1290949-1 : Invalid memory read in appliance orchestration manager

Links to More Info: BT1290949

Component: F5OS-A

Symptoms:
"Invalid read" identified in OMD.
During "show cluster events" we are hitting the code flow, where the ConfD API is reading the freed memory. It is leading to an invalid read.

Conditions:
Executing "show cluster events".

Impact:
Using a freed memory may cause unexpected behavior in the system.

Workaround:
N/A

Fix:
Code changes to address memory violations in the code.

1290941-1 : LLDP/STPD/LACPD in rSeries is flooding SEP_POLLERR when dma-agent restarts

Component: F5OS-A

Symptoms:
Below log is flooded in platform.log when dma-agent restarts
"SEP library in ERR state, sep_client_poll() returns SEP_POLLERR".

Conditions:
dma-agent restart.

Impact:
l2 functions such as LLDP/STPD/LACPD will be affected.

Workaround:
Reboot the device.

Fix:
Fixed code from flooding logs.

1285969 : Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down

Links to More Info: BT1285969

Component: F5OS-A

Symptoms:
One or more interfaces in LACP aggregations may be considered down when they should not be.

Conditions:
Internally, LACPD hashes interfaces to an integer, and some aggregation interface names hash will collide with ethernet interface name hash. Changes to the these aggregation interfaces can impact the ethernet interface.

Impact:
Traffic through the affected ethernet interface in LACP aggregations may be disrupted. This can cause either degraded performance or traffic failure for LACP aggregations that the interface is a member of.

Workaround:
Only use aggregation interface names that don't hash to the same port numbers as ethernet interfaces.

In order to determine if an existing aggregation interfaces port number conflicts with an ethernet interface, review the lacpd_interface_stat table.

For a VELOS partition, use the lacpd container on any blade in the partition to run tmctl.
For an appliance, use system_lacpd container to run tmctl.

The following example from a rSeries appliance shows the aggregation interface "vlag" with the same port number as interface 1.0

[root@appliance-1 ~]# docker exec -it system_lacpd bash

[root@appliance-1 partition]# tmctl lacpd_interface_stat -s name,port_num
name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
4.0 4096
5.0 5120
6.0 6144
7.0 7168
8.0 8192
9.0 9216
mgmt 43008
vlag 1024

If an aggregation interface hashes to the same port number an Ethernet interface:

1. Delete the conflicting aggregation interface

2a. You can either restart the lacpd containers

    or

2b. Reboot the appliance, or for VELOS reboot each blade in the partition.

Fix:
Aggregation interface names will never impact ethernet interfaces in a LACP aggregation.

1282757 : On upgrade, systems might overwrite key due to automatic firmware updating

Links to More Info: K000133379

Component: F5OS-A

Symptoms:
When upgrading to a new version (such as 1.4.0), automatic firmware updates occur, and these interfere with the encryption key retrieval, causing a new key to be generated, which blocks api-service-gateway.

Conditions:
Upgrading to a new version where automatic firmware updates get started at boot-up.

Impact:
The api-service-gateway container does not come up and there is no communication with the tenant.

Workaround:
Docker exec -it system_manager bash
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-key"
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-cert"

Fix:
The encryption key will not generate a new key unless the TPM module has none. The code will continue to retry until it succeeds or ConfD timeout occurs (300 seconds).

1281861 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0

Component: F5OS-A

Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".

Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.

Impact:
Tenants will not start and are unusable.

Workaround:
To work around this issue, perform one of these actions:

1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".

Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.

1281749-1 : Hashed/encrypted passwords are getting logged

Component: F5OS-A

Symptoms:
When the audit log entries are created with database changes, the updated values of password hashes and encrypted passwords are exposed. These values are potentially sensitive and should be masked.

Conditions:
Updating user passwords, server passwords, and other values that are stored as either hashes or encrypted in the configuration database.

Impact:
Potentially exposes sensitive information, though the encrypted fields use AES128-CFB, and the one-way hashes use SHA512, and cannot easily be converted back to plaintext form.

Workaround:
Secure the viewing of logs to trusted users.

See the following page for more information: https://my.f5.com/manage/s/article/K58243048

Fix:
These fields are now always masked during audit logging.

1280365-3 : WebUI and shell admin access unavailable after upgrade to when one of the previously installed images is no longer present

Links to More Info: BT1280365

Component: F5OS-A

Symptoms:
1. WebUI or CLI inaccessible via admin account (that is, ConfD is not up):
[root@appliance-1(XXXXXXXXX) log]# su admin
Failed to connect to server

2. sw-mgmt.debug file will have a line similar to this one (with image version changing depending on which image is missing):
DEBUG: Source file /var/export/chassis/import/.mounts/iso/R2R4/1.1.1-9159/m3/*-services/F5OS*.img does not exist, removing from all_sw.

3. Containers stuck in ImagePullBackOff. For example, system_network container cannot be pulled, and the following error is observed in messages log:

appliance-1 dockerd-current: time="2023-03-24T15:09:26.631359235Z" level=error msg="Not continuing with pull after error: Error: image system_network:1.4.5-f5os-a-1-4-0-candidate.2023-02-14-15-09-15.S9b340f7e not found"

Conditions:
Both of the below conditions:

1. Certain ISO image has been ungracefully removed from the /var/import/staging folder. Examples of ungraceful removals:
-- Deleted via bash (after running chattr -i <image name>)
-- Image name had parentheses in it and as per ID1273021 it is wiped out upon reboot.

2. /var/import/import.json file includes reference to removed image that is listed BEFORE the reference to currently used image.

Impact:
Device webUI is inaccessible. Cannot access ConfD. Root access is working.

Workaround:
Two workarounds:
1. Re-import the deleted image and reboot the box.
2. Remove the whole section that references the deleted image from import.json file and reboot the box.

Fix:
N/A

1273845-1 : Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration

Links to More Info: BT1273845

Component: F5OS-A

Symptoms:
Manually adding TLS Certificate & Key on webUI instead of storing through Self-Signed Certificate or removing Certificate & Key removes TLS configuration, which includes verify-client and verify-client-depth.

Conditions:
- When there is an existing Verify Client and Client Depth configuration, and user tries to remove TLS Certificate & Key on Certificate Management screen on webUI.

- When user fills the TLS Certificate & Key on Certificate Management screen on webUI.

Impact:
Verify Client and Client Depth configuration of Certificate Authentication will be changed to default values which disables verification of httpd client certificates.

Workaround:
- Remove or Add TLS Certificate & Key through CLI.
- While creating Self-Signed Certificate, set "Store TLS" field as true
- Re-add Verify Client and Client Depth after removing or manually adding TLS Certificate & Key.

1273445 : Downgrade/upgrade issues are seen because ISO has special characters in the file name★

Component: F5OS-A

Symptoms:
If a F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , ＼') is imported onto the device, and the system is downgraded/upgraded with this ISO, it can result in the upgrade/downgrade failing.

Conditions:
1. Download and import an ISO with a 'special character' in its name (for example,F5OS-A-1.5.0-*.iso.
2. Attempt an upgrade /downgrade.
3. Upgrade/downgrade will fail.

Impact:
Upgrade/downgrade will fail, requiring manual intervention to recover the system.

Workaround:
1. Before performing a platform software upgrade, compare versions referenced by the "show system image" ConfD CLI command with the names of files present in the "/var/import/staging” directory.

If the ISO is not present in /var/import/staging but it is shown in "show system image" command output, then import again to "/var/import/staging”.

2. If there is any ISO file with a name containing a special character present in "/var/import/staging”, remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt upgrade.

3. In order to remove that ISO file with a name containing a special characters use the below command.

appliance-1(config)# system image remove iso <iso version>

4. In scenarios where the above command fails or where it is not possible to use above command, please follow the below procedure to delete the image.
  * login to the device using root
  * chattr -i "/var/import/staging/<iso with special characters>”
  * rm -rf "/var/import/staging/<iso with special characters>”

In case downgrade or upgrade failure has already occurred due to this issue, follow these steps to recover the system:

1. Download another copy of the ISO with a proper name to /var/import/staging.

2. Wait for five minutes for it to import. If ConfD is unavailable, you can check the logs in /var/log/sw-mgmt.debug for import status.

3. Once the import is complete, reboot the system. This should recover the system.

Fix:
The fix is to delete the ISO with the special characters when it is being imported.

1273025-1 : Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption

Component: F5OS-A

Symptoms:
Virt-handler pod is crashing upon downgrading from F5OS-A 1.4.0 to F5OS-A 1.3.2, and a tenant is stuck in pending state.

Conditions:
Configure TACACS server-group on a non-default port (that is, other than port 49) and downgrade from F5OS-A 1.4.0 to F5OS-A 1.3.2.

Impact:
Tenant becomes stuck in pending state.

Workaround:
Two workarounds:

1. Configure standard port (49) for the TACACS server instead of a non-standard port. Using the standard port should not trigger these issues. Releases older than F5OS-A 1.4.0 do not correctly support any port other than 49 for the TACACS server.

2. Fix SELinux policy on the appliance:

a. cp selinux module from /usr

cp /usr/etc/selinux/targeted/active/modules/400/f5_appliance to /etc/selinux/targeted/active/modules/400/f5_appliance

b. Reboot the device

reboot

Fix:
Enforce closure of non-standard port every time configuration is updated or system is shut down. This avoids leaving ports open for which SELinux may not have exceptions.

Note this does not address the non-standard port in older releases when downgrading. Non-standard ports for TACACS are still not properly supported in the older release.

1273021-1 : ISOs imported with regex special characters in their names are getting deleted★

Component: F5OS-A

Symptoms:
When upgraded to ISO that is imported with special regex characters, upgrade fails.

Conditions:
ISO imported with regex special characters present in /var/import/staging.

Impact:
Docker container services will not come up.

Workaround:
If ISO is deleted, or any ISO is present in /var/import/staging with special characters in its name, delete the ISO (if present) and re-import without special characters.

If containers are down, reboot the device for containers to come up.

Fix:
Import of ISO with special characters is blocked.

1273017-1 : LACPD restarts when changing aggregation lag-type through configuration utility webUI

Links to More Info: BT1273017

Component: F5OS-A

Symptoms:
The Link Aggregation Control Protocol Daemon (LACPD) will restart. An LACP aggregation's interface can be permanently down, restricting traffic from passing on that interface.

Conditions:
-An aggregation interface's lag-type is set to static through configuration utility.

Impact:
One or more physical interfaces associated with an LACP aggregation can be erroneously marked down indefinitely, causing either degraded performance, or complete traffic failure.

Performance degradation may not occur, but the LACPD process will always restart.

Workaround:
- Toggle any affected interface to disable and then back to enable.
- Toggle any affected aggregation interface to static and then back to LACP.
- Reboot the system.

Fix:
LACPD will not restart when an aggregation is configured to static through the configuration utility. Few warnings can be logged when this operation occurs. These warnings can be ignored if seen while changing an aggregation's lag-type through configuration utility.

1269989-2 : tcam-manager may get stuck using 100% CPU

Links to More Info: BT1269989

Component: F5OS-A

Symptoms:
After running a QKView or tcam-dump by itself, tcam-manager does not clean up the diagnostic socket, which results in a tight loop and pegging the CPU at 100% utilization. This in turn starves other platform processes (such as dma-agent), which causes performance degradation.

Conditions:
A QKView or tcam-dump, which is included in QKView, is run.

Impact:
Performance degradation.

Workaround:
The issue can be avoided by not running QKView.

Fix:
After tcam-dump completes, the corresponding socket is properly removed.

1267253-2 : LDAP shadowExpire attribute not honored

Links to More Info: BT1267253

Component: F5OS-A

Symptoms:
When using LDAP authentication, usage of the shadowExpire and related attributes will not enforce expiration on the F5 device.

Conditions:
LDAP authentication is configured. LDAP shadowExpire, shadowMax, and related attributes are set such that the user should be expired.

Impact:
User with expired attributes can log into F5 device.

Workaround:
Either remove the user from groups with roles that allow access to the F5 device (for example, F5OS admin role gidNumber) or delete the user.

1253713-3 : CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png

Links to More Info: K000133070, BT1253713

1252377-2 : VXLAN-GPE and GENEVE are disabled by default when software is upgraded from F5OS-A 1.3.0 build to F5OS-A 1.4.0★

Links to More Info: BT1252377

Component: F5OS-A

Symptoms:
When r10000 or r5000 Series hardware is running with F5OS-A 1.3.0, the default settings for VXLAN-GPE and GENEVE are enabled, and hardware disaggregation support for these tunnel protocols is enabled without any explicit configuration.

If the software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0, these protocols will be disabled, and hardware disaggregation is disabled. It is required to enable these two protocols explicitly in the configuration to enabled them in the hardware.

Conditions:
If VXLAN-GPE and GENEVE tunnels are used in the deployment with F5OS-A 1.3.0 software version without any explicit enabled configuration for these two tunnels, and software upgraded to F5OS-A 1.4.0 or later.

Impact:
Hardware disaggregation support for VXLAN-GPE and GENEVE will be disabled if software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0 or later when these two tunnels are using default configuration to enable them.

Workaround:
Use explicit tunnel settings to enable VXLAN-GPE and GENEVE in F5OS-A 1.3.0, or enable these two protocols explicitly after software upgrade from F5OS-A 1.3.0.

Fix:
VXLAN-GPE and GENEVE are disabled in default global configuration and advised to use explicit tunnel configuration settings to enable hardware disaggregation support.

1251981 : Speed on webUI Interfaces screen is empty for 1GB

Links to More Info: BT1251981

Component: F5OS-A

Symptoms:
When interface speed is 1GB, the speed column on this screen is blank. The Edit Interfaces screen has the same issue.

Conditions:
Interface speed is set to 1GB.

Impact:
Speed column will be blank, so user will not see the actual speed.

Workaround:
Use the F5OS CLI to view the interface speed when it is set to 1GB.

Fix:
Speed column is now populated correctly on the Interfaces screen.

1250901-2 : On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state

Links to More Info: BT1250901

Component: F5OS-A

Symptoms:
After a reboot of the system in live upgrade, tenants that were running earlier might not change to a running state. This is due to the HSM board driver stuck in SAFE_STATE instead of OPERATIONAL_STATE.

In some cases, the driver changes to an operational state after some amount of time (approximately 10 minutes). But this time might vary upon detection of reset/link failure in the hardware. In some other systems, the driver becomes stuck in SAFE_STATE indefinitely.

Conditions:
Live upgrade/reboot of the rSeries FIPS system with F5OS-A.

You may observe the below logs in dmesg-
[ 964.105021] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION

Impact:
Running tenants goes to pending state when this issue occurs in a live upgrade.

Workaround:
Check contents of cavium_n3fips file as shown below.
[appliance]# cat /proc/cavium_n3fips/driver_state
HSM 0:OPERATIONAL_STATE

If the driver changes to an operational state, perform
"docker restart fips-support-pod" to help in recovering.

But if the driver state is still "HSM 0:SAFE_STATE", you may need to perform a power cycle reboot (but this will not guarantee recovery).

Fix:
N/A

1249773-2 : QKView may fail to collect all files for platform-monitor container

Links to More Info: BT1249773

Component: F5OS-A

Symptoms:
Very occasionally, QKView view will have a conflict collecting round-robin database (RRD) files in the platform monitor container. The qkview-collect routine may terminate unexpectedly as a result.

Conditions:
QKView capture request happens coincidentally to round-robin database update.

Impact:
RRD files may not be collected.

Workaround:
Rerun QKView.

Fix:
This will be fixed in a future release.

1239325 : Issue when Management IP address is configured to have public internet access on F5OS

Links to More Info: BT1239325

Component: F5OS-A

Symptoms:
The F5OS webUI allows web crawlers access to all content when the Management IP address is configured to have public internet access.

Conditions:
If the Management IP address is configured to have public internet access.

Impact:
This impedes the ability to satisfy internal security compliance mandates.

Workaround:
To mitigate the issue, you can manipulate the contents of the robots.txt file inside the webUI container as demonstrated below:

$ ssh root@10.238.160.60
root@10.238.160.60's password:
[root@appliance-1 ~]# docker exec -it vanquish-gui bash
[root@d6303361e100 /]# cd /app/build
[root@d6303361e100 build]# echo "User-agent: *" > robots.txt
[root@d6303361e100 build]# echo "Disallow: /" >> robots.txt
[root@d6303361e100 build]# cat robots.txt
User-agent: *
Disallow: /
[root@d6303361e100 build]# exit
exit
[root@appliance-1 ~]# exit
logout
Connection to 10.238.160.60 closed.

Fix:
Robots.txt now disallows web crawlers access to any content.

1236857-1 : F5OS OID SNMPv2-MIB::sysDescr provides meaningless information for system controller

Links to More Info: BT1236857

Component: F5OS-A

Symptoms:
After setting up snmpwalk on older version and live upgrading to another version, the snmpwalk is still showing older service version.

Conditions:
1. configure SNMP
2. upgrade system with live upgrade
3. check system version using SNMPv2-MIB::sysDescr (it will be pointing to older version)

example:
SNMPv2-MIB::sysDescr.0 = STRING: Linux 3.10.0-1160.62.1.F5.1.el7_8.x86_64 : Appliance services version <older_version>

Impact:
sysDescr will be displaying older version.

Workaround:
N/A

Fix:
This issue is fixed in latest release.

1234049 : The Add/Edit tenant deployment screen on the r4600 webUI does not have the option for 12 vCPUs in the vCPUs dropdown

Links to More Info: BT1234049

Component: F5OS-A

Symptoms:
The vCPUs dropdown does not have 12 as an option in the Add/Edit tenant deployment screen on the r4600 webUI.

Conditions:
While adding or editing a tenant on the r4600 system via webUI.

Impact:
The user cannot add or edit a tenant with 12 vCPU cores on the webUI.

Workaround:
Users can add/edit a tenant with 12 vCPU cores from the CLI.

Fix:
The webUI will have an additional option for '12' in the vCPUs dropdown thus allowing the user to deploy a tenant with 12 vCPU cores.

1232369 : Intel Microcode update

Component: F5OS-A

Symptoms:
Intel Microcode update was found to fix an internal regulator power issue. No workaround; requires BIOS update.

Conditions:
Intel Microcode earlier than 0d000389 in the BIOS.

Impact:
Unknown

Workaround:
Upgrade BIOS that includes the new microcode 0d000389 from Intel.

Fix:
BIOS version 2.01.134.1 has been updated from vendor with the updated microcode from Intel.

1232309 : CVE-2020-10754: nmcli did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings

Component: F5OS-A

Symptoms:
It was found that nmcli, a command line interface to NetworkManager did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings, when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and the connection is made insecurely.

Conditions:
N/A

Impact:
N/A

Fix:
The networkmanager and dependent packages are upgraded to NetworkManager-team-1.18.8.

1231357 : Unexpected reboot might occur on r5000/r10000 Series

Links to More Info: BT1231357

Component: F5OS-A

Symptoms:
An unexpected operating system reboot might occur on r5000/r10000 Series.

After the system reboots, in the /var/crash/ directory there will be a new directory created that is named with a timestamp corresponding to the reboot. In that new directory, a file vmcore-dmesg.txt is available with the following error message:

CPU 0: Machine Check Exception: 5 Bank 4: ba00000056000402

Conditions:
Unexpected system reboot.

Impact:
When the reboot occurs, the entire system will reboot and all tenants will stop processing traffic until the reboot is complete. The system will operate normally after the reboot.

Workaround:
None

Fix:
This issue has been corrected.

1230609 : Neighbor interface description is not updated in LLDP neighbor details

Links to More Info: BT1230609

Component: F5OS-A

Symptoms:
Port Description TLV is not displayed under LLDP interface neighbors.

Conditions:
1) enable LLDP on device and on switch
2) enable port description TLV
3) set port description on interface in switch side

Impact:
No impact.

Workaround:
N/A

Fix:
Fixed code to display port description.

1229465-3 : QKView is not collecting core files in /var/crash

Component: F5OS-A

Symptoms:
QKView was designed to collect core files in /var/core only. The operating system kernel can create core files in /var/crash. SEs need to know about these files.

Conditions:
OS kernel creates a core file.

Impact:
Core file not collected by QKView.

Workaround:
Core file can be manually copied from /var/crash.

Fix:
QKView takes a directory listing from /var/crash and collects core files in that directory.

1226505-2 : Average transactions per second impacted in certain cases

Component: F5OS-A

Symptoms:
There is a reduction in http/https average transactions per second for some file sizes when ASM is configured on BIG-IP tenant on R2000 series.

Conditions:
BIG-IP config: virtual server with asm_rw policy attached to it; virtual server with profiles http, tcp, and websecurity attached to it (visual snippet is at the end of high level details).

CPU: 95-97%

simulated users: 1536

The traffic involved in testing ASM is close to real world traffic conditions.

Impact:
Reduction in average transactions per second when traffic is run for a specified duration with 1536 simulated users.

Impact is seen for http traffic specific to 32kb and 5kb file sizes.

Workaround:
N/A

Fix:
N/A

1226429 : "DEBUG cannot reply twice on the same call" log reporting repeatedly

Links to More Info: BT1226429

Component: F5OS-A

Symptoms:
When the snmpget operation is performed on IF-MIB, the message "DEBUG cannot reply twice on the same call" appears in /var/log/message. The issue is that the DEBUG is enabled in one of the services container so this DEBUG message is logging in /var/log/message.

Conditions:
One of the reproduction steps is to perform the snmpget operation on IF-MIB.

Impact:
No known impact on the functionality. They are DEBUG messages only.

Workaround:
No workaround. The debug messages stops when the snmpget operation is completed.

Fix:
Removed unwanted debug enable from the service container.

1225981-1 : Files greater then 1000 MiB are truncated in QKView

Links to More Info: BT1225981

Component: F5OS-A

Symptoms:
QKView is unable to collect an untrunucated platform.log file that has been rotated.

Conditions:
Rotated copy of the platform.log file is greater than 1000 MiB.

Impact:
Logs are not complete in QKView making it difficult to troubleshoot issues.

Workaround:
Collect the log files manually.

1215917 : webUI failed to load when downgrading from 1.5.0 to 1.3.1 with self-signed certificate with encrypted RSA key type

Component: F5OS-A

Symptoms:
webUI fails to load.

Conditions:
If the self-signed certificate is enabled with encrypted-RSA/ECDSA, and the system is downgraded to lower versions than 1.5.0

Impact:
webUI fails to load.

Workaround:
Remove the self-signed encrypted certificate before downgrading to lower versions.

Fix:
Added code changes to restrict the downgrade to lower versions if encrypted RSA/ECDSA certificate is available.

1211861 : Configured input values of IP address fields reset to default upon switching the protocol

Links to More Info: BT1211861

Component: F5OS-A

Symptoms:
IP address fields are reset to default values.

Conditions:
When the user changes the protocol and switches back to the previously selected protocol via the "Address" field on the webUI.

Impact:
Values of IP address fields are lost as they are reset to default values.

Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.

Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.

We have added 'X' buttons adjacent to the address fields that can be leveraged to put in default values in case the user does not want to configure the fields for a particular protocol.

1211777 : Configured input values of IP address fields reset to default upon switching the protocol

Links to More Info: BT1211777

Component: F5OS-A

Symptoms:
IP address fields are reset to default values.

Conditions:
When the user changes the protocol and switches back to the previously selected protocol via the "Address" field on the webUI.

Impact:
Values of IP address fields are lost as they are reset to default values.

Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.

Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.

We have added 'X' buttons adjacent to the address fields that can be leveraged to put in default values in case the user does not want to configure the fields for a particular protocol.

1211025 : Firmware update interrupted during OS install★

Links to More Info: BT1211025

Component: F5OS-A

Symptoms:
Firmware update can be interrupted by docker container issues.

Conditions:
Random container issue restarts all containers.

Impact:
If firmware is being updated in that moment, the firmware update will fail and it could cause problems to normal system operation.

Workaround:
Ask the support team to update the LOP firmware.

Fix:
Docker container failure handles routine checks if firmware is being updated and waits until the update is done before handling the failure.

1207485-1 : LACP daemon restarts when changing lag-type of the aggregation

Links to More Info: BT1207485

Component: F5OS-A

Symptoms:
LACP daemon restarts. The system will be unable to process LACPDUs until LACP daemon starts up again.

Conditions:
The issue occurs from changing the lag-type of an aggregation interface that does not have an associated LACP interface.

Impact:
All LACP link aggregations may go down and be unable to process traffic for a short time. The down time, if it occurs, should be less than a few seconds.

Workaround:
Only change an aggregation's lag-type while an associated LACP interface exists.

Fix:
LACP daemon will not restart when changing an aggregation's lag-type while an associated LACP interface does not exist.

1204481 : System may flap external links multiple times during startup or links may fail to come up at all

Links to More Info: K000132166, BT1204481

Component: F5OS-A

Symptoms:
When the system boots up, the interfaces may flap (go up and down) several times in quick succession before coming up and stabilizing.

In some cases, the interfaces fail to come up at all.

If a peer switch is configured to detect excessive link flaps, it may put the port in an err-disable state and prevent the link from coming up.

Conditions:
-- r5000 or r10000 Series appliance

Impact:
If the peer switch triggers a link-flap detection feature, the ports may remain offline until an administrator manually recovers the port on that switch.

Workaround:
There is no workaround for this issue on the rSeries appliance.

An administrator can mitigate this issue by doing one of the following:

- configuring the peer switch to automatically try to recover ports that are disabled for excessive link flapping
- increasing the number of link flaps required in a certain interval before the port is put in a disabled state

Fix:
Disable sending of remote-fault signaling to peer device while the system is booting up.

1190369 : Terminal window not reflecting configured hostname

Component: F5OS-A

Symptoms:
The title of the terminal window does not have the configured hostname.
Currently, all open windows with root login either from PuTTY or any application display as appliance-1.

Conditions:
Connecting to the device using ssh clients like PuTTY.

Impact:
This causes difficulty for a user trying to juggle multiple open SSH sessions during a maintenance window.

1188053 : SSH idle-timeout support

Component: F5OS-A

Symptoms:
There was no idle-timeout implemented for SSH session. The SSH session was not getting terminated even if it was idle for a long time.

Conditions:
There was no idle timeout for SSH session.

Impact:
SSH session will not get terminated even if it is idle for long time.

Workaround:
User must close the SSH session.

Fix:
Implemented SSH idle-timeout which is configurable from CLI/RESTCONF. The SSH session will now get terminated if it is idle for the configured idle-timeout. The default value is 0, which means no idle-timeout.

1185701-2 : 'system aaa' command in ConfD to fail with "Error: application communication failure"

Links to More Info: BT1185701

Component: F5OS-A

Symptoms:
System fails to change password and renders system in a degraded state where user management no longer works.
System fails to provide proper user feedback to the user about failed password changes.

Conditions:
This policy option is causing the problem:
system aaa password-policy config retries 5

Impact:
F5OS user password cannot be changed.

Workaround:
Do not change the configuration from default.
system aaa password-policy config retries 5

Fix:
N/A

1185497-3 : Tenant health in the partition shows additional entries that are not part of the tenant configuration

Links to More Info: BT1185497

Component: F5OS-A

Symptoms:
When the admin upgrades the system software from 1.3.x to 1.5.0, the platform updates the tenant's table with additional entries that are not running as part of the tenant's original configuration.

Conditions:
Power cycle or system software upgrades from 1.3.x to 1.5.0.

Impact:
There will not be any impact on the critical functionality of the tenant, and traffic continues to work. However, it does show some unwanted information in the health which could be confusing.

Workaround:
Toggling the affected tenant's running state from "Deployed" to "Provisioned" and back to "Deployed" will fix the state of the tenant in the table.

Fix:
During the power cycle/system upgrade, the platform re-populates the tenant oper status from Openshift and publishes it to Partition. If the REST response of the tenants from Openshift is incomplete, the platform is populating entries under the wrong key/value. As a result, the partition tenant's table ends up with some unwanted entries.
It is a cosmetic issue and will not impact any tenants.

1184821 : Obscure crash in external authenticator

Links to More Info: BT1184821

Component: F5OS-A

Symptoms:
An unexpected sequence of characters in the username or password of an external login could cause a crash in the external authenticator.

Conditions:
Certain malformed usernames or passwords being used for external authentication.

Impact:
The crash in these circumstances would prevent successful login. After analysis, it was deemed there was no security risk or exposure.

Workaround:
Use usernames and passwords for authentication via SSH or webUI that conform to the device username/password requirements.

Fix:
The bug was fixed and a crash no longer occurs.

1181721 : Add additional commands and files to QKView collection

Component: F5OS-A

Symptoms:
There is no change in functionality. The fix adds new commands and files to QKView collection.

Conditions:
Additional commands and files are added to the QKView collection and they will be collected whenever QKView is requested.

Impact:
Additional commands and files are added to the QKView collection.

Workaround:
Only new commands and files will not be collected as part of QKView collection. Old commands and files will get collected in QKView.

Fix:
Additional commands and files are added to the QKView collection.

1167761-2 : Directory Indexing enabled for management webUI

Component: F5OS-A

Symptoms:
Directory Indexing is enabled for management webUI.

Conditions:
When the management IP is followed by the name of any directory that is contained in the webUI, the build directories and file contents are visible on the browser.

Impact:
The webUI build directories and file contents are visible on the browser.

Workaround:
http-server config can be updated to disable directory indexing.
Steps:
1. Log in as root user into the system
2. Enter inside the http-server docker container and update the config file:
[root@appliance-1 ~]# docker exec -it http-server bash
bash-4.2# cd /etc/httpd/conf.d
bash-4.2# vi velocity.conf
Replace "Options Indexes FollowSymLinks"
with "Options FollowSymLinks"

Fix:
Disabled directory indexing.

1165973-2 : Application error while using the CLI command "show components"

Links to More Info: BT1165973

Component: F5OS-A

Symptoms:
The user receives an error message using the CLI (show components -> Error: application error) when there is a faulty sensor in the hardware.

Conditions:
When the system has the faulty sensor.

Impact:
Application error seen in the ConfD CLI while trying to execute "show components". The webUI is affected as well.

Workaround:
N/A

Fix:
We have added a check at diag-agent to not throw the application error; it will show data for the healthy components.

1137121-3 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0

Links to More Info: BT1137121

Component: F5OS-A

Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".

Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.

Impact:
Tenants will not start and are unusable.

Workaround:
To work around this issue, perform one of these actions:

1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".

Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.

1136597-3 : LDAP user with admin and operator role gets only operator permissions

Links to More Info: BT1136597

Component: F5OS-A

Symptoms:
An LDAP user configured with groups for both admin and operator roles only receives operator permissions.

Conditions:
LDAP user configured with gidNumber assignments for both admin and operator roles.

Impact:
A user with this config would be assigned only operator permissions.

Workaround:
Only configure the gidNumber for the desired role in LDAP for the user. Do not configure multiple roles for the same user.

Fix:
There was an error in the NACM rules for ConfD config. The role logic has been fixed.

• The F5 Networks Technical Support website: http://www.f5.com/support/
• The MyF5 website: https://my.f5.com/manage/s/
• The F5 DevCentral website: http://devcentral.f5.com/

Generated: Mon May 22 20:06:44 2023 UTC

©2023 F5, Inc. All rights reserved.