration mode.

Impact:
The fpga-tables are intended to be operational data only. Configuration of the fpga-tables path is not supported, so the impact is cosmetic. The error can be ignored.

Workaround:
The error can be ignored.

1075693-1 : CVE-2021-22543 Linux Kernel Vulnerability

Links to More Info: K01217337

1075361-1 : Messages log has a very high number of "error" and "fail" entries

Component: F5OS-A

Symptoms:
During system bring up/reboot, various fail and error logs are seen from multiple software components.

Conditions:
During system boot up or if we perform multiple reboots we may see various errors/failures in log messages.

Impact:
User will see error/fail messages, while System bring up/reboot.

Workaround:
N/A

Fix:
Fixed the error/fail logs for few components.

1074093 : Admin console is displayed when SSH login with a new root user★

Component: F5OS-A

Symptoms:
Non-root user is allowed to get root role. If any such user exist, they get an admin console instead of root console.

Conditions:
A new non-root user is created with root role.
Example :
appliance-1(config)# system aaa authentication users user user_test config username user_test role root

Impact:
non-root user with role root is restricted.

Note: In case of live upgrade from previous to current release, any non-root user with root role may cause upgrade to fail (as non-root users with root role are restricted), and you will need to either delete these users or do a bare metal install before performing a live upgrade.

Fix:
Current fix prevents creation of a non-root user with root role.

1074001 : service:overall-health attribute reports OK when the service state is unhealthy

Component: F5OS-A

Symptoms:
service:overall-health value is reported as OK, when state is unhealthy.

Conditions:
When service state is unhealthy, service:overall-health attribute is not updated.

Impact:
service:overall-health is not reporting service state properly.

Workaround:
N/A

Fix:
Updated the service:overall-health attribute.

1073581-2 : Removing a 'patch' version of services might remove the associated 'base' version as well

Links to More Info: BT1073581

Component: F5OS-A

Symptoms:
Removing a 'patch' version (X.Y.Z, Z>0) of a platform ISO or services might, under certain conditions, lead to the unexpected removal of the 'base' version (X.Y.0) associated with that patch.

Conditions:
1. A 'patch' ISO is imported when the 'base' associated with the patch is not already imported (example: An F5OS-C 1.2.2 ISO is imported, and F5OS-C1.2.0 is not already imported).
2. Some time later, the F5OS-C 1.2.2 ISO is removed. This also removes the 1.2.0 services.

Impact:
F5OS-C removes software that wasn't explicitly chosen to be removed.

Workaround:
To work around this issue, import the 'base' version ISO (X.Y.0) before importing any patches. If this is done, removal of a 'patch' will not remove the 'base'. If a 'base' was already removed accidentally, re-importing the 'base' ISO will also make it available again.

Fix:
N/A

1072209-3 : Packets are dropped on VELOS when a masquerade MAC is on a shared VLAN

Links to More Info: BT1072209

Component: F5OS-A

Symptoms:
On the VELOS platform, any packets destined to a masquerade MAC address are dropped when the masquerade MAC is located on a shared VLAN (a VLAN shared between multiple F5OS tenants).

On rSeries hardware platforms, all traffic for this MAC is first handled by the software-rebroadcaster and is replicated to all tenants sharing that VLAN.

Conditions:
-- A masquerade MAC is configured on a shared VLAN.
-- Traffic to the MAC address is initiated, that is, ping a floating self-IP.
-- The packets are dropped on ingress.

Impact:
Connectivity issues.

Workaround:
Configure a static FDB entry at the partition level.

Fix:
Packets are no longer dropped when a masquerade MAC is on a shared VLAN.

1068517-2 : VLAN connectivity among F5OS tenants is lost

Links to More Info: BT1068517

Component: F5OS-A

Symptoms:
Inbound ARP broadcasts on VLANs shared by tenants on VELOS or rSeries system are not received, and shared VLAN connectivity among tenants is lost.

Conditions:
A high volume of DLF packets are handled by the software rebroadcaster

Impact:
Loss of connectivity on VLANs shared among tenants.

Workaround:
On a VELOS system, restart the sw_rbcast container on the affected blade:

# docker restart partition_sw_rbcast

On an rSeries appliance, restart the sw_rbcast container on the appliance:

# docker restart system_sw_rbcast

Fix:
This issue no longer occurs.

1062765-1 : Tenant Status shows error "Insufficient f5.com/qat"

Component: F5OS-A

Symptoms:
Some unhealthy events intermittently occur that are related to "Insufficient f5.com/qat" inside ConfD. But the tenant is actually healthy and functional.

Conditions:
Intermittently on a system upgrade. Tenant status might show failed messages in ConfD.

Impact:
No impact, the tenant is actually healthy and functional.

Workaround:
No workaround necessary.

Fix:
Issue fixed in F5OS-A 1.3.0 release.

1062309-1 : "Failed unmounting" errors during shutdown.

Component: F5OS-A

Symptoms:
"Failed unmounting" errors are seen during the shutdown, because of unmounting of temporary directories, which are created during the SW import.
[FAILED] Failed unmounting /var/images/R5R10/1.0.0-10192.
[FAILED] Failed unmounting /var/export/chass...mounts/iso/R5R10/1.0.0-10192/m3.
[FAILED] Failed unmounting /var/export/chass...unts/services/R5R10/1.0.0-10192.

Conditions:
The "Failed unmounting" errors are seen when a system is rebooted.

Impact:
Error statements are seen in the shutdown logs. They can be ignored.

1056453-1 : Tenant datapath will not work if the tenant is named "stpd".

Component: F5OS-A

Symptoms:
If a tenant is created with the name "stpd", there will be a conflict with a system component. The datapath will not function correctly.

Conditions:
A tenant is created with the name "stpd".

Impact:
The datapath for the tenant will not function.

Workaround:
Change the name of the tenant.

Fix:
N/A

1055329-2 : VLAN shared between two tenants might not pass traffic to tenant with non-default CMP hash.

Links to More Info: BT1055329

Component: F5OS-A

Symptoms:
If two tenants on a VELOS chassis are configured with a shared VLAN, one tenant might not pass traffic if it has a non-default CMP hash configured for that VLAN.

Conditions:
-- VELOS chassis
-- Configure a VLAN shared between two or more tenants
-- In one tenant, configure a non-default CMP hash for the VLAN

Impact:
No connectivity.

Workaround:
After configuring a non-default cmp hash, run "docker restart partition_sw_rbcast" on each blade.

Fix:
Fixed operation of shared VLAN when cmp hash is not the default.

1053793-1 : QKView list and status results are difficult to parse

Component: F5OS-A

Symptoms:
The QKView list and status commands return output that can be difficult to read.

Example 1 :: running the command: system diagnostics qkview list:

frodo# system diagnostics qkview list
result {"Qkviews":[{"Filename":"appliance-1.qkview","Date":"2022-06-15T22:59:57.704997979Z","Size":320434703},{"Filename":"cancelme.tar.canceled","Date":"2022-04-28T17:22:10.411870757Z","Size":3734340},{"Filename":"duplicate.qkview","Date":"2022-08-10T20:40:10.966027168Z","Size":490039715},{"Filename":"test.qkview","Date":"2022-06-15T23:21:23.068041954Z","Size":321199668},{"Filename":"test2.qkview","Date":"2022-07-13T19:01:32.712663042Z","Size":416706874},{"Filename":"teststatus.qkview","Date":"2022-08-23T23:27:19.283797639Z","Size":530892644}]}

resultint 0


This output is easier to parse:

FILENAME SIZE CREATED ON
------------------------------------------------------------------
teststatus.qkview 530892644 2022-08-23T23:27:19.283797639Z
duplicate.qkview 490039715 2022-08-10T20:40:10.966027168Z
test2.qkview 416706874 2022-07-13T19:01:32.712663042Z
test.qkview 321199668 2022-06-15T23:21:23.068041954Z
appliance-1.qkview 320434703 2022-06-15T22:59:57.704997979Z
cancelme.tar.canceled 3734340 2022-04-28T17:22:10.411870757Z

Example 2 :: running the command: system diagnostics qkview status:

result {"Busy":false,"Percent":100,"Status":"complete","Message":"Completed collection.","Filename":"teststatus.qkview"}

resultint 0


This output is easier to parse:
system diagnostics qkview state status capture-in-progress false
system diagnostics qkview state status percentage 100
system diagnostics qkview state status status-msg "Completed collection."
system diagnostics qkview state status filename teststatus.qkview

Conditions:
- Running "system diagnostics qkview list" within the CLI
- Running "system diagnostics qkview status" within the CLI

Impact:
Formatting of output makes troubleshooting more difficult.

Workaround:
None

Fix:
QKView output formatting is improved and easier to read, utilizing new commands.

To see a list of QKView files, use the following command within the CLI:
show system diagnostics qkview state files

To see the current status of a captured QKView, use the following command within the CLI:
show system diagnostics qkview state status

1040461-3 : Permissions of some QKView control files do not follow standards

Links to More Info: BT1040461

Component: F5OS-A

Symptoms:
Permissions of some QKView control files do not follow standards.

Conditions:
Viewing permissions of QKView files.

Impact:
Some do not follow standards.

Workaround:
None

Fix:
Permissions of all QKView control files now follow the standards.

• The F5 Networks Technical Support web site: http://www.f5.com/support/
• The AskF5 web site: https://support.f5.com/csp/#/home
• The F5 DevCentral web site: http://devcentral.f5.com/

Generated: Mon Feb 6 20:31:45 2023 UTC

©2023 F5, Inc. All rights reserved.