Supplemental Document : F5OS-A 1.5.0 Fixes and Known Issues Release Notes

Applies To:


F5OS-A

  • 1.5.0
Updated Date: 05/22/2023

F5OS-A Release Information

Version: 1.5.0
Build: 5781

Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.



Known Issues in F5OS-A v1.5.x

Vulnerability Fixes

ID Number | CVE | Links to More Info | Description
1253713-3 | CVE-2020-15999 | K000133070, BT1253713 | CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png


Functional Change Fixes

None


F5OS-A Fixes

ID Number | Severity | Links to More Info | Description
1290949-1 | 1-Blocking | BT1290949 | Invalid memory read in appliance orchestration manager
1290941-1 | 1-Blocking | | LLDP/STPD/LACPD in rSeries is flooding SEP_POLLERR when dma-agent restarts
1285969 | 1-Blocking | BT1285969 | Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down
1282757 | 1-Blocking | K000133379 | On upgrade, systems might overwrite key due to automatic firmware updating
1281861 | 1-Blocking | | Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0
1281749-1 | 1-Blocking | | Hashed/encrypted passwords are getting logged
1273445 | 1-Blocking | | Downgrade/upgrade issues are seen because ISO has special characters in the file name
1269989-2 | 1-Blocking | BT1269989 | tcam-manager may get stuck using 100% CPU
1267253-2 | 1-Blocking | BT1267253 | LDAP shadowExpire attribute not honored
1250901-2 | 1-Blocking | BT1250901 | On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state
1232369 | 1-Blocking | | Intel Microcode update
1226505-2 | 1-Blocking | | Average transactions per second impacted in certain cases
1280365-3 | 2-Critical | BT1280365 | WebUI and shell admin access unavailable after upgrade to when one of the previously installed images is no longer present
1273025-1 | 2-Critical | | Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption
1273021-1 | 2-Critical | | ISOs imported with regex special characters in their names are getting deleted
1252377-2 | 2-Critical | BT1252377 | VXLAN-GPE and GENEVE are disabled by default when software is upgraded from F5OS-A 1.3.0 build to F5OS-A 1.4.0
1249773-2 | 2-Critical | BT1249773 | QKView may fail to collect all files for platform-monitor container
1231357 | 2-Critical | BT1231357 | Unexpected reboot might occur on r5000/r10000 Series
1215917 | 2-Critical | | webUI failed to load when downgrading from 1.5.0 to 1.3.1 with self-signed certificate with encrypted RSA key type
1211025 | 2-Critical | BT1211025 | Firmware update interrupted during OS install
1204481 | 2-Critical | K000132166, BT1204481 | System may flap external links multiple times during startup or links may fail to come up at all
1184821 | 2-Critical | BT1184821 | Obscure crash in external authenticator
1137121-3 | 2-Critical | BT1137121 | Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0
1136597-3 | 2-Critical | BT1136597 | LDAP user with admin and operator role gets only operator permissions
1273845-1 | 3-Major | BT1273845 | Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration
1273017-1 | 3-Major | BT1273017 | LACPD restarts when changing aggregation lag-type through configuration utility webUI
1251981 | 3-Major | BT1251981 | Speed on webUI Interfaces screen is empty for 1GB
1239325 | 3-Major | BT1239325 | Issue when Management IP address is configured to have public internet access on F5OS
1236857-1 | 3-Major | BT1236857 | F5OS OID SNMPv2-MIB::sysDescr provides meaningless information for system controller
1234049 | 3-Major | BT1234049 | The Add/Edit tenant deployment screen on the r4600 webUI does not have the option for 12 vCPUs in the vCPUs dropdown
1230609 | 3-Major | BT1230609 | Neighbor interface description is not updated in LLDP neighbor details
1229465-3 | 3-Major | | QKView is not collecting core files in /var/crash
1226429 | 3-Major | BT1226429 | "DEBUG cannot reply twice on the same call" log reporting repeatedly
1207485-1 | 3-Major | BT1207485 | LACP daemon restarts when changing lag-type of the aggregation
1188053 | 3-Major | | SSH idle-timeout support
1185701-2 | 3-Major | BT1185701 | 'system aaa' command in ConfD fails with "Error: application communication failure"
1185497-3 | 3-Major | BT1185497 | Tenant health in the partition shows additional entries that are not part of the tenant configuration
1181721 | 3-Major | | Add additional commands and files to QKView collection
1165973-2 | 3-Major | BT1165973 | Application error while using the CLI command "show components"
1232309 | 4-Minor | | CVE-2020-10754: nmcli did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings
1225981-1 | 4-Minor | BT1225981 | Files greater than 1000 MiB are truncated in QKView
1211861 | 4-Minor | BT1211861 | Configured input values of IP address fields reset to default upon switching the protocol
1211777 | 4-Minor | BT1211777 | Configured input values of IP address fields reset to default upon switching the protocol
1190369 | 4-Minor | | Terminal window not reflecting configured hostname
1167761-2 | 4-Minor | | Directory Indexing enabled for management webUI


Cumulative fix details for F5OS-A v1.5.0 that are included in this release

1290949-1 : Invalid memory read in appliance orchestration manager

Links to More Info: BT1290949

Component: F5OS-A

Symptoms:
An "invalid read" was identified in OMD.
During "show cluster events", the code path where the ConfD API reads already-freed memory is hit, which leads to an invalid read.

Conditions:
Executing "show cluster events".

Impact:
Using freed memory may cause unexpected behavior in the system.

Workaround:
N/A

Fix:
Code changes to address memory violations in the code.


1290941-1 : LLDP/STPD/LACPD in rSeries is flooding SEP_POLLERR when dma-agent restarts

Component: F5OS-A

Symptoms:
The following message floods platform.log when dma-agent restarts:
"SEP library in ERR state, sep_client_poll() returns SEP_POLLERR".

Conditions:
dma-agent restart.

Impact:
L2 functions such as LLDP/STPD/LACPD are affected.

Workaround:
Reboot the device.

Fix:
The code was fixed so that it no longer floods the log.


1285969 : Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down

Links to More Info: BT1285969

Component: F5OS-A

Symptoms:
One or more interfaces in LACP aggregations may be considered down when they should not be.

Conditions:
Internally, LACPD hashes each interface name to an integer port number, and the hash of some aggregation interface names collides with the hash of an ethernet interface name. Changes to these aggregation interfaces can then impact the ethernet interface.

Impact:
Traffic through the affected ethernet interface in LACP aggregations may be disrupted. This can cause either degraded performance or traffic failure for LACP aggregations that the interface is a member of.

Workaround:
Only use aggregation interface names that don't hash to the same port numbers as ethernet interfaces.

To determine whether an existing aggregation interface's port number conflicts with an ethernet interface, review the lacpd_interface_stat table.

For a VELOS partition, use the lacpd container on any blade in the partition to run tmctl.
For an appliance, use the system_lacpd container to run tmctl.

The following example from an rSeries appliance shows the aggregation interface "vlag" with the same port number as interface 1.0:

[root@appliance-1 ~]# docker exec -it system_lacpd bash

[root@appliance-1 partition]# tmctl lacpd_interface_stat -s name,port_num
name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
4.0 4096
5.0 5120
6.0 6144
7.0 7168
8.0 8192
9.0 9216
mgmt 43008
vlag 1024

If an aggregation interface hashes to the same port number as an Ethernet interface:

1. Delete the conflicting aggregation interface.

2a. Restart the lacpd containers,

    or

2b. Reboot the appliance, or for VELOS reboot each blade in the partition.

Fix:
Aggregation interface names no longer impact ethernet interfaces in an LACP aggregation.
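The collision check from the workaround above, as an added helper script that is not part of the release note: it reads the output of "tmctl lacpd_interface_stat -s name,port_num" and flags every non-Ethernet row (an aggregation such as "vlag") whose port_num equals an Ethernet interface's port_num. The table below is constructed from the note's example plus two extra aggregation rows ("agg2", which collides, and "agg3", which does not); the container name system_lacpd is the one the note uses for an appliance.

```shell
#!/bin/sh
# Added example (not F5's code): find LACPD port_num collisions between
# aggregation interfaces and Ethernet interfaces (bug 1285969 workaround).
# Ethernet interface names have the form N.M (e.g. 1.0); any other row in the
# table (mgmt, or an aggregation such as vlag) is checked against them.

# Constructed sample output of: tmctl lacpd_interface_stat -s name,port_num
SAMPLE_TABLE='name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
mgmt 43008
vlag 1024
agg2 2048
agg3 3000'

# Prints one line per collision: "<non-ethernet name> <port_num> <ethernet name>",
# sorted by name. Prints nothing when there is no collision.
find_lacp_collisions() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                                # header and ---- rows
        $1 ~ /^[0-9]+\.[0-9]+$/ { eth[$2] = $1; next }  # ethernet: port -> name
        { other[$1] = $2 }                              # aggregation/mgmt: name -> port
        END {
            for (name in other)
                if (other[name] in eth)
                    print name, other[name], eth[other[name]]
        }' | sort
}

# On a live rSeries appliance the same function can be fed the real table:
#   find_lacp_collisions "$(docker exec system_lacpd tmctl lacpd_interface_stat -s name,port_num)"
find_lacp_collisions "$SAMPLE_TABLE"
```

Each line of output names an aggregation interface that should be deleted before restarting the lacpd containers or rebooting, as described in steps 1 and 2 above.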


1282757 : On upgrade, systems might overwrite key due to automatic firmware updating

Links to More Info: K000133379

Component: F5OS-A

Symptoms:
When upgrading to a new version (such as 1.4.0), automatic firmware updates run and interfere with retrieval of the encryption key, causing a new key to be generated, which blocks api-service-gateway.

Conditions:
Upgrading to a new version where automatic firmware updates get started at boot-up.

Impact:
The api-service-gateway container does not come up and there is no communication with the tenant.

Workaround:
docker exec -it system_manager bash
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-key"
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-cert"

Fix:
A new encryption key is no longer generated unless the TPM module has none. The code keeps retrying key retrieval until it succeeds or the ConfD timeout (300 seconds) occurs.


1281861 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0

Component: F5OS-A

Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".

Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.

Impact:
Tenants will not start and are unusable.

Workaround:
To work around this issue, perform one of these actions:

1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".

Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.


1281749-1 : Hashed/encrypted passwords are getting logged

Component: F5OS-A

Symptoms:
When the audit log entries are created with database changes, the updated values of password hashes and encrypted passwords are exposed. These values are potentially sensitive and should be masked.

Conditions:
Updating user passwords, server passwords, and other values that are stored as either hashes or encrypted in the configuration database.

Impact:
Potentially exposes sensitive information, although the encrypted fields use AES128-CFB and the one-way hashes use SHA512, so they cannot easily be converted back to plaintext form.

Workaround:
Restrict log viewing to trusted users.

See the following page for more information: https://my.f5.com/manage/s/article/K58243048

Fix:
These fields are now always masked during audit logging.


1280365-3 : WebUI and shell admin access unavailable after upgrade to when one of the previously installed images is no longer present

Links to More Info: BT1280365

Component: F5OS-A

Symptoms:
1. WebUI or CLI inaccessible via admin account (that is, ConfD is not up):
[root@appliance-1(XXXXXXXXX) log]# su admin
Failed to connect to server

2. The sw-mgmt.debug file contains a line similar to this one (the image version varies depending on which image is missing):
DEBUG: Source file /var/export/chassis/import/.mounts/iso/R2R4/1.1.1-9159/m3/*-services/F5OS*.img does not exist, removing from all_sw.

3. Containers are stuck in ImagePullBackOff. For example, the system_network container cannot be pulled, and the following error is observed in the messages log:

appliance-1 dockerd-current: time="2023-03-24T15:09:26.631359235Z" level=error msg="Not continuing with pull after error: Error: image system_network:1.4.5-f5os-a-1-4-0-candidate.2023-02-14-15-09-15.S9b340f7e not found"

Conditions:
Both of the following conditions:

1. An ISO image has been ungracefully removed from the /var/import/staging folder. Examples of ungraceful removal:
-- Deleted via bash (after running chattr -i <image name>)
-- The image name contained parentheses and, as per ID1273021, it was wiped out upon reboot.

2. The /var/import/import.json file includes a reference to the removed image that is listed BEFORE the reference to the currently used image.

Impact:
The device webUI is inaccessible and ConfD cannot be accessed. Root access still works.

Workaround:
Two workarounds:
1. Re-import the deleted image and reboot the box.
2. Remove the whole section that references the deleted image from import.json file and reboot the box.

Fix:
N/A


1273845-1 : Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration

Links to More Info: BT1273845

Component: F5OS-A

Symptoms:
Manually adding a TLS Certificate & Key on the webUI (instead of storing them through Self-Signed Certificate), or removing the Certificate & Key, removes the TLS configuration, which includes verify-client and verify-client-depth.

Conditions:
- When there is an existing Verify Client and Client Depth configuration and the user tries to remove the TLS Certificate & Key on the Certificate Management screen on the webUI.

- When the user fills in the TLS Certificate & Key on the Certificate Management screen on the webUI.

Impact:
The Verify Client and Client Depth configuration of Certificate Authentication is changed to default values, which disables verification of httpd client certificates.

Workaround:
- Remove or add the TLS Certificate & Key through the CLI.
- While creating a Self-Signed Certificate, set the "Store TLS" field to true.
- Re-add Verify Client and Client Depth after removing or manually adding the TLS Certificate & Key.


1273445 : Downgrade/upgrade issues are seen because ISO has special characters in the file name

Component: F5OS-A

Symptoms:
If an F5OS-A ISO with a filename containing 'special characters' (+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , \) is imported onto the device, and the system is downgraded/upgraded with this ISO, the upgrade/downgrade can fail.

Conditions:
1. Download and import an ISO with a 'special character' in its name (for example, F5OS-A-1.5.0-*.iso).
2. Attempt an upgrade/downgrade.
3. The upgrade/downgrade fails.

Impact:
Upgrade/downgrade will fail, requiring manual intervention to recover the system.

Workaround:
1. Before performing a platform software upgrade, compare the versions referenced by the "show system image" ConfD CLI command with the names of the files present in the "/var/import/staging" directory.

If the ISO is not present in /var/import/staging but is shown in the "show system image" command output, import it again to "/var/import/staging".

2. If any ISO file with a name containing a special character is present in "/var/import/staging", remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt the upgrade.

3. To remove an ISO file with a name containing special characters, use the following command:

appliance-1(config)# system image remove iso <iso version>

4. If the above command fails or cannot be used, follow this procedure to delete the image:
  * log in to the device as root
  * chattr -i "/var/import/staging/<iso with special characters>"
  * rm -rf "/var/import/staging/<iso with special characters>"

In case downgrade or upgrade failure has already occurred due to this issue, follow these steps to recover the system:

1. Download another copy of the ISO with a proper name to /var/import/staging.

2. Wait for five minutes for it to import. If ConfD is unavailable, you can check the logs in /var/log/sw-mgmt.debug for import status.

3. Once the import is complete, reboot the system. This should recover the system.

Fix:
The fix is to delete the ISO with the special characters when it is being imported.


1273025-1 : Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption

Component: F5OS-A

Symptoms:
The virt-handler pod crashes upon downgrading from F5OS-A 1.4.0 to F5OS-A 1.3.2, and a tenant is stuck in the pending state.

Conditions:
Configure TACACS server-group on a non-default port (that is, other than port 49) and downgrade from F5OS-A 1.4.0 to F5OS-A 1.3.2.

Impact:
Tenant becomes stuck in pending state.

Workaround:
Two workarounds:

1. Configure standard port (49) for the TACACS server instead of a non-standard port. Using the standard port should not trigger these issues. Releases older than F5OS-A 1.4.0 do not correctly support any port other than 49 for the TACACS server.

2. Fix SELinux policy on the appliance:

a. Copy the SELinux module from /usr:

cp /usr/etc/selinux/targeted/active/modules/400/f5_appliance /etc/selinux/targeted/active/modules/400/f5_appliance

b. Reboot the device:

reboot

Fix:
Enforce closure of the non-standard port every time the configuration is updated or the system is shut down. This avoids leaving open ports for which SELinux may not have exceptions.

Note that this does not address the non-standard port in older releases when downgrading. Non-standard ports for TACACS are still not properly supported in the older release.


1273021-1 : ISOs imported with regex special characters in their names are getting deleted

Component: F5OS-A

Symptoms:
When upgrading to an ISO that was imported with a name containing regex special characters, the upgrade fails.

Conditions:
An ISO imported with regex special characters in its name is present in /var/import/staging.

Impact:
Docker container services will not come up.

Workaround:
If the ISO has been deleted, or any ISO with special characters in its name is present in /var/import/staging, delete the ISO (if present) and re-import it without special characters.

If containers are down, reboot the device for containers to come up.

Fix:
Import of ISO with special characters is blocked.
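A pre-import check for the special-character problem described in 1273445 and 1273021, added here as an example and not taken from F5's code: it applies the character list from 1273445 to ISO file names and, for a staging directory, prints the chattr/rm cleanup commands from the 1273445 workaround (step 4) as a dry run. The demo uses a temporary directory in place of /var/import/staging and constructed file names (the build number is the one in this release note).

```shell
#!/bin/sh
# Added example (not F5's code): reject F5OS-A ISO names that contain any of the
# regex special characters listed in bug 1273445: + * ? ^ $ ( ) [ ] { } | \
# Such names must be fixed before the file lands in /var/import/staging.

# Returns 0 when the name is safe to import, 1 when it contains a listed character.
# The bracket expression lists "]" first and "[" second so both are literal.
iso_name_is_safe() {
    name=$(basename -- "$1")
    if printf '%s\n' "$name" | grep -q '[][+*?^${}()|\\]'; then
        return 1
    fi
    return 0
}

# Lists every *.iso in DIR whose name is unsafe and prints, as a dry run, the
# cleanup commands the workaround uses once "system image remove iso" cannot.
# Returns 1 if at least one unsafe name was found, 0 otherwise.
report_unsafe_isos() {
    dir=$1
    found=0
    for f in "$dir"/*.iso; do
        [ -e "$f" ] || continue              # no ISOs at all: glob did not expand
        if ! iso_name_is_safe "$f"; then
            found=1
            printf 'UNSAFE: %s\n' "$f"
            printf '  chattr -i "%s"\n  rm -f "%s"\n' "$f" "$f"
        fi
    done
    return $found
}

# Constructed demo: a temporary directory stands in for /var/import/staging.
demo_dir=$(mktemp -d)
: > "$demo_dir/F5OS-A-1.5.0-5781.iso"          # safe name
: > "$demo_dir/F5OS-A-1.5.0-5781(copy).iso"    # parentheses: unsafe
report_unsafe_isos "$demo_dir" || echo "rename the ISO(s) above before importing"
rm -rf "$demo_dir"
```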


1273017-1 : LACPD restarts when changing aggregation lag-type through configuration utility webUI

Links to More Info: BT1273017

Component: F5OS-A

Symptoms:
The Link Aggregation Control Protocol Daemon (LACPD) will restart. An LACP aggregation's interface can be permanently down, restricting traffic from passing on that interface.

Conditions:
- An aggregation interface's lag-type is set to static through the configuration utility.

Impact:
One or more physical interfaces associated with an LACP aggregation can be erroneously marked down indefinitely, causing either degraded performance, or complete traffic failure.

Performance degradation may not occur, but the LACPD process will always restart.

Workaround:
- Toggle any affected interface to disable and then back to enable.
- Toggle any affected aggregation interface to static and then back to LACP.
- Reboot the system.

Fix:
LACPD no longer restarts when an aggregation is configured to static through the configuration utility. A few warnings may be logged when this operation occurs; they can be ignored if seen while changing an aggregation's lag-type through the configuration utility.


1269989-2 : tcam-manager may get stuck using 100% CPU

Links to More Info: BT1269989

Component: F5OS-A

Symptoms:
After running a QKView or tcam-dump by itself, tcam-manager does not clean up the diagnostic socket, which results in a tight loop and pegging the CPU at 100% utilization. This in turn starves other platform processes (such as dma-agent), which causes performance degradation.

Conditions:
A QKView or tcam-dump, which is included in QKView, is run.

Impact:
Performance degradation.

Workaround:
The issue can be avoided by not running QKView.

Fix:
After tcam-dump completes, the corresponding socket is properly removed.


1267253-2 : LDAP shadowExpire attribute not honored

Links to More Info: BT1267253

Component: F5OS-A

Symptoms:
When using LDAP authentication, the shadowExpire and related attributes do not enforce expiration on the F5 device.

Conditions:
LDAP authentication is configured. LDAP shadowExpire, shadowMax, and related attributes are set such that the user should be expired.

Impact:
A user with expired attributes can log into the F5 device.

Workaround:
Either remove the user from groups with roles that allow access to the F5 device (for example, F5OS admin role gidNumber) or delete the user.


1253713-3 : CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png

Links to More Info: K000133070, BT1253713


1252377-2 : VXLAN-GPE and GENEVE are disabled by default when software is upgraded from F5OS-A 1.3.0 build to F5OS-A 1.4.0

Links to More Info: BT1252377

Component: F5OS-A

Symptoms:
When r10000 or r5000 Series hardware is running with F5OS-A 1.3.0, the default settings for VXLAN-GPE and GENEVE are enabled, and hardware disaggregation support for these tunnel protocols is enabled without any explicit configuration.

If the software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0, these protocols are disabled, and hardware disaggregation is disabled. The two protocols must be enabled explicitly in the configuration to enable them in the hardware.

Conditions:
VXLAN-GPE and GENEVE tunnels are used in a deployment running F5OS-A 1.3.0 without any explicit configuration enabling these two tunnels, and the software is upgraded to F5OS-A 1.4.0 or later.

Impact:
Hardware disaggregation support for VXLAN-GPE and GENEVE will be disabled if software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0 or later when these two tunnels are using default configuration to enable them.

Workaround:
Use explicit tunnel settings to enable VXLAN-GPE and GENEVE in F5OS-A 1.3.0, or enable these two protocols explicitly after software upgrade from F5OS-A 1.3.0.

Fix:
VXLAN-GPE and GENEVE are disabled in the default global configuration; use explicit tunnel configuration settings to enable hardware disaggregation support.


1251981 : Speed on webUI Interfaces screen is empty for 1GB

Links to More Info: BT1251981

Component: F5OS-A

Symptoms:
When the interface speed is 1GB, the Speed column on the Interfaces screen is blank. The Edit Interfaces screen has the same issue.

Conditions:
Interface speed is set to 1GB.

Impact:
The Speed column is blank, so the user does not see the actual speed.

Workaround:
Use the F5OS CLI to view the interface speed when it is set to 1GB.

Fix:
Speed column is now populated correctly on the Interfaces screen.


1250901-2 : On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state

Links to More Info: BT1250901

Component: F5OS-A

Symptoms:
After a reboot of the system during live upgrade, tenants that were running earlier might not return to a running state. This is because the HSM board driver is stuck in SAFE_STATE instead of OPERATIONAL_STATE.

In some cases, the driver changes to the operational state after some time (approximately 10 minutes), but this time can vary depending on detection of a reset/link failure in the hardware. On some other systems, the driver remains stuck in SAFE_STATE indefinitely.

Conditions:
Live upgrade/reboot of the rSeries FIPS system with F5OS-A.

You may observe the following logs in dmesg:
[ 964.105021] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION

Impact:
Running tenants go to the pending state when this issue occurs during a live upgrade.

Workaround:
Check the contents of the cavium_n3fips driver_state file as shown below.
[appliance]# cat /proc/cavium_n3fips/driver_state
HSM 0:OPERATIONAL_STATE

If the driver has changed to the operational state, run
"docker restart fips-support-pod" to help recovery.

If the driver state is still "HSM 0:SAFE_STATE", you may need to perform a power-cycle reboot (which does not guarantee recovery).

Fix:
N/A


1249773-2 : QKView may fail to collect all files for platform-monitor container

Links to More Info: BT1249773

Component: F5OS-A

Symptoms:
Very occasionally, QKView will have a conflict collecting round-robin database (RRD) files in the platform-monitor container. The qkview-collect routine may terminate unexpectedly as a result.

Conditions:
A QKView capture request coincides with a round-robin database update.

Impact:
RRD files may not be collected.

Workaround:
Rerun QKView.

Fix:
This will be fixed in a future release.


1239325 : Issue when Management IP address is configured to have public internet access on F5OS

Links to More Info: BT1239325

Component: F5OS-A

Symptoms:
The F5OS webUI allows web crawlers to access all content when the Management IP address is configured to have public internet access.

Conditions:
If the Management IP address is configured to have public internet access.

Impact:
This impedes the ability to satisfy internal security compliance mandates.

Workaround:
To mitigate the issue, you can modify the contents of the robots.txt file inside the webUI container, as shown below:

$ ssh root@10.238.160.60
root@10.238.160.60's password:
[root@appliance-1 ~]# docker exec -it vanquish-gui bash
[root@d6303361e100 /]# cd /app/build
[root@d6303361e100 build]# echo "User-agent: *" > robots.txt
[root@d6303361e100 build]# echo "Disallow: /" >> robots.txt
[root@d6303361e100 build]# cat robots.txt
User-agent: *
Disallow: /
[root@d6303361e100 build]# exit
exit
[root@appliance-1 ~]# exit
logout
Connection to 10.238.160.60 closed.

Fix:
robots.txt now disallows web crawler access to any content.


1236857-1 : F5OS OID SNMPv2-MIB::sysDescr provides meaningless information for system controller

Links to More Info: BT1236857

Component: F5OS-A

Symptoms:
After configuring SNMP on an older version and live-upgrading to another version, snmpwalk still shows the older service version.

Conditions:
1. Configure SNMP.
2. Upgrade the system with live upgrade.
3. Check the system version using SNMPv2-MIB::sysDescr (it still points to the older version).

Example:
SNMPv2-MIB::sysDescr.0 = STRING: Linux 3.10.0-1160.62.1.F5.1.el7_8.x86_64 : Appliance services version <older_version>

Impact:
sysDescr displays the older version.

Workaround:
N/A

Fix:
This issue is fixed in the latest release.


1234049 : The Add/Edit tenant deployment screen on the r4600 webUI does not have the option for 12 vCPUs in the vCPUs dropdown

Links to More Info: BT1234049

Component: F5OS-A

Symptoms:
The vCPUs dropdown does not have 12 as an option in the Add/Edit tenant deployment screen on the r4600 webUI.

Conditions:
While adding or editing a tenant on the r4600 system via webUI.

Impact:
The user cannot add or edit a tenant with 12 vCPU cores on the webUI.

Workaround:
Users can add/edit a tenant with 12 vCPU cores from the CLI.

Fix:
The webUI will have an additional option for '12' in the vCPUs dropdown thus allowing the user to deploy a tenant with 12 vCPU cores.


1232369 : Intel Microcode update

Component: F5OS-A

Symptoms:
An Intel Microcode update was found to fix an internal regulator power issue. There is no workaround; a BIOS update is required.

Conditions:
Intel Microcode earlier than 0d000389 in the BIOS.

Impact:
Unknown

Workaround:
Upgrade to a BIOS that includes the new microcode 0d000389 from Intel.

Fix:
BIOS version 2.01.134.1 has been updated by the vendor with the updated microcode from Intel.


1232309 : CVE-2020-10754: nmcli did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings

Component: F5OS-A

Symptoms:
It was found that nmcli, a command line interface to NetworkManager, did not honour the 802-1x.ca-path and 802-1x.phase2-ca-path settings when creating a new profile. When a user connects to a network using this profile, authentication does not happen and the connection is made insecurely.

Conditions:
N/A

Impact:
N/A

Fix:
NetworkManager and dependent packages are upgraded to NetworkManager-team-1.18.8.


1231357 : Unexpected reboot might occur on r5000/r10000 Series

Links to More Info: BT1231357

Component: F5OS-A

Symptoms:
An unexpected operating system reboot might occur on r5000/r10000 Series.

After the system reboots, a new directory named with a timestamp corresponding to the reboot is created in /var/crash/. In that directory, the file vmcore-dmesg.txt contains the following error message:

CPU 0: Machine Check Exception: 5 Bank 4: ba00000056000402

Conditions:
Unexpected system reboot.

Impact:
When the reboot occurs, the entire system will reboot and all tenants will stop processing traffic until the reboot is complete. The system will operate normally after the reboot.

Workaround:
None

Fix:
This issue has been corrected.


1230609 : Neighbor interface description is not updated in LLDP neighbor details

Links to More Info: BT1230609

Component: F5OS-A

Symptoms:
Port Description TLV is not displayed under LLDP interface neighbors.

Conditions:
1) Enable LLDP on the device and on the switch.
2) Enable the port description TLV.
3) Set the port description on the interface on the switch side.

Impact:
No impact.

Workaround:
N/A

Fix:
Fixed code to display the port description.


1229465-3 : QKView is not collecting core files in /var/crash

Component: F5OS-A

Symptoms:
QKView was designed to collect core files in /var/core only. The operating system kernel can create core files in /var/crash, and SEs need to know about these files.

Conditions:
The OS kernel creates a core file.

Impact:
The core file is not collected by QKView.

Workaround:
The core file can be manually copied from /var/crash.

Fix:
QKView takes a directory listing from /var/crash and collects core files in that directory.


1226505-2 : Average transactions per second impacted in certain cases

Component: F5OS-A

Symptoms:
There is a reduction in HTTP/HTTPS average transactions per second for some file sizes when ASM is configured on a BIG-IP tenant on the R2000 series.

Conditions:
BIG-IP config: a virtual server with an asm_rw policy attached to it; a virtual server with the http, tcp, and websecurity profiles attached to it (visual snippet is at the end of high level details).

CPU: 95-97%

simulated users: 1536

The traffic involved in testing ASM is close to real world traffic conditions.

Impact:
Reduction in average transactions per second when traffic is run for a specified duration with 1536 simulated users.

The impact is seen for HTTP traffic with 32kb and 5kb file sizes.

Workaround:
N/A

Fix:
N/A


1226429 : "DEBUG cannot reply twice on the same call" log reporting repeatedly

Links to More Info: BT1226429

Component: F5OS-A

Symptoms:
When an snmpget operation is performed on IF-MIB, the message "DEBUG cannot reply twice on the same call" appears in /var/log/message. DEBUG logging is enabled in one of the service containers, so this DEBUG message is written to /var/log/message.

Conditions:
One way to reproduce the issue is to perform an snmpget operation on IF-MIB.

Impact:
No known impact on functionality. These are DEBUG messages only.

Workaround:
No workaround. The debug messages stop when the snmpget operation completes.

Fix:
Removed the unwanted debug enablement from the service container.


1225981-1 : Files greater than 1000 MiB are truncated in QKView

Links to More Info: BT1225981

Component: F5OS-A

Symptoms:
QKView is unable to collect an untruncated copy of a platform.log file that has been rotated.

Conditions:
A rotated copy of the platform.log file is greater than 1000 MiB.

Impact:
Logs in QKView are incomplete, making it difficult to troubleshoot issues.

Workaround:
Collect the log files manually.


1215917 : webUI failed to load when downgrading from 1.5.0 to 1.3.1 with self-signed certificate with encrypted RSA key type

Component: F5OS-A

Symptoms:
webUI fails to load.

Conditions:
The self-signed certificate is enabled with an encrypted RSA/ECDSA key, and the system is downgraded to a version lower than 1.5.0.

Impact:
webUI fails to load.

Workaround:
Remove the self-signed encrypted certificate before downgrading to a lower version.

Fix:
Added code changes to block the downgrade to lower versions if an encrypted RSA/ECDSA certificate is present.


1211861 : Configured input values of IP address fields reset to default upon switching the protocol

Links to More Info: BT1211861

Component: F5OS-A

Symptoms:
IP address fields are reset to default values.

Conditions:
The user changes the protocol in the "Address" field on the webUI and then switches back to the previously selected protocol.

Impact:
Values of IP address fields are lost as they are reset to default values.

Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.

Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.

'X' buttons adjacent to the address fields reset a field to its default value if the user does not want to configure the fields for a particular protocol.


1211777 : Configured input values of IP address fields reset to default upon switching the protocol

Links to More Info: BT1211777

Component: F5OS-A

Symptoms:
IP address fields are reset to default values.

Conditions:
The user changes the protocol in the "Address" field on the webUI and then switches back to the previously selected protocol.

Impact:
Values of IP address fields are lost as they are reset to default values.

Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.

Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.

'X' buttons adjacent to the address fields reset a field to its default value if the user does not want to configure the fields for a particular protocol.


1211025 : Firmware update interrupted during OS install

Links to More Info: BT1211025

Component: F5OS-A

Symptoms:
Firmware update can be interrupted by docker container issues.

Conditions:
A container issue restarts all containers.

Impact:
If firmware is being updated at that moment, the firmware update fails, which can disrupt normal system operation.

Workaround:
Ask the support team to update the LOP firmware.

Fix:
The Docker container failure handler now checks whether a firmware update is in progress and waits until the update is done before handling the failure.


1207485-1 : LACP daemon restarts when changing lag-type of the aggregation

Links to More Info: BT1207485

Component: F5OS-A

Symptoms:
LACP daemon restarts. The system will be unable to process LACPDUs until LACP daemon starts up again.

Conditions:
The issue occurs from changing the lag-type of an aggregation interface that does not have an associated LACP interface.

Impact:
All LACP link aggregations may go down and be unable to process traffic for a short time. The down time, if it occurs, should be less than a few seconds.

Workaround:
Only change an aggregation's lag-type while an associated LACP interface exists.

Fix:
LACP daemon will not restart when changing an aggregation's lag-type while an associated LACP interface does not exist.


1204481 : System may flap external links multiple times during startup or links may fail to come up at all

Links to More Info: K000132166, BT1204481

Component: F5OS-A

Symptoms:
When the system boots up, the interfaces may flap (go up and down) several times in quick succession before coming up and stabilizing.

In some cases, the interfaces fail to come up at all.

If a peer switch is configured to detect excessive link flaps, it may put the port in an err-disable state and prevent the link from coming up.

Conditions:
-- r5000 or r10000 Series appliance

Impact:
If the peer switch triggers a link-flap detection feature, the ports may remain offline until an administrator manually recovers the port on that switch.

Workaround:
There is no workaround for this issue on the rSeries appliance.

An administrator can mitigate this issue by doing one of the following:

- configuring the peer switch to automatically try to recover ports that are disabled for excessive link flapping
- increasing the number of link flaps required in a certain interval before the port is put in a disabled state

Fix:
Sending of remote-fault signaling to the peer device is now disabled while the system is booting up.


1190369 : Terminal window not reflecting configured hostname

Component: F5OS-A

Symptoms:
The title of the terminal window does not have the configured hostname.
Currently, all open windows with a root login, whether from PuTTY or another application, display appliance-1.

Conditions:
Connecting to the device using ssh clients like PuTTY.

Impact:
This causes difficulty for a user trying to juggle multiple open SSH sessions during a maintenance window.


1188053 : SSH idle-timeout support

Component: F5OS-A

Symptoms:
No idle-timeout was implemented for SSH sessions. An SSH session was not terminated even if it was idle for a long time.

Conditions:
An SSH session is left idle.

Impact:
The SSH session is not terminated even if it is idle for a long time.

Workaround:
User must close the SSH session.

Fix:
Implemented SSH idle-timeout which is configurable from CLI/RESTCONF. The SSH session will now get terminated if it is idle for the configured idle-timeout. The default value is 0, which means no idle-timeout.


1185701-2 : 'system aaa' command in ConfD fails with "Error: application communication failure"

Links to More Info: BT1185701

Component: F5OS-A

Symptoms:
The system fails to change the password and is left in a degraded state where user management no longer works.
System fails to provide proper user feedback to the user about failed password changes.

Conditions:
This policy option is causing the problem:
system aaa password-policy config retries 5

Impact:
F5OS user password cannot be changed.

Workaround:
Do not change the configuration from default.
system aaa password-policy config retries 5

Fix:
N/A


1185497-3 : Tenant health in the partition shows additional entries that are not part of the tenant configuration

Links to More Info: BT1185497

Component: F5OS-A

Symptoms:
When the admin upgrades the system software from 1.3.x to 1.5.0, the platform updates the tenant's table with additional entries that are not running as part of the tenant's original configuration.

Conditions:
Power cycle or system software upgrades from 1.3.x to 1.5.0.

Impact:
There will not be any impact on the critical functionality of the tenant, and traffic continues to work. However, it does show some unwanted information in the health which could be confusing.

Workaround:
Toggling the affected tenant's running state from "Deployed" to "Provisioned" and back to "Deployed" will fix the state of the tenant in the table.

Fix:
During a power cycle or system upgrade, the platform re-populates the tenant operational status from OpenShift and publishes it to the partition. If the REST response listing the tenants from OpenShift is incomplete, the platform populates entries under the wrong key/value, so the partition's tenant table ends up with unwanted entries.
This is a cosmetic issue and does not impact any tenants.


1184821 : Obscure crash in external authenticator

Links to More Info: BT1184821

Component: F5OS-A

Symptoms:
An unexpected sequence of characters in the username or password of an external login could cause a crash in the external authenticator.

Conditions:
Certain malformed usernames or passwords being used for external authentication.

Impact:
The crash in these circumstances would prevent successful login. After analysis, it was deemed there was no security risk or exposure.

Workaround:
Use usernames and passwords for authentication via SSH or webUI that conform to the device username/password requirements.

Fix:
The bug was fixed and a crash no longer occurs.


1181721 : Add additional commands and files to QKView collection

Component: F5OS-A

Symptoms:
There is no change in functionality. The fix adds new commands and files to QKView collection.

Conditions:
Additional commands and files are added to the QKView collection and they will be collected whenever QKView is requested.

Impact:
Additional commands and files are added to the QKView collection.

Workaround:
Not applicable. Before this change, only the newly added commands and files were missing from the QKView collection; previously collected commands and files are collected as before.

Fix:
Additional commands and files are added to the QKView collection.


1167761-2 : Directory Indexing enabled for management webUI

Component: F5OS-A

Symptoms:
Directory Indexing is enabled for management webUI.

Conditions:
Requesting the management IP address followed by the name of any directory contained in the webUI displays the build directories and file contents in the browser.

Impact:
The webUI build directories and file contents are visible on the browser.

Workaround:
http-server config can be updated to disable directory indexing.
Steps:
1. Log in to the system as root.
2. Enter the http-server Docker container and update the config file:
[root@appliance-1 ~]# docker exec -it http-server bash
bash-4.2# cd /etc/httpd/conf.d
bash-4.2# vi velocity.conf
Replace "Options Indexes FollowSymLinks"
with "Options FollowSymLinks"

Fix:
Disabled directory indexing.
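
The following script is an added example, not part of these release notes or of F5 code. It checks an Apache-style config fragment for the "Options Indexes" setting that the workaround above removes, strips it, and tells an autoindex response page apart from a normal one so the change can be verified from outside. It assumes the config uses an "Options ..." directive as in the velocity.conf line quoted above; the config lines and file names in the demo are constructed.

```shell
#!/bin/sh
# Added example (not F5 code): detect and strip directory indexing in an
# Apache-style config, and recognise an autoindex page in a saved response.
# Assumption: the config uses an "Options ..." directive as quoted above.

# Print the file $1 with the "Indexes" option removed from every Options line.
# "-Indexes" (an explicit disable) is left untouched; other options stay.
disable_indexes() {
    sed -E '/^[[:space:]]*Options([[:space:]]|$)/ s/[[:space:]]+[+]?Indexes([[:space:]]|$)/\1/' "$1"
}

# Exit 0 if some Options line in $1 still enables Indexes.
indexes_enabled() {
    grep -Eq '^[[:space:]]*Options([[:space:]].*)?[[:space:]][+]?Indexes([[:space:]]|$)' "$1"
}

# Exit 0 if the saved HTTP response body in $1 looks like an Apache autoindex
# listing (an "Index of ..." title or a "Parent Directory" link).
looks_like_listing() {
    grep -Eiq '<title>Index of |Parent Directory' "$1"
}

# Demo on a constructed config fragment (not a real F5OS file).
demo() {
    cfg=$(mktemp)
    printf 'Options Indexes FollowSymLinks\nAllowOverride None\n' > "$cfg"
    if indexes_enabled "$cfg"; then echo "before: directory indexing enabled"; fi
    disable_indexes "$cfg" > "$cfg.fixed"
    if indexes_enabled "$cfg.fixed"; then
        echo "after: still enabled"
    else
        echo "after: directory indexing disabled"
    fi
    cat "$cfg.fixed"
    rm -f "$cfg" "$cfg.fixed"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as "sh check_indexes.sh demo" for the constructed demo, or point disable_indexes at a copy of velocity.conf inside the container and compare the output with the original. The workaround above does not say whether httpd must be reloaded for the edit to take effect, so after the change save the response for https://<mgmt-ip>/<dir>/ (for example with curl -sk ... -o body.html) and run looks_like_listing on it. Whether an edit made inside the container survives a container restart or a software upgrade is also not stated here, so repeat the check after either.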


1165973-2 : Application error while using the CLI command "show components"

Links to More Info: BT1165973

Component: F5OS-A

Symptoms:
The user receives an error message using the CLI (show components -> Error: application error) when there is a faulty sensor in the hardware.

Conditions:
The system has a faulty sensor.

Impact:
Application error seen in the ConfD CLI while trying to execute "show components". The webUI is affected as well.

Workaround:
N/A

Fix:
A check was added to diag-agent so that it no longer throws the application error; it shows data for the healthy components.


1137121-3 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0

Links to More Info: BT1137121

Component: F5OS-A

Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".

Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.

Impact:
Tenants will not start and are unusable.

Workaround:
To work around this issue, perform one of these actions:

1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".

Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.


1136597-3 : LDAP user with admin and operator role gets only operator permissions

Links to More Info: BT1136597

Component: F5OS-A

Symptoms:
An LDAP user configured with groups for both admin and operator roles only receives operator permissions.

Conditions:
LDAP user configured with gidNumber assignments for both admin and operator roles.

Impact:
A user with this config would be assigned only operator permissions.

Workaround:
Only configure the gidNumber for the desired role in LDAP for the user. Do not configure multiple roles for the same user.

Fix:
There was an error in the NACM rules for ConfD config. The role logic has been fixed.



Known Issues in F5OS-A v1.5.x


F5OS-A Issues

ID Number Severity Links to More Info Description
1292541 1-Blocking   Loading saved configuration on BIG-IP fails if host modifications are made after "tmsh save sys config" on R2800/R4800 platforms
1291353-1 1-Blocking   LCD application does not update if appliance is power-cycled during firmware update
1289929-1 1-Blocking   Tenants fail to come up due to abrupt power cycle
1288965-1 1-Blocking   Downgrade/upgrade issues are seen because ISO has special characters in the file name
1284705-1 1-Blocking BT1284705 Appliance Orchestration Manager core file may consume entire root filesystem
1282493-1 1-Blocking   Crypto devices are not released after tenants are deleted
1273013-2 1-Blocking   Five percent (5%) deviation can be observed in TPS performance on R10920 and R5920 tenant
1217169-2 1-Blocking   Disk full: Latest ISO is not getting imported
1188921-1 1-Blocking   tcpdump not working after upgrade
1184441-2 1-Blocking   VXLAN-GPE and GENEVE tunnel support
1184429-1 1-Blocking BT1184429 Specifying "operation not supported" as an iHealth QKView description or SR number will disable iHealth uploading
1291461-2 2-Critical   LCD shutdown does not work on r2800 and r4800 platforms
1289633-1 2-Critical   FIPS devices show incorrect vCPUs
1273221-2 2-Critical BT1273221 On rSeries FIPS system, operations which involve reboot, might result in FIPS device failure state
1211853-3 2-Critical   Hardware offload features may affect packets destined for unrelated tenants
1144005-2 2-Critical BT1144005 TPS drop of ~14% from F5OS-A 1.1.0 and later on r10000 series platforms
1297665 3-Major BT1297665 Occasionally diagnostic agent reports as unhealthy for unpopulated PSU_Slot in health summary and ihealth reports
1291421-1 3-Major   Cannot set local user password if LDAP user with same name exists
1291305-1 3-Major   LACP Mode is passive for a static trunk in tenants running r2800/r4800 platforms
1286285-3 3-Major   ISO with special characters in name will not import
1285997-1 3-Major   LLDP is allowed to configure on interfaces when virtual wire is enabled
1280441-1 3-Major   When no parameter is given for 'system aaa tls create-self-signed-cert', encrypted key-type does not ask for passphrase
1231889-2 3-Major BT1231889 Deleting default VLANs and creating them in a partition other than common partition is not supported on BIG-IP tenants running on R2800/R4800 platforms
1211233 3-Major BT1211233 F5OS dashboard in webUI displays the system root file system usage, not the entire disk
1127393-3 3-Major   Error message is not displayed when user configures more than 3 DNS servers in ConfD CLI or webUI
1184513-1 4-Minor BT1184513 F5OS audit log reports duration values in microseconds, using "ms" abbreviation

 

Known Issue details for F5OS-A v1.5.x

1297665 : Occasionally diagnostic agent reports as unhealthy for unpopulated PSU_Slot in health summary and ihealth reports

Links to More Info: BT1297665

Component: F5OS-A

Symptoms:
Diagnostic agent reports as unhealthy for unpopulated PSU_Slot in ihealth reports and "show system health summary" output.

Conditions:
Occurs only when the system has an empty PSU slot and the diagnostic agent receives PSU Input State events out of order.

Impact:
It causes diagnostic agent to report as unhealthy for PSU on the unpopulated slot in health summary.

Workaround:
N/A


1292541 : Loading saved configuration on BIG-IP fails if host modifications are made after "tmsh save sys config" on R2800/R4800 platforms

Component: F5OS-A

Symptoms:
Loading a saved configuration on a BIG-IP tenant running on R2800/R4800 fails when the host has a different configuration from the one being loaded on the tenant.
It fails with an error message similar to the following:

01070257:3: Requested VLAN member (1.5) is currently a trunk member
Unexpected Error: Loading configuration process failed.

Conditions:
-- rSeries 4x00 or R2x00 platform
-- Configuration is backed up using tmsh
-- A change is made to one or more VLANs, interfaces, trunks, or type of VLANs on the host
-- The BIG-IP system loads the configuration

Impact:
Configuration load fails, which puts TMM into an inoperative state.

Workaround:
When tenant is in inoperative state because of this issue, the steps below help in recovering the system:

1. Revert the configuration on the platform related to VLANs attached to the tenant moved to INOPERATIVE state.
2. Check that the reverted configuration is loaded in the tenant.
3. Restart the mcpd service or reboot the tenant to bring the tenant back to the active state.
4. Once the tenant is back in the active state, save the config using "save sys config".
5. Subsequent reboots will no longer put the tenant into the INOPERATIVE state.


1291461-2 : LCD shutdown does not work on r2800 and r4800 platforms

Component: F5OS-A

Symptoms:
In F5OS-A versions 1.4.0 and later, the button on the LCD menu that is used to shut down the system, when pressed, does not shutdown the system.

Conditions:
With F5OS-A 1.4.0 or later installed, from the LCD touchscreen, click the System button. Select Shutdown from the menu. Click the Shutdown button at the 'Shutdown the system?' prompt.

Impact:
The LCD touchscreen is lacking functionality the customer is expecting it to have.

Workaround:
In an external terminal, connect to the unit's AOM. Select P for "Power on/off host subsystem", and then 0 for "Turn host subsystem off". Or, if the system is off, 1 for "Turn host subsystem on"


1291421-1 : Cannot set local user password if LDAP user with same name exists

Component: F5OS-A

Symptoms:
When LDAP authentication is enabled and a user exists both on the local device and in the LDAP directory, changing the local user password may fail.

Conditions:
LDAP authentication is enabled. User in question exists both on the local device and in the LDAP directory.

Impact:
Cannot change local user password.

Workaround:
It is generally considered best practice to prevent username collisions between the local device and remote authentication server. Either create a new username on the local device for the user in question, or change the name of the user in the remote directory, so there is no collision.
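
Two checks, added here as an example and not F5 code, for the conditions in 1136597-3 (an LDAP user whose gidNumber assignments map to more than one F5OS role) and in this issue (a username that exists both locally and in the directory). Both run on text files constructed for the example: a membership file with one "<username> <gidNumber>" line per group membership, a role map with "<gidNumber> <role>" lines, and one-username-per-line lists. Producing those files (for example from ldapsearch output and the local user list) is assumed and not described on this page; the gidNumbers and names in the demo are invented.

```shell
#!/bin/sh
# Added example (not F5 code): LDAP account hygiene checks for the conditions
# described in 1136597-3 and 1291421-1.
# Input formats are constructed for this example (assumed, not from the page):
#   members: "<username> <gidNumber>" per group membership
#   roles:   "<gidNumber> <role>" mapping group ids to F5OS roles
#   user lists: one username per line

# Print users whose gidNumbers map to more than one distinct role.
# $1 = members file, $2 = roles file. Output is sorted.
multi_role_users() {
    awk 'NR == FNR { role[$1] = $2; next }        # first file: gid -> role
         ($2 in role) {                           # second file: user gid
             key = $1 SUBSEP role[$2]
             if (!(key in seen)) { seen[key] = 1; nroles[$1]++ }
         }
         END { for (u in nroles) if (nroles[u] > 1) print u }' "$2" "$1" | sort
}

# Print usernames present in both the local list ($1) and the LDAP list ($2).
user_collisions() {
    awk 'NR == FNR { loc[$1] = 1; next }
         ($1 in loc) && !done[$1]++ { print $1 }' "$1" "$2" | sort
}

# Demo on constructed data; gidNumbers and names are invented.
demo() {
    d=$(mktemp -d)
    printf 'alice 9000\nbob 9001\ncarol 9000\ncarol 9001\n' > "$d/members"
    printf '9000 admin\n9001 operator\n' > "$d/roles"
    printf 'admin\nroot\ncarol\n' > "$d/local"
    printf 'alice\ncarol\nadmin\n' > "$d/ldap"
    echo "users with more than one role:"
    multi_role_users "$d/members" "$d/roles"
    echo "local/LDAP username collisions:"
    user_collisions "$d/local" "$d/ldap"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Any user printed by multi_role_users should be left in only the group for the intended role (the 1136597-3 workaround), and any name printed by user_collisions should be renamed on one side before enabling LDAP authentication, so the condition described in this issue cannot arise.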


1291353-1 : LCD application does not update if appliance is power-cycled during firmware update

Component: F5OS-A

Symptoms:
After an OS update, an automatic firmware update runs and attempts to update all necessary firmware images. If the appliance is power-cycled or rebooted while the LCD application is being updated, the LCD update can fail and the system will report the old firmware version.

Conditions:
The OS is updated and an LCD firmware update is required. During that update, the appliance is rebooted or power-cycled, causing the LCD application update not to complete.

Impact:
The LCD application has not been updated and needs to be updated to get the latest features and bug fixes.

Workaround:
Verify that the automatic firmware update process is complete: wait at least 5 minutes, then check that the file /var/F5/system/AFU_COMPLETE contains "AFU_STATUS: FWU_DONE". Then restart the system, which allows the automatic firmware update to run again and reprogram the LCD.


1291305-1 : LACP Mode is passive for a static trunk in tenants running r2800/r4800 platforms

Component: F5OS-A

Symptoms:
Setting LACP mode to active or passive causes a LAG to participate in LACP negotiation, whereas a static LAG does not participate in negotiation. Hence lacp-mode is not meaningful for static LAG interfaces.

Conditions:
When a static LAG is created on a platform, and a tenant is launched with a VLAN to which the static LAG interface is associated.

Impact:
An LACP daemon (lacpd) on R2800/R4800 platforms is responsible for running the LACP protocol; the tenant does not depend on the LACP mode configuration, so there is no functional impact. This is a display issue: showing LACP mode as passive for a static LAG interface may be confusing.

Workaround:
There is no workaround for this behavior.


1289929-1 : Tenants fail to come up due to abrupt power cycle

Component: F5OS-A

Symptoms:
The helper task terminates instantly due to glibc rpm corruption. The abrupt reboot has caused corruption in the container DB.

Conditions:
Abrupt power cycle during AFU Update.

Impact:
Tenants fail to come up.

Workaround:
Uninstall and reinstall the K3S cluster.


1289633-1 : FIPS devices show incorrect vCPUs

Component: F5OS-A

Symptoms:
1. The Dashboard System Summary shows 36 vCPUs rather than the actual number of vCPUs available for Tenant Deployment.
2. The Add/Edit Tenant deployments screen allows selecting up to 36 vCPUs instead of the maximum vCPUs that the platform supports.

Conditions:
FIPS device.

Impact:
No functional impact.

Workaround:
Users can view the correct value for total vCPUs for tenant deployment on the device from the CLI using the following command:

"show cluster nodes node node-1 state node-info"


1288965-1 : Downgrade/upgrade issues are seen because ISO has special characters in the file name

Component: F5OS-A

Symptoms:
If an F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , \') is imported, and the system is downgraded/upgraded to that version, it can result in the upgrade failing and the ISO being automatically removed.

Conditions:
1. Download and import an ISO with a 'special character' in its name, ex. 'F5OS-A-1.5.0-*.iso'.
2. Attempt an upgrade to the imported ISO version.
3. Upgrade will fail.

Impact:
An upgrade to a version of software marked as successfully imported can fail unexpectedly, requiring manual intervention to recover the system.

Workaround:
1. Before performing a platform software upgrade, compare the versions listed by the "show system image" ConfD CLI command with the names of the files present in the /var/import/staging directory.
   If an ISO is listed in the "show system image" output but is not present in /var/import/staging, import it again to /var/import/staging.

2. If any ISO file with a name containing a special character is present in /var/import/staging, remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt the upgrade.

3. To remove an ISO file with a name containing special characters, use the following command:
appliance-1(config)# system image remove iso <iso version>

4. If the command above fails or cannot be used, delete the image as follows:
  * Log in to the device as root.
  * chattr -i "/var/import/staging/<iso with special characters>"
  * rm -rf "/var/import/staging/<iso with special characters>"

If a downgrade or upgrade has already failed because of this issue, follow these steps to recover the system:
1. Download another copy of the ISO with a proper name to /var/import/staging.
2. Wait five minutes for it to import. If ConfD is unavailable, you can check the import status in the /var/log/sw-mgmt.debug log.
3. Once the import is complete, reboot the system. This should recover the system.


1286285-3 : ISO with special characters in name will not import

Component: F5OS-A

Symptoms:
An ISO named with special characters like "()" will not be imported and gets deleted from the import directory silently.

Conditions:
Only when the ISO name contains special characters.

Impact:
User will not have any status on the imported image with a name that contains special characters.

Workaround:
No workaround.
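
A check for the two ISO-naming issues above (1288965-1 and 1286285-3), added here as an example and not part of the release notes or of F5 code. It lists ISO files in a directory whose names contain any of the characters 1288965-1 lists, and proposes a name without them for the re-download step of that workaround. The directory path /var/import/staging comes from the workaround; the demo file names are constructed.

```shell
#!/bin/sh
# Added example (not F5 code): find imported ISO files whose names contain the
# characters that 1288965-1 and 1286285-3 say break import and upgrade
# ( + * ? ^ $ ( ) [ ] { } | \ ), and propose a safe name for re-download.
# The staging directory path is taken from the workaround above; the demo
# file names are constructed.

# Exit 0 if the basename of $1 contains any of the listed characters.
# The bracket expression lists them literally (']' first, '\' is literal
# inside brackets), so it is safe for grep -q.
has_special_chars() {
    printf '%s\n' "${1##*/}" | grep -q '[][+*?^${}|\\()]'
}

# Print the basename with each listed character replaced by "_" (replaced,
# not stripped, so build numbers are not silently merged).
safe_iso_name() {
    printf '%s\n' "${1##*/}" | sed 's/[][+*?^${}|\\()]/_/g'
}

# List *.iso files in directory $1 whose names would trip the bug.
list_special_iso() {
    for f in "$1"/*.iso; do
        [ -e "$f" ] || continue
        if has_special_chars "$f"; then printf '%s\n' "$f"; fi
    done
}

# Demo against a constructed directory (not /var/import/staging).
demo() {
    d=$(mktemp -d)
    : > "$d/F5OS-A-1.5.0-5781.iso"
    : > "$d/F5OS-A-1.5.0-5781(1).iso"
    list_special_iso "$d" | while read -r f; do
        echo "bad: $f -> re-download as $(safe_iso_name "$f")"
    done
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run "sh check_iso_names.sh demo" for the constructed demo, or run list_special_iso /var/import/staging on the appliance before an upgrade; any file it prints should be removed with "system image remove iso" and re-imported under the name safe_iso_name suggests (or any other name free of those characters).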


1285997-1 : LLDP is allowed to configure on interfaces when virtual wire is enabled

Component: F5OS-A

Symptoms:
LLDP is allowed to configure on interfaces although virtual wire is enabled.

Conditions:
1) Enable virtual wire on interface.
2) Attach interfaces to a lag.
3) Enable LLDP on the interfaces.

Impact:
When virtual wire is enabled, BIG-IP will function in transparent mode and is not expected to see interfaces on either side.
With this issue, F5 interfaces will be visible when LLDP is enabled.

Workaround:
Do not configure LLDP on the interfaces when virtual wire is enabled.


1284705-1 : Appliance Orchestration Manager core file may consume entire root filesystem

Links to More Info: BT1284705

Component: F5OS-A

Symptoms:
If the Appliance Orchestration Manager daemon crashes, it may write an extremely large (~80-90 GiB) core file that consumes all of the free space on the root filesystem and causes the system to become inoperative.

Conditions:
Unknown.

Impact:
System is inoperative, and only accessible by logging in to the system command line as root:

- Tenants are inoperative/inaccessible
- System webUI is inaccessible
- Attempts to log in to CLI as any user other than "root" fails

Workaround:
There is no way to avoid this issue.

Once a system is affected, the system can be recovered by removing the large core file from /var/shared/core/container/ and then rebooting the system.


1. Log in to the system CLI as root and check the amount of free space on the root file system:

   df -h /

2. If that reports no free space, check whether there are large core files present in /var/shared/core by running:

   du -h /var/shared/core
   ls -lSh /var/shared/core/container/

3. To free up the space, remove the large "core.appliance_orch.appliance_orchestration_manager" core files from /var/shared/core/container/


1282493-1 : Crypto devices are not released after tenants are deleted

Component: F5OS-A

Symptoms:
Deleting the tenants does not release the crypto devices that were allocated to those tenants while creating them.

Conditions:
When a software upgrade was initiated incorrectly such as:
1. Upgrading only OS version
2. Upgrading only Service version

Impact:
Crypto device behavior is unexpected.

Workaround:
Always upgrade the software with ISO that contains the correct OS and services combination.


1280441-1 : When no parameter is given for 'system aaa tls create-self-signed-cert', encrypted key-type does not ask for passphrase

Component: F5OS-A

Symptoms:
When requesting a self-signed-cert, if the key-type is encrypted, then a passphrase is required. However, if no parameters are supplied, the key-type is then requested as a mandatory parameter, but won't ask for passphrase if encrypted type is selected.

Conditions:
No parameters passed to the config: system aaa tls create-self-signed-cert.

Impact:
An error indicates that the passphrase wasn't supplied, but it never was asked for in these conditions.

Workaround:
Specify key-type as a parameter and then if encrypted, the passphrase will be requested.


1273221-2 : On rSeries FIPS system, operations which involve reboot, might result in FIPS device failure state

Links to More Info: BT1273221

Component: F5OS-A

Symptoms:
After reboot of the F5OS-A rSeries system in any operations (for example, live upgrade, reboot), FIPS HSM card might not become operational, and tenants that were running earlier might not come into a running state. This is due to the handshake failure between the liquid security driver and the HSM card. The driver gets stuck in SAFE_STATE instead of coming into SECURE_OPERATIONAL_STATE.

The driver state can be checked with the below command on the host system.
[root@appliance-1 ~]# cat /proc/cavium_n3fips/driver_state
HSM 0:SECURE_OPERATIONAL_STATE
[root@appliance-1 ~]#

Conditions:
The issue might occur in a live software upgrade or any situation that involves a reboot of the rSeries FIPS system with F5OS-A.

The following logs are observed in dmesg repeatedly, once per retry of the handshake between the driver and the HSM card.

[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION

Impact:
The FIPS HSM is not operational in the system, so FIPS tenants deployed on the F5OS rSeries host do not work as expected: they do not change to a RUNNING state.

Workaround:
Because the driver is stuck in "HSM 0:SAFE_STATE", a power cycle resolves the issue.

Below are the steps to follow:

1. Power off
2. Wait for 5 minutes
3. Power on


1273013-2 : Five percent (5%) deviation can be observed in TPS performance on R10920 and R5920 tenant

Component: F5OS-A

Symptoms:
On R10920 and R5920 tenants, the TPS performance degradation may be observed up to 5%.

Conditions:
When the R10920 and R5920 tenant is deployed.

Impact:
TPS performance may be degraded by 5%.

Workaround:
N/A


1231889-2 : Deleting default VLANs and creating them in a partition other than common partition is not supported on BIG-IP tenants running on R2800/R4800 platforms

Links to More Info: BT1231889

Component: F5OS-A

Symptoms:
VLANs created upon BIG-IP tenant bring-up are considered to be default VLANs and they are not supposed to be deleted and created in a different partition other than the common partition. When a VLAN that is in the common partition is deleted and created in a different partition, the subsequent default VLANs will not have a default VLAN-member associated to it.

Conditions:
When VLANs created upon tenant bring-up are deleted and created in different partitions other than the common partition.

Impact:
Partitions other than the common partition cannot have default VLANs. VLANs created in other partitions will not be operational in the data path.

Workaround:
Create the VLAN member for the default VLANs pushed from the platform after moving a VLAN from the common partition to another partition.


1217169-2 : Disk full: Latest ISO is not getting imported

Component: F5OS-A

Symptoms:
Images cannot be imported because the /var/export/chassis logical volume (LVM) goes into read-only mode when its space usage exceeds 50%.

This LVM is created as VDO (virtual data optimizer) volume, twice the size of the physical partition size, so 50% of the LVM size is equal to 100% of the size of the underlying physical device (partition), on which this LVM is being created.

When the LVM usage reaches more than 50% of LVM size, the LVM metadata is corrupted, causing this issue.

Conditions:
The issue is seen when usage of the /var/export/chassis LVM reaches around 50%, for example by importing more than 12 F5OS-A images on a low-end rSeries device.

Impact:
Not able to import images once the LVM /var/export/chassis goes to read-only mode.

Workaround:
Remove older images from /var/export/chassis/import/iso/ using the command below before importing or copying new images.

appliance-1(config)# system image remove iso <old/unused iso version>

or

If it is not possible to delete the images using the above command, follow these steps:

chattr -i /var/import/staging/<old/unused iso>
rm -rf /var/import/staging/<old/unused iso>

If the issue has already occurred (/var/import/staging/ has become read-only), the only way to recover the system is to perform either a PXE boot or a USB install.


1211853-3 : Hardware offload features may affect packets destined for unrelated tenants

Component: F5OS-A

Symptoms:
When a tenant requests that hardware assist be enabled for an L4 connection, syn cookie protection, DDoS protection, or allowlist/denylist, it is possible that packets destined for other tenants on the same VLAN will be affected by the hardware assist entry.

Conditions:
Hardware assist must have been activated for a specific flow or DDoS profile, and packets must be present for unrelated tenants that are on the same VLAN and contain the same IP destination and/or IP source address as the hardware assist activation.

Impact:
Packets destined for unrelated tenants may receive unexpected handling as a result of hardware assist matching those packets. For example, packets for an unrelated tenant on the same VLAN might be unexpectedly dropped if they have the same IP destination address as the activated DDoS hardware assist.

Workaround:
Ensure that tenants all use unique VLANs or that tenants that share a VLAN use unique IP source/destination addresses for their traffic.


1211233 : F5OS dashboard in webUI displays the system root file system usage, not the entire disk

Links to More Info: BT1211233

Component: F5OS-A

Symptoms:
The Dashboard page displays disk usage information that can be misleading.

For example, on an r5900 the following information may be shown:

Storage Capacity: 109.4GB
System Storage Free: 89.1GB
System Storage Used: 15%

However, the storage capacity is a value taken from the root (/) filesystem. It does not represent the entire 800GB disk, and does not show information about the file systems where tenant images reside.

Conditions:
View Dashboard page in webUI.

Impact:
This is a cosmetic issue.

Workaround:
Linux commands such as "df -hl -t ext4" will provide detailed information about disk usage.

Another breakdown of the disk partition use can also be seen using "lsblk /dev/nvme0n1". Note that nvme0n1 is the physical disk of interest.

Example from rSeries appliance:

# lsblk /dev/nvme0n1
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1 259:0 0 683.5G 0 disk
|-nvme0n1p1 259:1 0 1G 0 part /boot/efi
|-nvme0n1p2 259:2 0 1G 0 part /boot
|-nvme0n1p3 259:3 0 455.3G 0 part
| `-partition_tenant-root 253:2 0 455.3G 0 lvm /var/F5/system/cbip-disks
|-nvme0n1p4 259:4 0 113.9G 0 part
| `-vdo_vol 253:3 0 227.7G 0 vdo
| `-partition_image-export_chassis 253:4 0 227.7G 0 lvm /var/export/chassis
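To make the gap between the dashboard figure and the physical disk concrete, here is an added example (not F5OS code) that parses `lsblk` output of the shape shown above into per-mountpoint sizes and compares the dashboard's reported capacity with the whole-disk size. The sample input is the listing from this entry; the parser strips the tree-drawing prefix and reads the fixed `NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT` columns.

```python
"""Parse lsblk output and compare it with the dashboard's root-filesystem figure.

Added example, not F5OS code. SAMPLE_LSBLK is the listing from this release
note; sizes are treated as the binary multiples lsblk prints (G = GiB).
"""
import re

SAMPLE_LSBLK = """\
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1 259:0 0 683.5G 0 disk
|-nvme0n1p1 259:1 0 1G 0 part /boot/efi
|-nvme0n1p2 259:2 0 1G 0 part /boot
|-nvme0n1p3 259:3 0 455.3G 0 part
| `-partition_tenant-root 253:2 0 455.3G 0 lvm /var/F5/system/cbip-disks
|-nvme0n1p4 259:4 0 113.9G 0 part
| `-vdo_vol 253:3 0 227.7G 0 vdo
| `-partition_image-export_chassis 253:4 0 227.7G 0 lvm /var/export/chassis
"""

_UNITS = {"K": 1 / 1024 / 1024, "M": 1 / 1024, "G": 1.0, "T": 1024.0}
_TREE_PREFIX = re.compile(r"^[\s|`-]+")


def size_to_gib(size):
    """Convert an lsblk SIZE string such as '455.3G' or '1G' to GiB (float)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT])", size)
    if m is None:
        raise ValueError(f"unrecognised size: {size!r}")
    return float(m.group(1)) * _UNITS[m.group(2)]


def parse_lsblk(text):
    """Return a list of dicts (name, size_gib, type, mountpoint) for each row."""
    rows = []
    for line in text.splitlines()[1:]:  # skip header
        cols = _TREE_PREFIX.sub("", line).split()
        if len(cols) < 6:
            continue
        rows.append({
            "name": cols[0],
            "size_gib": size_to_gib(cols[3]),
            "type": cols[5],
            "mountpoint": cols[6] if len(cols) > 6 else None,
        })
    return rows


def disk_summary(text):
    """Return (whole-disk size in GiB, {mountpoint: size_gib}) from lsblk output."""
    rows = parse_lsblk(text)
    disk = next(r["size_gib"] for r in rows if r["type"] == "disk")
    mounts = {r["mountpoint"]: r["size_gib"] for r in rows if r["mountpoint"]}
    return disk, mounts


def dashboard_fraction(dashboard_capacity_gib, disk_gib):
    """Fraction of the physical disk that the dashboard's 'Storage Capacity' covers."""
    return dashboard_capacity_gib / disk_gib


if __name__ == "__main__":
    disk, mounts = disk_summary(SAMPLE_LSBLK)
    print(f"physical disk: {disk} GiB")
    for mp, size in mounts.items():
        print(f"  {mp:32s} {size:7.1f} GiB")
    # 109.4 is the dashboard 'Storage Capacity' value quoted in this entry
    print(f"dashboard covers {dashboard_fraction(109.4, disk):.0%} of the disk")
```

Running it against the sample shows the dashboard's 109.4 GB root figure is roughly 16% of the 683.5 GiB disk, and that the tenant and image volumes the dashboard omits account for most of the rest.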


1188921-1 : tcpdump not working after upgrade

Component: F5OS-A

Symptoms:
tcpdump fails with CLI error:
errbuf ERROR:DMAA error, packets cannot be captured
tcpdump: pcap_loop: DMAA error, packets cannot be captured

Error logged:
appliance-1 tcpdumpd-manager[8]: priority="Crit" version=1.0 msgid=0x5406000000000029 msg="DMAA socket failed:" comp="connect" errno=2.

Conditions:
System upgrade has failed to properly update the configuration file, which is responsible for starting tcpdumpd_manager.

Impact:
tcpdumpd_manager will not be able to start and packets cannot be captured. tcpdumpd_manager will continue to log this failure to the system log.

Workaround:
None


1184513-1 : F5OS audit log reports duration values in microseconds, using "ms" abbreviation

Links to More Info: BT1184513

Component: F5OS-A

Symptoms:
The F5OS audit log reports the duration of some calls that occur through RESTCONF. These duration values use an "ms" unit, which in this case stands for microseconds, not milliseconds.

For example:

<INFO> 23-Aug-2022::18:28:00.602 appliance-1 confd[106]: audit user: netsupport/7502531 RESTCONF: response with http: HTTP/1.1 /restconf/data//openconfig-system:system/f5-system-image:image/remove 400 duration 122160290 ms

This operation took ~122 seconds, not ~1.4 days.

Conditions:
Using the F5OS audit log.

Impact:
Difficult to interpret audit log.

Workaround:
Interpret the duration values as being in microseconds, not milliseconds.
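Anyone feeding these audit lines into a SIEM or a latency dashboard needs to apply the correction in code, not by eye. The following added example (not F5OS code) parses a RESTCONF audit line of the shape quoted above, extracts the user, request path, HTTP status and duration, and converts the mislabelled "ms" value to seconds as microseconds; it also computes what a naive milliseconds reading would give, reproducing the "~122 seconds, not ~1.4 days" comparison. The sample line is the one from this entry.

```python
"""Parse F5OS RESTCONF audit lines and correct the 'ms' duration unit.

Added example, not F5OS code. Per issue 1184513-1 the 'ms' suffix on the
duration field denotes microseconds; this parser applies that interpretation.
"""
import re

# Sample line taken from this release-note entry.
SAMPLE_LINE = (
    "<INFO> 23-Aug-2022::18:28:00.602 appliance-1 confd[106]: audit user: "
    "netsupport/7502531 RESTCONF: response with http: HTTP/1.1 "
    "/restconf/data//openconfig-system:system/f5-system-image:image/remove "
    "400 duration 122160290 ms"
)

AUDIT_RE = re.compile(
    r"^<(?P<level>\w+)> (?P<timestamp>\S+) (?P<host>\S+) confd\[\d+\]: "
    r"audit user: (?P<user>\S+) RESTCONF: response with http: (?P<proto>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) duration (?P<duration>\d+) ms$"
)

MICROSECONDS_PER_SECOND = 1_000_000
SECONDS_PER_DAY = 86_400


def parse_audit_line(line):
    """Return a dict of the line's fields, or None if it is not a RESTCONF
    response audit line. duration_s is the corrected value in seconds."""
    m = AUDIT_RE.match(line.strip())
    if m is None:
        return None
    raw = int(m.group("duration"))
    return {
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "user": m.group("user"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "duration_raw": raw,
        # The log says 'ms' but the field is microseconds (issue 1184513-1).
        "duration_s": raw / MICROSECONDS_PER_SECOND,
    }


def naive_duration_days(line):
    """What the duration would be, in days, if 'ms' really meant milliseconds.
    Useful only to show how far off an uncorrected reading is."""
    rec = parse_audit_line(line)
    if rec is None:
        return None
    return rec["duration_raw"] / 1000 / SECONDS_PER_DAY


def slow_requests(lines, threshold_s):
    """Return parsed records whose corrected duration exceeds threshold_s."""
    out = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["duration_s"] > threshold_s:
            out.append(rec)
    return out


if __name__ == "__main__":
    rec = parse_audit_line(SAMPLE_LINE)
    print(f"{rec['user']} {rec['path']} -> {rec['status']} "
          f"in {rec['duration_s']:.2f} s (naive reading: "
          f"{naive_duration_days(SAMPLE_LINE):.1f} days)")
```

The `slow_requests` helper is the shape a detection rule would take once the unit is corrected; without the correction a 122-second image removal would look like a multi-day outlier and trip any reasonable threshold.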


1184441-2 : VXLAN-GPE and GENEVE tunnel support

Component: F5OS-A

Symptoms:
VXLAN-GPE and GENEVE tunnel support can cause host-generated UDP frames whose destination port matches the system-configured destination port for VXLAN-GPE or GENEVE to be treated as VXLAN-GPE or GENEVE traffic, even if the underlying frame is not VXLAN-GPE or GENEVE. Frames with this characteristic may have a bad UDP checksum forced onto them if the frame fails basic VXLAN-GPE or GENEVE protocol checks.

Conditions:
Administrator configures VXLAN-GPE and/or GENEVE tunnel support.

Impact:
Minimal.

Workaround:
Tunnels are disabled by default. This issue is only observed if tunnels are enabled.


1184429-1 : Specifying "operation not supported" as an iHealth QKView description or SR number will disable iHealth uploading

Links to More Info: BT1184429

Component: F5OS-A

Symptoms:
The phrase "operation not supported" is scanned for in communication with iHealth to indicate an error. Using it as a description or as an SR case number triggers that error, preventing uploads to iHealth.

Conditions:
The phrase "operation not supported" is used as an iHealth QKView description or SR number.

Impact:
Unable to upload to iHealth through the iHealth upload service on the device.

Workaround:
Do not use the phrase "operation not supported" as a description or an SR case number when uploading to iHealth.


1144005-2 : TPS drop of ~14% from F5OS-A 1.1.0 and later on r10000 series platforms

Links to More Info: BT1144005

Component: F5OS-A

Symptoms:
A TPS drop of approximately 12-14% was observed when running 512KB L7 HTTP tests on r10000 series platforms.
Increased CPU usage, larger tcp_lro receive packet sizes, and some packet drops were observed when running at full capacity.

Conditions:
Upgrade F5OS-A software version from 1.0.0 to any later software version, including 1.1.0, 1.2.0, 1.3.0, and 1.4.0.

Impact:
If F5OS software is upgraded from F5OS-A 1.0.0 to any later version, including F5OS-A 1.1.0, there will be a maximum drop of 14% in TPS compared with what the device actually supported in F5OS-A 1.0.0.

Workaround:
No mitigation currently available.


1127393-3 : Error message is not displayed when user configures more than 3 DNS servers in ConfD CLI or webUI

Component: F5OS-A

Symptoms:
When a user tries to configure more than 3 DNS server entries in F5OS-A using the command "system dns servers server" or from the webUI, no error message is displayed. The system allows only 3 DNS servers, but the user is allowed to configure more than 3.

Conditions:
Configure DNS servers in F5OS-A using the ConfD CLI or webUI.

Impact:
No impact. Even though the user configures more than 3, the system uses only 3 entries.

Workaround:
NA




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade

