F5OS-A Release Information
Version: 1.5.1
Build: 12283
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Functional Change Fixes
None
F5OS-A Fixes
ID Number | Severity | Links to More Info | Description |
1315121-1 | 1-Blocking | BT1315121 | Key migration failure and potential corruption updating to 1.5.0 or later with deployed tenants |
1293305-2 | 1-Blocking | BT1293305 | LAG interface status is not updated on the BIG-IP tenant |
1281857-1 | 1-Blocking | | Repeated disabling and enabling of link partner interface might result in datapath corruption |
1217169-2 | 1-Blocking | | Disk full: Latest ISO is not getting imported★ |
1188921-1 | 1-Blocking | BT1188921 | tcpdump not working after upgrade |
1184429-1 | 1-Blocking | BT1184429 | Specifying "operation not supported" as an iHealth QKView description or SR number will disable iHealth uploading |
1328977-1 | 2-Critical | BT1328977 | Appliance Orchestration Manager fails due to memory corruption |
1328729 | 2-Critical | BT1328729 | Slow memory leak when processing tenant telemetry |
1327701-4 | 2-Critical | | Space in SNMP community/user/target name causing snmpd container restart |
1304657-1 | 2-Critical | | tcam-manager does not support all the possible system network subnets |
1286165-1 | 2-Critical | | Ping failing after removing aggregate ID from interface and adding trunk VLANs in the same commit |
1297665-1 | 3-Major | | Occasionally diagnostic agent reports as unhealthy for unpopulated PSU_Slot in health summary and ihealth reports |
1286285-3 | 3-Major | | ISO with special characters in name will not import |
Cumulative fixes from F5OS-A v1.5.0 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description |
1253713-3 | CVE-2020-15999 | K000133070, BT1253713 | CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png |
1232309 | CVE-2020-10754 | K000132761, BT1232309 | CVE-2020-10754: nmcli did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings |
1281749-1 | CVE-2023-36494 | K000134922, BT1281749 | Hashed/encrypted passwords are getting logged |
Functional Change Fixes
None
F5OS-A Fixes
ID Number | Severity | Links to More Info | Description |
1290949-1 | 1-Blocking | BT1290949 | Invalid memory read in appliance orchestration manager |
1290941-1 | 1-Blocking | BT1290941 | LLDP/STPD/LACPD in rSeries is flooding SEP_POLLERR when dma-agent restarts |
1285969 | 1-Blocking | BT1285969 | Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down |
1282757 | 1-Blocking | K000133379, BT1282757 | On upgrade, systems might overwrite key due to automatic firmware updating |
1281861 | 1-Blocking | BT1281861 | Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0 |
1273445 | 1-Blocking | BT1273445 | Downgrade/upgrade issues are seen because ISO has special characters in the file name★ |
1269989-2 | 1-Blocking | BT1269989 | tcam-manager may get stuck using 100% CPU |
1267253-2 | 1-Blocking | BT1267253 | LDAP shadowExpire attribute not honored |
1250901-2 | 1-Blocking | BT1250901 | On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state |
1232369 | 1-Blocking | BT1232369 | Intel Microcode update |
1226505-2 | 1-Blocking | BT1226505 | Average transactions per second impacted in certain cases |
1225989-2 | 1-Blocking | BT1225989 | TACACS users only able to access CLI, not webUI |
1280365-3 | 2-Critical | BT1280365 | WebUI and shell admin access unavailable after upgrade to when one of the previously installed images is no longer present |
1273025-1 | 2-Critical | BT1273025 | Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption |
1273021-1 | 2-Critical | BT1273021 | ISOs imported with regex special characters in their names are getting deleted★ |
1252377-2 | 2-Critical | BT1252377 | VXLAN-GPE and GENEVE are disabled by default when software is upgraded from F5OS-A 1.3.0 build to F5OS-A 1.4.0★ |
1249773-2 | 2-Critical | BT1249773 | QKView may fail to collect all files for platform-monitor container |
1231357 | 2-Critical | BT1231357 | Unexpected reboot might occur on r5000/r10000 Series |
1215917 | 2-Critical | | webUI failed to load when downgrading from 1.5.0 to 1.3.1 with self-signed certificate with encrypted RSA key type |
1211025 | 2-Critical | BT1211025 | Firmware update interrupted during OS install★ |
1204481 | 2-Critical | K000132166, BT1204481 | System may flap external links multiple times during startup or links may fail to come up at all |
1184821 | 2-Critical | BT1184821 | Obscure crash in external authenticator |
1137121-3 | 2-Critical | BT1137121 | Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0 |
1136597-3 | 2-Critical | BT1136597 | LDAP user with admin and operator role gets only operator permissions |
1273845-1 | 3-Major | BT1273845 | Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration |
1273017-1 | 3-Major | BT1273017 | LACPD restarts when changing aggregation lag-type through configuration utility webUI |
1251981 | 3-Major | BT1251981 | Speed on webUI Interfaces screen is empty for 1GB |
1239325 | 3-Major | BT1239325 | Issue when Management IP address is configured to have public internet access on F5OS |
1236857-1 | 3-Major | BT1236857 | F5OS OID SNMPv2-MIB::sysDescr provides meaningless information for system controller |
1234049 | 3-Major | BT1234049 | The Add/Edit tenant deployment screen on the r4600 webUI does not have the option for 12 vCPUs in the vCPUs dropdown |
1230609 | 3-Major | BT1230609 | Neighbor interface description is not updated in LLDP neighbor details |
1229465-3 | 3-Major | | QKView is not collecting core files in /var/crash |
1226429 | 3-Major | BT1226429 | "DEBUG cannot reply twice on the same call" log reporting repeatedly |
1207485-1 | 3-Major | BT1207485 | LACP daemon restarts when changing lag-type of the aggregation |
1188053 | 3-Major | | SSH idle-timeout support |
1185701-2 | 3-Major | BT1185701 | 'system aaa' command in ConfD to fail with "Error: application communication failure" |
1185497-3 | 3-Major | BT1185497 | Tenant health in the partition shows additional entries that are not part of the tenant configuration |
1181721 | 3-Major | | Add additional commands and files to QKView collection |
1165973-2 | 3-Major | BT1165973 | Application error while using the CLI command "show components" |
1225981-1 | 4-Minor | BT1225981 | Files greater than 1000 MiB are truncated in QKView |
1211861 | 4-Minor | BT1211861 | Configured input values of IP address fields reset to default upon switching the protocol |
1211777 | 4-Minor | BT1211777 | Configured input values of IP address fields reset to default upon switching the protocol |
1190369 | 4-Minor | | Terminal window not reflecting configured hostname |
1167761-2 | 4-Minor | BT1167761 | Directory indexing enabled for management webUI |
Cumulative fix details for F5OS-A v1.5.1 that are included in this release
1328977-1 : Appliance Orchestration Manager fails due to memory corruption
Links to More Info: BT1328977
Component: F5OS-A
Symptoms:
Appliance Orchestration Manager fails, leading to a restart of the docker container. A core file may also be observed.
Conditions:
There are no preconditions. The failure is caused by memory corruption in the system, and it does not occur consistently.
Impact:
OMD restarts; this will not generally disturb the tenant's functionality.
Workaround:
N/A
Fix:
Fixed the issues related to memory corruptions in the appliance Orchestration Manager.
1328729 : Slow memory leak when processing tenant telemetry
Links to More Info: BT1328729
Component: F5OS-A
Symptoms:
The system will eventually run out of memory. Up until the point of service restart, the memory utilization will negatively impact running tenants, causing potential memory allocation errors.
Conditions:
When a BIG-IP tenant running version 15.1.7 or earlier is deployed.
Impact:
Excessive memory utilization will impact operational performance of the F5OS and tenants.
Workaround:
The mitigation is to update a BIG-IP tenant version to 15.1.8 or newer, or to update to F5OS 1.5.1.
1327701-4 : Space in SNMP community/user/target name causing snmpd container restart
Component: F5OS-A
Symptoms:
When there is a space in any SNMP community/user/target name configuration, this will cause an F5OS snmpd service restart.
Conditions:
When there is a space in an SNMP community/user/target name configuration.
Impact:
F5OS snmpd restarts.
Workaround:
Reconfigure the SNMP community/user/target without a space in the name.
Fix:
Added a space restriction in SNMP community/user/target name configuration so the user can no longer configure with a space.
1315121-1 : Key migration failure and potential corruption updating to 1.5.0 or later with deployed tenants
Links to More Info: BT1315121
Component: F5OS-A
Symptoms:
When setting a new primary key after upgrading from an older release (such as 1.1.1 or older), where tenants are deployed, to 1.5.0 or newer, the key migration may fail.
The migration failure may cause configuration database corruption for the entire system.
Conditions:
Tenants are deployed on release 1.1.1 or older. Upgrade to 1.5.0 or newer (including through intermediate upgrades, such as 1.1.1 -> 1.3.2 -> 1.5.1). Set new primary key.
Impact:
Setting a new primary key may fail. When this failure occurs, system configuration corruption may occur.
Workaround:
Mitigation to prevent failure:
- Change all tenants to the configured state
- Set a new primary key
- Wait for key migration to complete
- Return tenants to deployed state.
Recovery for corruption:
- Reset device to default configuration
- Set the primary key to the known primary key for a known-good backup
- Restore with known-good backup
Fix:
Fix known causes of database corruption on primary key migration failure. While the primary key configuration may still fail if tenants are in deployed state, it should no longer cause system corruption.
1304657-1 : tcam-manager does not support all the possible system network subnets
Component: F5OS-A
Symptoms:
The connection from the tenant (TMM) to the tcam-manager is continuously restarted.
tcam-mgr logs show the wrong tenant-id, and the connection from the tenant is therefore rejected:
msg="INFO" MSG="Connection from client address:10.245.3.1".
msg="ERROR" MSG=" Confd access error obtaining tenant info for tenant:12291 slot:1".
msg="INFO" MSG="neuron_handle_responses: dropping resp to non-existent client".
TMM periodically logs neuron client errors, such as:
notice hudproxy_neuron_client_closed_cb: Neuron client connection terminated
notice pva_sc_frs_neuron_stopped_cb/2373: FRS SC: Neuron client stopped.
notice [DDOS Neuron]Neuron daemon stopped
Conditions:
The 'system network' configuration is changed from its default setting in F5OS.
Impact:
TCAM based features don't work.
Workaround:
Select either the default RFC6598 subnet or any of the unaffected RFC1918 subnets.
Fix:
tcam-manager now correctly calculates the tenant-id for all possible system network subnets.
1297665-1 : Occasionally diagnostic agent reports as unhealthy for unpopulated PSU_Slot in health summary and ihealth reports
Component: F5OS-A
Symptoms:
Diagnostic agent reports as unhealthy for unpopulated PSU_Slot in ihealth reports and "show system health summary" output.
Conditions:
Occurs only when there are empty PSU slots in the system and the diagnostic agent receives PSU Input State events in a different order.
Impact:
The diagnostic agent reports the PSU in the unpopulated slot as unhealthy in the health summary.
Workaround:
N/A
1293305-2 : LAG interface status is not updated on the BIG-IP tenant
Links to More Info: BT1293305
Component: F5OS-A
Symptoms:
Symptom 1: Trunk is down in tenant but the LAG is up in F5OS-A.
Symptom 2: LAG is down in F5OS-A but the trunk is up in tenant.
Conditions:
For symptom 1:
1. Set up new rSeries device.
2. Config static LAG and VLAN.
3. Deploy new tenant.
4. In tenant, LAG will be shown as down but interfaces shown as up.
5. This happens only at initial tenant deployment.
For symptom 2:
1. LAG is shown as down in F5OS-A.
2. Trunk is shown as up in tenant.
Impact:
Symptom 1:
On r2x00/r4x00 platforms, as LAG will be in DOWN state, datapath will not be working.
Symptom 2:
On r2x00/r4x00 platforms, LAG status is shown as UP but it's actually DOWN on the platform. Datapath will not be UP, but as LAG is UP in tenant we expect Datapath to be UP.
Symptom 3:
If trunks are used for HA Group the scores associated to the trunks are not deducted from the overall health scores regardless of whether the interfaces in the trunks are up or not.
Workaround:
For symptom 1:
Restart the "system_api_svc_gateway" service on the host.
# docker restart system_api_svc_gateway
For symptom 2:
Restart the "system_api_svc_gateway" service on the host.
# docker restart system_api_svc_gateway
1290949-1 : Invalid memory read in appliance orchestration manager
Links to More Info: BT1290949
Component: F5OS-A
Symptoms:
"Invalid read" identified in OMD.
When "show cluster events" is executed, a code path is reached in which the ConfD API reads memory that has already been freed, resulting in an invalid read.
Conditions:
Executing "show cluster events".
Impact:
Using freed memory may cause unexpected behavior in the system.
Workaround:
N/A
Fix:
Code changes to address memory violations in the code.
1290941-1 : LLDP/STPD/LACPD in rSeries is flooding SEP_POLLERR when dma-agent restarts
Links to More Info: BT1290941
Component: F5OS-A
Symptoms:
The following message floods platform.log when dma-agent restarts:
"SEP library in ERR state, sep_client_poll() returns SEP_POLLERR".
Conditions:
dma-agent restart.
Impact:
L2 functions such as LLDP/STPD/LACPD will be affected.
Workaround:
Reboot the device.
Fix:
Fixed the code so that it no longer floods the logs.
1286285-3 : ISO with special characters in name will not import
Component: F5OS-A
Symptoms:
An ISO named with special characters like "()" will not be imported and gets deleted from the import directory silently.
Conditions:
Only when the ISO name contains special characters.
Impact:
User will not have any status on the imported image with a name that contains special characters.
Workaround:
No workaround.
Fix:
The "show system image" API will display the status as "Import error. File name is incorrect."
1286165-1 : Ping failing after removing aggregate ID from interface and adding trunk VLANs in the same commit
Component: F5OS-A
Symptoms:
Ping to self IP of tenant failing.
Conditions:
This issue is observed only when the change is made from the F5OS ConfD CLI.
It occurs when removing the aggregate ID and assigning trunk VLANs to an interface in the same commit from the ConfD CLI.
Impact:
Ping to self IP of tenant will fail.
Workaround:
From the F5OS CLI:
1) Remove the aggregate ID from the interface.
2) Commit the changes.
3) Add trunk VLANs to the interface and commit the changes.
For example:
1) no interfaces interface 3.0 ethernet config aggregate-id
2) commit; top
3) interfaces interface 3.0 ethernet switched-vlan config trunk-vlans [ 3700 3800 3900 ]
4) commit
Fix:
NA
1285969 : Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down
Links to More Info: BT1285969
Component: F5OS-A
Symptoms:
One or more interfaces in LACP aggregations may be considered down when they should not be.
Conditions:
Internally, LACPD hashes interface names to an integer, and the hash of some aggregation interface names collides with the hash of an ethernet interface name. Changes to these aggregation interfaces can impact the ethernet interface.
Impact:
Traffic through the affected ethernet interface in LACP aggregations may be disrupted. This can cause either degraded performance or traffic failure for LACP aggregations that the interface is a member of.
Workaround:
Only use aggregation interface names that don't hash to the same port numbers as ethernet interfaces.
To determine whether an existing aggregation interface's port number conflicts with an ethernet interface, review the lacpd_interface_stat table.
For a VELOS partition, use the lacpd container on any blade in the partition to run tmctl.
For an appliance, use the system_lacpd container to run tmctl.
The following example from an rSeries appliance shows the aggregation interface "vlag" with the same port number as interface 1.0:
[root@appliance-1 ~]# docker exec -it system_lacpd bash
[root@appliance-1 partition]# tmctl lacpd_interface_stat -s name,port_num
name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
4.0 4096
5.0 5120
6.0 6144
7.0 7168
8.0 8192
9.0 9216
mgmt 43008
vlag 1024
If an aggregation interface hashes to the same port number as an Ethernet interface:
1. Delete the conflicting aggregation interface.
2a. Restart the lacpd containers
or
2b. Reboot the appliance, or for VELOS reboot each blade in the partition.
Fix:
Aggregation interface names will never impact ethernet interfaces in a LACP aggregation.
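The collision check described in the workaround for 1285969 can be automated. The following is an added example, not F5 code: it reads the two-column `tmctl lacpd_interface_stat -s name,port_num` table on standard input and reports every port_num shared by more than one name. The function names are hypothetical, and the sample input is the table shown above.

```shell
#!/bin/sh
# Added example (not F5 code): report port_num values shared by more than
# one name in `tmctl lacpd_interface_stat -s name,port_num` output.

# Constructed sample input: the table from the rSeries example above.
sample_lacpd_table() {
    cat <<'EOF'
name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
4.0 4096
5.0 5120
6.0 6144
7.0 7168
8.0 8192
9.0 9216
mgmt 43008
vlag 1024
EOF
}

# find_port_collisions (hypothetical name): reads the table on stdin and
# prints one line per shared port number, "<port_num> <name>,<name>...",
# in the order the port numbers first appear.
find_port_collisions() {
    awk '
        # Data rows have exactly two fields and a numeric port_num; this
        # also skips the header and the dashed rule under it.
        NF == 2 && $2 ~ /^[0-9]+$/ {
            if ($2 in names) {
                names[$2] = names[$2] "," $1
            } else {
                names[$2] = $1
                order[++n] = $2
            }
            count[$2]++
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (count[p] > 1) print p, names[p]
            }
        }
    '
}

# Demo on the constructed sample; prints: 1024 1.0,vlag
sample_lacpd_table | find_port_collisions
```

Any line of output names an aggregation interface that should be deleted and recreated under a different name, as the workaround describes.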
1282757 : On upgrade, systems might overwrite key due to automatic firmware updating
Links to More Info: K000133379, BT1282757
Component: F5OS-A
Symptoms:
When upgrading to a new version (such as 1.4.0), automatic firmware updates occur, and these interfere with the encryption key retrieval, causing a new key to be generated, which blocks api-service-gateway.
Conditions:
Upgrading to a new version where automatic firmware updates get started at boot-up.
Impact:
The api-service-gateway container does not come up and there is no communication with the tenant.
Workaround:
docker exec -it system_manager bash
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-key"
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-cert"
Fix:
A new encryption key is no longer generated unless the TPM module has none. The code will continue to retry retrieving the key until it succeeds or the ConfD timeout occurs (300 seconds).
1281861 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0
Links to More Info: BT1281861
Component: F5OS-A
Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".
Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.
Impact:
Tenants will not start and are unusable.
Workaround:
To work around this issue, perform one of these actions:
1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".
Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.
1281857-1 : Repeated disabling and enabling of link partner interface might result in datapath corruption
Component: F5OS-A
Symptoms:
Packets received on an interface are corrupted or lost after a link partner interface is repeatedly disabled and then enabled within relatively short windows of time.
Conditions:
A link partner interface is repeatedly disabled and then enabled within relatively short windows of time.
Impact:
Dataplane services on the given interface will be inoperable.
Workaround:
The product must be rebooted to recover.
Fix:
An FPGA firmware fix was implemented to add an additional clock to an internal component that served to isolate noise between the MAC and itself.
1281749-1 : Hashed/encrypted passwords are getting logged
Links to More Info: K000134922, BT1281749
1280365-3 : WebUI and shell admin access unavailable after upgrade to when one of the previously installed images is no longer present
Links to More Info: BT1280365
Component: F5OS-A
Symptoms:
1. WebUI or CLI inaccessible via admin account (that is, ConfD is not up):
[root@appliance-1(XXXXXXXXX) log]# su admin
Failed to connect to server
2. sw-mgmt.debug file will have a line similar to this one (with image version changing depending on which image is missing):
DEBUG: Source file /var/export/chassis/import/.mounts/iso/R2R4/1.1.1-9159/m3/*-services/F5OS*.img does not exist, removing from all_sw.
3. Containers stuck in ImagePullBackOff. For example, system_network container cannot be pulled, and the following error is observed in messages log:
appliance-1 dockerd-current: time="2023-03-24T15:09:26.631359235Z" level=error msg="Not continuing with pull after error: Error: image system_network:1.4.5-f5os-a-1-4-0-candidate.2023-02-14-15-09-15.S9b340f7e not found"
Conditions:
Both of the below conditions:
1. An ISO image has been ungracefully removed from the /var/import/staging folder. Examples of ungraceful removals:
-- Deleted via bash (after running chattr -i <image name>)
-- The image name had parentheses in it and, as per ID1273021, it was wiped out upon reboot.
2. /var/import/import.json file includes reference to removed image that is listed BEFORE the reference to currently used image.
Impact:
Device webUI is inaccessible. Cannot access ConfD. Root access is working.
Workaround:
Two workarounds:
1. Re-import the deleted image and reboot the box.
2. Remove the whole section that references the deleted image from import.json file and reboot the box.
Fix:
N/A
1273845-1 : Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration
Links to More Info: BT1273845
Component: F5OS-A
Symptoms:
Manually adding TLS Certificate & Key on webUI instead of storing through Self-Signed Certificate or removing Certificate & Key removes TLS configuration, which includes verify-client and verify-client-depth.
Conditions:
- When there is an existing Verify Client and Client Depth configuration, and user tries to remove TLS Certificate & Key on Certificate Management screen on webUI.
- When user fills the TLS Certificate & Key on Certificate Management screen on webUI.
Impact:
Verify Client and Client Depth configuration of Certificate Authentication will be changed to default values which disables verification of httpd client certificates.
Workaround:
- Remove or Add TLS Certificate & Key through CLI.
- While creating Self-Signed Certificate, set "Store TLS" field as true
- Re-add Verify Client and Client Depth after removing or manually adding TLS Certificate & Key.
1273445 : Downgrade/upgrade issues are seen because ISO has special characters in the file name★
Links to More Info: BT1273445
Component: F5OS-A
Symptoms:
If a F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , \') is imported onto the device, and the system is downgraded/upgraded with this ISO, it can result in the upgrade/downgrade failing.
Conditions:
1. Download and import an ISO with a 'special character' in its name (for example, F5OS-A-1.5.0-*.iso).
2. Attempt an upgrade/downgrade.
3. Upgrade/downgrade will fail.
Impact:
Upgrade/downgrade will fail, requiring manual intervention to recover the system.
Workaround:
1. Before performing a platform software upgrade, compare versions referenced by the "show system image" ConfD CLI command with the names of files present in the "/var/import/staging" directory.
If the ISO is not present in /var/import/staging but it is shown in "show system image" command output, then import it again to "/var/import/staging".
2. If there is any ISO file with a name containing a special character present in "/var/import/staging", remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt the upgrade.
3. To remove an ISO file with a name containing special characters, use the following command:
appliance-1(config)# system image remove iso <iso version>
4. In scenarios where the above command fails or cannot be used, follow the procedure below to delete the image.
* Log in to the device as root
* chattr -i "/var/import/staging/<iso with special characters>"
* rm -rf "/var/import/staging/<iso with special characters>"
In case downgrade or upgrade failure has already occurred due to this issue, follow these steps to recover the system:
1. Download another copy of the ISO with a proper name to /var/import/staging.
2. Wait for five minutes for it to import. If ConfD is unavailable, you can check the logs in /var/log/sw-mgmt.debug for import status.
3. Once the import is complete, reboot the system. This should recover the system.
Fix:
The fix is to delete the ISO with the special characters when it is being imported.
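A pre-upgrade check for workaround step 2 of 1273445, as an added example that is not F5 code: it lists every `.iso` file in a directory whose name contains one of the special characters enumerated in the symptoms above. The function names are hypothetical, the demo runs against a temporary directory with constructed file names, and on an appliance the directory would be /var/import/staging.

```shell
#!/bin/sh
# Added example (not F5 code): find ISO files whose names contain the
# special characters listed for ID 1273445: + * ? ^ $ ( ) [ ] { } | \

# iso_name_is_unsafe (hypothetical name): exit status 0 if the given file
# name contains any of the listed characters, 1 otherwise.
iso_name_is_unsafe() {
    case "$1" in
        *+*|*\**|*\?*|*^*|*\$*|*\(*|*\)*|*\[*|*\]*|*\{*|*\}*|*\|*|*\\*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# list_unsafe_isos (hypothetical name): print the base name of every *.iso
# file in directory $1 that iso_name_is_unsafe flags, one per line.
list_unsafe_isos() {
    dir=$1
    for path in "$dir"/*.iso; do
        # When nothing matches, the glob stays literal; skip it.
        [ -e "$path" ] || continue
        name=${path##*/}
        if iso_name_is_unsafe "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Demo with constructed file names in a scratch directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/F5OS-A-clean-name.iso"
: > "$demo_dir/F5OS-A-copy(1).iso"
list_unsafe_isos "$demo_dir"      # prints: F5OS-A-copy(1).iso
rm -rf "$demo_dir"
```

Each name printed identifies an image to remove and re-import under a clean name before attempting the upgrade.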
1273025-1 : Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption
Links to More Info: BT1273025
Component: F5OS-A
Symptoms:
Virt-handler pod is crashing upon downgrading from F5OS-A 1.4.0 to F5OS-A 1.3.2, and a tenant is stuck in pending state.
Conditions:
Configure TACACS server-group on a non-default port (that is, other than port 49) and downgrade from F5OS-A 1.4.0 to F5OS-A 1.3.2.
Impact:
Tenant becomes stuck in pending state.
Workaround:
Two workarounds:
1. Configure standard port (49) for the TACACS server instead of a non-standard port. Using the standard port should not trigger these issues. Releases older than F5OS-A 1.4.0 do not correctly support any port other than 49 for the TACACS server.
2. Fix SELinux policy on the appliance:
a. cp selinux module from /usr
cp /usr/etc/selinux/targeted/active/modules/400/f5_appliance to /etc/selinux/targeted/active/modules/400/f5_appliance
b. Reboot the device
reboot
Fix:
Enforce closure of non-standard port every time configuration is updated or system is shut down. This avoids leaving ports open for which SELinux may not have exceptions.
Note this does not address the non-standard port in older releases when downgrading. Non-standard ports for TACACS are still not properly supported in the older release.
1273021-1 : ISOs imported with regex special characters in their names are getting deleted★
Links to More Info: BT1273021
Component: F5OS-A
Symptoms:
When upgrading to an ISO that was imported with regex special characters in its name, the upgrade fails.
Conditions:
ISO imported with regex special characters present in /var/import/staging.
Impact:
Docker container services will not come up.
Workaround:
If ISO is deleted, or any ISO is present in /var/import/staging with special characters in its name, delete the ISO (if present) and re-import without special characters.
If containers are down, reboot the device for containers to come up.
Fix:
Import of ISO with special characters is blocked.
1273017-1 : LACPD restarts when changing aggregation lag-type through configuration utility webUI
Links to More Info: BT1273017
Component: F5OS-A
Symptoms:
The Link Aggregation Control Protocol Daemon (LACPD) will restart. An LACP aggregation's interface can be permanently down, restricting traffic from passing on that interface.
Conditions:
- An aggregation interface's lag-type is set to static through configuration utility.
Impact:
One or more physical interfaces associated with an LACP aggregation can be erroneously marked down indefinitely, causing either degraded performance, or complete traffic failure.
Performance degradation may not occur, but the LACPD process will always restart.
Workaround:
- Toggle any affected interface to disable and then back to enable.
- Toggle any affected aggregation interface to static and then back to LACP.
- Reboot the system.
Fix:
LACPD will not restart when an aggregation is configured to static through the configuration utility. A few warnings may be logged when this operation occurs. These warnings can be ignored if seen while changing an aggregation's lag-type through the configuration utility.
1269989-2 : tcam-manager may get stuck using 100% CPU
Links to More Info: BT1269989
Component: F5OS-A
Symptoms:
After running a QKView or tcam-dump by itself, tcam-manager does not clean up the diagnostic socket, which results in a tight loop and pegging the CPU at 100% utilization. This in turn starves other platform processes (such as dma-agent), which causes performance degradation.
Conditions:
A QKView or tcam-dump, which is included in QKView, is run.
Impact:
Performance degradation.
Workaround:
The issue can be avoided by not running QKView.
Fix:
After tcam-dump completes, the corresponding socket is properly removed.
1267253-2 : LDAP shadowExpire attribute not honored
Links to More Info: BT1267253
Component: F5OS-A
Symptoms:
When using LDAP authentication, usage of the shadowExpire and related attributes will not enforce expiration on the F5 device.
Conditions:
LDAP authentication is configured. LDAP shadowExpire, shadowMax, and related attributes are set such that the user should be expired.
Impact:
User with expired attributes can log into F5 device.
Workaround:
Either remove the user from groups with roles that allow access to the F5 device (for example, F5OS admin role gidNumber) or delete the user.
1253713-3 : CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png
Links to More Info: K000133070, BT1253713
1252377-2 : VXLAN-GPE and GENEVE are disabled by default when software is upgraded from F5OS-A 1.3.0 build to F5OS-A 1.4.0★
Links to More Info: BT1252377
Component: F5OS-A
Symptoms:
When r10000 or r5000 Series hardware is running with F5OS-A 1.3.0, the default settings for VXLAN-GPE and GENEVE are enabled, and hardware disaggregation support for these tunnel protocols is enabled without any explicit configuration.
If the software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0, these protocols will be disabled, and hardware disaggregation is disabled. These two protocols must be enabled explicitly in the configuration to enable them in the hardware.
Conditions:
If VXLAN-GPE and GENEVE tunnels are used in the deployment with F5OS-A 1.3.0 software version without any explicit enabled configuration for these two tunnels, and software upgraded to F5OS-A 1.4.0 or later.
Impact:
Hardware disaggregation support for VXLAN-GPE and GENEVE will be disabled if software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0 or later when these two tunnels are using default configuration to enable them.
Workaround:
Use explicit tunnel settings to enable VXLAN-GPE and GENEVE in F5OS-A 1.3.0, or enable these two protocols explicitly after software upgrade from F5OS-A 1.3.0.
Fix:
VXLAN-GPE and GENEVE are disabled in the default global configuration. Use explicit tunnel configuration settings to enable hardware disaggregation support.
1251981 : Speed on webUI Interfaces screen is empty for 1GB
Links to More Info: BT1251981
Component: F5OS-A
Symptoms:
When interface speed is 1GB, the speed column on this screen is blank. The Edit Interfaces screen has the same issue.
Conditions:
Interface speed is set to 1GB.
Impact:
Speed column will be blank, so user will not see the actual speed.
Workaround:
Use the F5OS CLI to view the interface speed when it is set to 1GB.
Fix:
Speed column is now populated correctly on the Interfaces screen.
1250901-2 : On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state
Links to More Info: BT1250901
Component: F5OS-A
Symptoms:
After a reboot of the system in live upgrade, tenants that were running earlier might not change to a running state. This is due to the HSM board driver stuck in SAFE_STATE instead of OPERATIONAL_STATE.
In some cases, the driver changes to an operational state after some amount of time (approximately 10 minutes). But this time might vary upon detection of reset/link failure in the hardware. In some other systems, the driver becomes stuck in SAFE_STATE indefinitely.
Conditions:
Live upgrade/reboot of the rSeries FIPS system with F5OS-A.
You may observe the following logs in dmesg:
[ 964.105021] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION
Impact:
Running tenants go to a pending state when this issue occurs in a live upgrade.
Workaround:
Check the contents of the cavium_n3fips driver_state file as shown below.
[appliance]# cat /proc/cavium_n3fips/driver_state
HSM 0:OPERATIONAL_STATE
If the driver changes to an operational state, perform "docker restart fips-support-pod" to help in recovering.
But if the driver state is still "HSM 0:SAFE_STATE", you may need to perform a power cycle reboot (but this will not guarantee recovery).
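The state check in this workaround can be scripted. The following is an added example, not F5 code: it polls a driver_state file for OPERATIONAL_STATE and prints the recovery step from the workaround rather than running it. The function names and the timeout and interval arguments are assumptions.

```shell
#!/bin/sh
# Added example (not F5 code): triage of the HSM driver state described above.

# Print the state token from a line such as "HSM 0:OPERATIONAL_STATE".
hsm_state() {
    sed -n 's/^HSM[[:space:]]*[0-9][0-9]*:[[:space:]]*\([A-Z_][A-Z_]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if saved dmesg output shows the driver resetting its firmware.
saw_firmware_reset() {
    grep -q 'liquidsec_pf_vf_driver .*RESETTING FIRMWARE' "$1"
}

# Poll STATE_FILE every INTERVAL seconds for up to TIMEOUT seconds.
# Prints the last state seen; returns 0 only for OPERATIONAL_STATE.
wait_for_operational() {
    state_file=$1
    timeout=$2
    interval=$3
    [ "$interval" -gt 0 ] || interval=1   # avoid a busy loop
    waited=0
    while :; do
        state=$(hsm_state "$state_file" 2>/dev/null)
        if [ "$state" = "OPERATIONAL_STATE" ]; then
            echo "$state"
            return 0
        fi
        if [ "$waited" -ge "$timeout" ]; then
            break
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "${state:-UNKNOWN}"
    return 1
}

# Map the observed state to the recovery step from the workaround.
# Prints advice only; it never restarts or reboots anything.
hsm_next_step() {
    if state=$(wait_for_operational "$1" "$2" "$3"); then
        echo "docker restart fips-support-pod"
    elif [ "$state" = "SAFE_STATE" ]; then
        echo "power cycle (recovery not guaranteed)"
        return 1
    else
        echo "driver state unreadable: $state"
        return 2
    fi
}

# Usage on the appliance (about 10 minutes, polled every 30 seconds):
#   hsm_next_step /proc/cavium_n3fips/driver_state 600 30
```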
Fix:
N/A
1249773-2 : QKView may fail to collect all files for platform-monitor container
Links to More Info: BT1249773
Component: F5OS-A
Symptoms:
Very occasionally, QKView will have a conflict collecting round-robin database (RRD) files in the platform monitor container. The qkview-collect routine may terminate unexpectedly as a result.
Conditions:
A QKView capture request coincides with a round-robin database update.
Impact:
RRD files may not be collected.
Workaround:
Rerun QKView.
Fix:
This will be fixed in a future release.
1239325 : Issue when Management IP address is configured to have public internet access on F5OS
Links to More Info: BT1239325
Component: F5OS-A
Symptoms:
The F5OS webUI allows web crawlers access to all content when the Management IP address is configured to have public internet access.
Conditions:
If the Management IP address is configured to have public internet access.
Impact:
This impedes the ability to satisfy internal security compliance mandates.
Workaround:
To mitigate the issue, you can manipulate the contents of the robots.txt file inside the webUI container as demonstrated below:
$ ssh root@10.238.160.60
root@10.238.160.60's password:
[root@appliance-1 ~]# docker exec -it vanquish-gui bash
[root@d6303361e100 /]# cd /app/build
[root@d6303361e100 build]# echo "User-agent: *" > robots.txt
[root@d6303361e100 build]# echo "Disallow: /" >> robots.txt
[root@d6303361e100 build]# cat robots.txt
User-agent: *
Disallow: /
[root@d6303361e100 build]# exit
exit
[root@appliance-1 ~]# exit
logout
Connection to 10.238.160.60 closed.
Fix:
Robots.txt now disallows web crawlers access to any content.
1236857-1 : F5OS OID SNMPv2-MIB::sysDescr provides meaningless information for system controller
Links to More Info: BT1236857
Component: F5OS-A
Symptoms:
After setting up snmpwalk on an older version and live upgrading to another version, snmpwalk still shows the older service version.
Conditions:
1. configure SNMP
2. upgrade system with live upgrade
3. check system version using SNMPv2-MIB::sysDescr (it will be pointing to older version)
example:
SNMPv2-MIB::sysDescr.0 = STRING: Linux 3.10.0-1160.62.1.F5.1.el7_8.x86_64 : Appliance services version <older_version>
Impact:
sysDescr displays the older version.
Workaround:
N/A
Fix:
This issue is fixed in the latest release.
1234049 : The Add/Edit tenant deployment screen on the r4600 webUI does not have the option for 12 vCPUs in the vCPUs dropdown
Links to More Info: BT1234049
Component: F5OS-A
Symptoms:
The vCPUs dropdown does not have 12 as an option in the Add/Edit tenant deployment screen on the r4600 webUI.
Conditions:
While adding or editing a tenant on the r4600 system via webUI.
Impact:
The user cannot add or edit a tenant with 12 vCPU cores on the webUI.
Workaround:
Users can add/edit a tenant with 12 vCPU cores from the CLI.
Fix:
The webUI will have an additional option for '12' in the vCPUs dropdown thus allowing the user to deploy a tenant with 12 vCPU cores.
1232369 : Intel Microcode update
Links to More Info: BT1232369
Component: F5OS-A
Symptoms:
Intel Microcode update was found to fix an internal regulator power issue. No workaround; requires BIOS update.
Conditions:
Intel Microcode earlier than 0d000389 in the BIOS.
Impact:
Unknown
Workaround:
Upgrade BIOS that includes the new microcode 0d000389 from Intel.
Fix:
BIOS version 2.01.134.1 has been updated from vendor with the updated microcode from Intel.
1232309 : CVE-2020-10754: nmcli did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings
Links to More Info: K000132761, BT1232309
1231357 : Unexpected reboot might occur on r5000/r10000 Series
Links to More Info: BT1231357
Component: F5OS-A
Symptoms:
An unexpected operating system reboot might occur on r5000/r10000 Series.
After the system reboots, in the /var/crash/ directory there will be a new directory created that is named with a timestamp corresponding to the reboot. In that new directory, a file vmcore-dmesg.txt is available with the following error message:
CPU 0: Machine Check Exception: 5 Bank 4: ba00000056000402
Conditions:
Unexpected system reboot.
Impact:
When the reboot occurs, the entire system will reboot and all tenants will stop processing traffic until the reboot is complete. The system will operate normally after the reboot.
Workaround:
None
Fix:
This issue has been corrected.
1230609 : Neighbor interface description is not updated in LLDP neighbor details
Links to More Info: BT1230609
Component: F5OS-A
Symptoms:
Port Description TLV is not displayed under LLDP interface neighbors.
Conditions:
1) enable LLDP on device and on switch
2) enable port description TLV
3) set port description on interface in switch side
Impact:
No impact.
Workaround:
N/A
Fix:
Fixed code to display port description.
1229465-3 : QKView is not collecting core files in /var/crash
Component: F5OS-A
Symptoms:
QKView was designed to collect core files in /var/core only. The operating system kernel can create core files in /var/crash. SEs need to know about these files.
Conditions:
OS kernel creates a core file.
Impact:
Core file not collected by QKView.
Workaround:
Core file can be manually copied from /var/crash.
Fix:
QKView takes a directory listing from /var/crash and collects core files in that directory.
1226505-2 : Average transactions per second impacted in certain cases
Links to More Info: BT1226505
Component: F5OS-A
Symptoms:
There is a reduction in http/https average transactions per second for some file sizes when ASM is configured on BIG-IP tenant on R2000 series.
Conditions:
BIG-IP config: virtual server with asm_rw policy attached to it; virtual server with profiles http, tcp, and websecurity attached to it (visual snippet is at the end of high level details).
CPU: 95-97%
simulated users: 1536
The traffic involved in testing ASM is close to real world traffic conditions.
Impact:
Reduction in average transactions per second when traffic is run for a specified duration with 1536 simulated users.
Impact is seen for http traffic specific to 32kb and 5kb file sizes.
Workaround:
N/A
Fix:
N/A
1226429 : "DEBUG cannot reply twice on the same call" log reporting repeatedly
Links to More Info: BT1226429
Component: F5OS-A
Symptoms:
When the snmpget operation is performed on IF-MIB, the message "DEBUG cannot reply twice on the same call" appears in /var/log/message. DEBUG is enabled in one of the service containers, so this DEBUG message is logged in /var/log/message.
Conditions:
One of the reproduction steps is to perform the snmpget operation on IF-MIB.
Impact:
No known impact on the functionality. They are DEBUG messages only.
Workaround:
No workaround. The debug messages stop when the snmpget operation is completed.
Fix:
Removed unwanted debug enable from the service container.
1225989-2 : TACACS users only able to access CLI, not webUI
Links to More Info: BT1225989
Component: F5OS-A
Symptoms:
A TACACS user with either admin or operator privilege is unable to log onto the webUI, but can get access through the CLI. This was found to be due to an internal file linking error.
Conditions:
Have a correctly configured TACACS authenticated user access the webUI.
Impact:
The login will not be successful, and an "Authentication failed" message will be displayed. The webUI will be inaccessible.
Workaround:
N/A
Fix:
The file link issue has been resolved, and the problem no longer exists.
1225981-1 : Files greater than 1000 MiB are truncated in QKView
Links to More Info: BT1225981
Component: F5OS-A
Symptoms:
QKView is unable to collect an untruncated platform.log file that has been rotated.
Conditions:
Rotated copy of the platform.log file is greater than 1000 MiB.
Impact:
Logs are not complete in QKView making it difficult to troubleshoot issues.
Workaround:
Collect the log files manually.
1217169-2 : Disk full: Latest ISO is not getting imported★
Component: F5OS-A
Symptoms:
Unable to import images because the /var/export/chassis LVM goes into read-only mode when usage of this LVM reaches more than 50%.
This LVM is created as VDO (virtual data optimizer) volume, twice the size of the physical partition size, so 50% of the LVM size is equal to 100% of the size of the underlying physical device (partition), on which this LVM is being created.
When the LVM usage reaches more than 50% of LVM size, the LVM metadata is corrupted, causing this issue.
Conditions:
The issue is seen when usage of the LVM /var/export/chassis reaches around 50% by importing more than 12 F5OS-A images on an rSeries low device.
Impact:
Not able to import images once the LVM /var/export/chassis goes to read-only mode.
Workaround:
The workaround is to remove older images from /var/export/chassis/import/iso/ using the command below before importing or copying new images.
appliance-1(config)# system image remove iso <old/unused iso version>
or
If it is not possible to delete the images using the above command, follow the steps below.
chattr -i /var/import/stagging/<old/unused iso>
rm -rf /var/import/stagging/<old/unused iso>
If the issue is seen (/var/import/stagging/ becomes read only), the only way to recover the system is to perform either a pxeboot or a USB install on the system.
1215917 : webUI failed to load when downgrading from 1.5.0 to 1.3.1 with self-signed certificate with encrypted RSA key type
Component: F5OS-A
Symptoms:
webUI fails to load.
Conditions:
The self-signed certificate is enabled with encrypted RSA/ECDSA, and the system is downgraded to a version lower than 1.5.0.
Impact:
webUI fails to load.
Workaround:
Remove the self-signed encrypted certificate before downgrading to lower versions.
Fix:
Added code changes to restrict the downgrade to lower versions if encrypted RSA/ECDSA certificate is available.
1211861 : Configured input values of IP address fields reset to default upon switching the protocol
Links to More Info: BT1211861
Component: F5OS-A
Symptoms:
IP address fields are reset to default values.
Conditions:
When the user changes the protocol and switches back to the previously selected protocol via the "Address" field on the webUI.
Impact:
Values of IP address fields are lost as they are reset to default values.
Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.
Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.
We have added 'X' buttons adjacent to the address fields that can be leveraged to put in default values in case the user does not want to configure the fields for a particular protocol.
1211777 : Configured input values of IP address fields reset to default upon switching the protocol
Links to More Info: BT1211777
Component: F5OS-A
Symptoms:
IP address fields are reset to default values.
Conditions:
When the user changes the protocol and switches back to the previously selected protocol via the "Address" field on the webUI.
Impact:
Values of IP address fields are lost as they are reset to default values.
Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.
Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.
We have added 'X' buttons adjacent to the address fields that can be leveraged to put in default values in case the user does not want to configure the fields for a particular protocol.
1211025 : Firmware update interrupted during OS install★
Links to More Info: BT1211025
Component: F5OS-A
Symptoms:
Firmware update can be interrupted by docker container issues.
Conditions:
Random container issue restarts all containers.
Impact:
If firmware is being updated in that moment, the firmware update will fail and it could cause problems to normal system operation.
Workaround:
Ask the support team to update the LOP firmware.
Fix:
The Docker container failure handling routine checks whether firmware is being updated and waits until the update is done before handling the failure.
1207485-1 : LACP daemon restarts when changing lag-type of the aggregation
Links to More Info: BT1207485
Component: F5OS-A
Symptoms:
LACP daemon restarts. The system will be unable to process LACPDUs until LACP daemon starts up again.
Conditions:
The issue occurs from changing the lag-type of an aggregation interface that does not have an associated LACP interface.
Impact:
All LACP link aggregations may go down and be unable to process traffic for a short time. The down time, if it occurs, should be less than a few seconds.
Workaround:
Only change an aggregation's lag-type while an associated LACP interface exists.
Fix:
LACP daemon will not restart when changing an aggregation's lag-type while an associated LACP interface does not exist.
1204481 : System may flap external links multiple times during startup or links may fail to come up at all
Links to More Info: K000132166, BT1204481
Component: F5OS-A
Symptoms:
When the system boots up, the interfaces may flap (go up and down) several times in quick succession before coming up and stabilizing.
In some cases, the interfaces fail to come up at all.
If a peer switch is configured to detect excessive link flaps, it may put the port in an err-disable state and prevent the link from coming up.
Conditions:
-- r5000 or r10000 Series appliance
Impact:
If the peer switch triggers a link-flap detection feature, the ports may remain offline until an administrator manually recovers the port on that switch.
Workaround:
There is no workaround for this issue on the rSeries appliance.
An administrator can mitigate this issue by doing one of the following:
- configuring the peer switch to automatically try to recover ports that are disabled for excessive link flapping
- increasing the number of link flaps required in a certain interval before the port is put in a disabled state
Fix:
Disable sending of remote-fault signaling to peer device while the system is booting up.
1190369 : Terminal window not reflecting configured hostname
Component: F5OS-A
Symptoms:
The title of the terminal window does not have the configured hostname.
Currently, all open windows with root login either from PuTTY or any application display as appliance-1.
Conditions:
Connecting to the device using ssh clients like PuTTY.
Impact:
This causes difficulty for a user trying to juggle multiple open SSH sessions during a maintenance window.
1188921-1 : tcpdump not working after upgrade
Links to More Info: BT1188921
Component: F5OS-A
Symptoms:
tcpdump fails with CLI error:
errbuf ERROR:DMAA error, packets cannot be captured
tcpdump: pcap_loop: DMAA error, packets cannot be captured
Error logged:
appliance-1 tcpdumpd-manager[8]: priority="Crit" version=1.0 msgid=0x5406000000000029 msg="DMAA socket failed:" comp="connect" errno=2.
Conditions:
System upgrade has failed to properly update the configuration file, which is responsible for starting tcpdumpd_manager.
Impact:
tcpdumpd_manager will not be able to start and packets cannot be captured. tcpdumpd_manager will continue to log this failure to the system log.
Workaround:
None
1188053 : SSH idle-timeout support
Component: F5OS-A
Symptoms:
There was no idle-timeout implemented for SSH session. The SSH session was not getting terminated even if it was idle for a long time.
Conditions:
There was no idle timeout for SSH session.
Impact:
The SSH session will not get terminated even if it is idle for a long time.
Workaround:
User must close the SSH session.
Fix:
Implemented SSH idle-timeout which is configurable from CLI/RESTCONF. The SSH session will now get terminated if it is idle for the configured idle-timeout. The default value is 0, which means no idle-timeout.
1185701-2 : 'system aaa' command in ConfD to fail with "Error: application communication failure"
Links to More Info: BT1185701
Component: F5OS-A
Symptoms:
System fails to change password and renders system in a degraded state where user management no longer works.
System fails to provide proper user feedback to the user about failed password changes.
Conditions:
This policy option is causing the problem:
system aaa password-policy config retries 5
Impact:
F5OS user password cannot be changed.
Workaround:
Do not change the configuration from default.
system aaa password-policy config retries 5
Fix:
N/A
1185497-3 : Tenant health in the partition shows additional entries that are not part of the tenant configuration
Links to More Info: BT1185497
Component: F5OS-A
Symptoms:
When the admin upgrades the system software from 1.3.x to 1.5.0, the platform updates the tenant's table with additional entries that are not running as part of the tenant's original configuration.
Conditions:
Power cycle or system software upgrades from 1.3.x to 1.5.0.
Impact:
There will not be any impact on the critical functionality of the tenant, and traffic continues to work. However, it does show some unwanted information in the health which could be confusing.
Workaround:
Toggling the affected tenant's running state from "Deployed" to "Provisioned" and back to "Deployed" will fix the state of the tenant in the table.
Fix:
During the power cycle/system upgrade, the platform re-populates the tenant oper status from Openshift and publishes it to Partition. If the REST response of the tenants from Openshift is incomplete, the platform is populating entries under the wrong key/value. As a result, the partition tenant's table ends up with some unwanted entries.
It is a cosmetic issue and will not impact any tenants.
1184821 : Obscure crash in external authenticator
Links to More Info: BT1184821
Component: F5OS-A
Symptoms:
An unexpected sequence of characters in the username or password of an external login could cause a crash in the external authenticator.
Conditions:
Certain malformed usernames or passwords being used for external authentication.
Impact:
The crash in these circumstances would prevent successful login. After analysis, it was deemed there was no security risk or exposure.
Workaround:
Use usernames and passwords for authentication via SSH or webUI that conform to the device username/password requirements.
Fix:
The bug was fixed and a crash no longer occurs.
1184429-1 : Specifying "operation not supported" as an iHealth QKView description or SR number will disable iHealth uploading
Links to More Info: BT1184429
Component: F5OS-A
Symptoms:
Communication with iHealth was scanned for the phrase "operation not supported" to indicate an error. Using this phrase as a description or as an SR case number triggers an error, preventing the ability to upload to iHealth.
Conditions:
The phrase "operation not supported" is used as an iHealth QKView description or SR number.
Impact:
Unable to upload iHealth through the iHealth upload service on the device.
Workaround:
Do not use the phrase "operation not supported" as a description or an SR case number when uploading to iHealth.
Fix:
Error checking now scans for the HTTP error code instead of scanning the text of the HTTP body.
1181721 : Add additional commands and files to QKView collection
Component: F5OS-A
Symptoms:
There is no change in functionality. The fix adds new commands and files to QKView collection.
Conditions:
Additional commands and files are added to the QKView collection and they will be collected whenever QKView is requested.
Impact:
Additional commands and files are added to the QKView collection.
Workaround:
Only new commands and files will not be collected as part of QKView collection. Old commands and files will get collected in QKView.
Fix:
Additional commands and files are added to the QKView collection.
1167761-2 : Directory indexing enabled for management webUI
Links to More Info: BT1167761
Component: F5OS-A
Symptoms:
Directory indexing is enabled for management webUI.
Conditions:
When the management IP is followed by the name of any directory that is contained in the webUI, the build directories and file contents are visible on the browser.
Impact:
The webUI build directories and file contents are visible on the browser.
Workaround:
None
Fix:
Disabled directory indexing.
1165973-2 : Application error while using the CLI command "show components"
Links to More Info: BT1165973
Component: F5OS-A
Symptoms:
The user receives an error message using the CLI (show components -> Error: application error) when there is a faulty sensor in the hardware.
Conditions:
When the system has the faulty sensor.
Impact:
Application error seen in the ConfD CLI while trying to execute "show components". The webUI is affected as well.
Workaround:
N/A
Fix:
We have added a check at diag-agent to not throw the application error; it will show data for the healthy components.
1137121-3 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0
Links to More Info: BT1137121
Component: F5OS-A
Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".
Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.
Impact:
Tenants will not start and are unusable.
Workaround:
To work around this issue, perform one of these actions:
1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".
Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.
1136597-3 : LDAP user with admin and operator role gets only operator permissions
Links to More Info: BT1136597
Component: F5OS-A
Symptoms:
An LDAP user configured with groups for both admin and operator roles only receives operator permissions.
Conditions:
LDAP user configured with gidNumber assignments for both admin and operator roles.
Impact:
A user with this config would be assigned only operator permissions.
Workaround:
Only configure the gidNumber for the desired role in LDAP for the user. Do not configure multiple roles for the same user.
Fix:
There was an error in the NACM rules for ConfD config. The role logic has been fixed.
Known Issues in F5OS-A v1.5.x
F5OS-A Issues
ID Number | Severity | Links to More Info | Description |
1292541 | 1-Blocking | Loading saved configuration on BIG-IP fails if host modifications are made after "tmsh save sys config" on R2800/R4800 platforms | |
1291353-1 | 1-Blocking | LCD application does not update if appliance is power-cycled during firmware update | |
1289929-1 | 1-Blocking | BT1289929 | Tenants fail to come up due to abrupt power cycle |
1288965-1 | 1-Blocking | Downgrade/upgrade issues are seen because ISO has special characters in the file name★ | |
1282493-1 | 1-Blocking | Crypto devices are not released after tenants are deleted | |
1273013-2 | 1-Blocking | Five percent (5%) deviation can be observed in TPS performance on R10920 and R5920 tenant | |
1249873-3 | 1-Blocking | sPVA hardware offload not working correctly on r10k | |
1211853-5 | 1-Blocking | Hardware offload features may affect packets destined for unrelated tenants | |
1184441-2 | 1-Blocking | VXLAN-GPE and GENEVE tunnel support | |
1328405-2 | 2-Critical | BT1328405 | F5OS system stopped generating tmstat snapshots |
1298329-2 | 2-Critical | Tcpdump capture fails | |
1291461-2 | 2-Critical | LCD shutdown does not work on r2800 and r4800 platforms | |
1285997-4 | 2-Critical | LLDP is allowed to configure on interfaces when virtual wire is enabled | |
1273221-2 | 2-Critical | BT1273221 | On rSeries FIPS system, operations which involve reboot, might result in FIPS device failure state |
1267201-1 | 2-Critical | BT1267201 | "Unexpected response back from API" error message when deleting ISO |
1204433-2 | 2-Critical | BT1204433 | "Appliance-mode" flag in license should not be used to enable appliance-mode |
1188105-1 | 2-Critical | BT1188105 | K3SClusterUpgrade status shown as Done before cluster pods running up on appliance |
1186597-1 | 2-Critical | BT1186597 | K3S install status in f5OS ConfD is improved |
1144005-2 | 2-Critical | BT1144005 | TPS drop of ~14% from F5OS-A 1.1.0 and later on r10000 series platforms |
1099069-2 | 2-Critical | BT1099069 | Issues with pulling files from VELOS partition using SCP |
1330273-2 | 3-Major | When MAC masquerade is enabled on r5k/r10k/r12k systems with a live upgrade, an FDB entry is seen on Active and Standby | |
1329161-3 | 3-Major | In non-FIPS mode, added support for the SSH-RSA host key algorithm | |
1315261 | 3-Major | QAT devices not populated in ConfD | |
1306649-1 | 3-Major | Rapid removal and re-insertion of 10G optics may result in link failure | |
1306197-1 | 3-Major | The "show system image" command is taking more time than expected to display the output | |
1305909 | 3-Major | BT1305909 | iHealth upload not supported on F5OS-A |
1291421-1 | 3-Major | Cannot set local user password if LDAP user with same name exists | |
1291305-1 | 3-Major | LACP Mode is passive for a static trunk in tenants running r2800/r4800 platforms | |
1289633-2 | 3-Major | FIPS devices show incorrect vCPUs | |
1288897-1 | 3-Major | BT1288897 | Allowed IP rule name, which contains all underscores, will be deleted while upgrading to F5OS-A 1.7.0 and later versions |
1280441-1 | 3-Major | BT1280441 | When no parameter is given for 'system aaa tls create-self-signed-cert', encrypted key-type does not ask for passphrase |
1231889-2 | 3-Major | BT1231889 | Deleting default VLANs and creating them in a partition other than common partition is not supported on BIG-IP tenants running on R2800/R4800 platforms |
1211233 | 3-Major | BT1211233 | F5OS dashboard in webUI displays the system root file system usage, not the entire disk |
1127393-3 | 3-Major | Error message is not displayed when user configures more than 3 DNS servers in ConfD CLI or webUI | |
1184513-1 | 4-Minor | BT1184513 | F5OS audit log reports duration values in microseconds, using "ms" abbreviation |
Known Issue details for F5OS-A v1.5.x
1330273-2 : When MAC masquerade is enabled on r5k/r10k/r12k systems with a live upgrade, an FDB entry is seen on Active and Standby
Component: F5OS-A
Symptoms:
When a MAC masquerade address is configured on BIG-IP in R5K/R10K/R12K based systems and a live upgrade of F5OS is done, an FDB entry can be seen in both Active F5OS appliance as well as Standby:
f5-appliance-active# show fdb
NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:cd:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
f5-appliance-standby# show fdb
NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:ee:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -
Conditions:
On r5k/r10k/r12k systems where BIG-IP is configured in HA mode, a MAC masquerade address is configured, and F5OS is upgraded.
Impact:
Active and Standby act as if they are the owners of Floating MAC and IP.
Workaround:
On the Standby system, remove the FDB entry from ConfD.
f5-appliance-standby# show fdb
NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:cd:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
f5-appliance-standby(config)# no fdb mac-table entries entry 02:94:a1:ab:cd:ee 3920 tag_type_vid
f5-appliance-standby(config)# comm
Commit complete.
f5-appliance-standby# show fdb
NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:ee:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -
1329161-3 : In non-FIPS mode, added support for the SSH-RSA host key algorithm
Component: F5OS-A
Symptoms:
Not able to establish an SSH connection using the SSH-RSA host key algorithm in non-FIPS mode.
Conditions:
Connect to the device from the SSH client using the SSH-RSA host key algorithm in non-FIPS mode.
Impact:
The SSH connection to the device could not be established.
Workaround:
None
1328405-2 : F5OS system stopped generating tmstat snapshots
Links to More Info: BT1328405
Component: F5OS-A
Symptoms:
The F5OS system is not generating the tmstat snapshots, which help in diagnosing issues.
Conditions:
System is running an affected version of F5OS software (F5OS-A 1.2.0 and above, or F5OS-C 1.6.0 and above).
Impact:
Impacts the supportability of the device; the support teams usually rely on the snapshots while working on field issues.
1315261 : QAT devices not populated in ConfD
Component: F5OS-A
Symptoms:
When the tenants are deployed before a live upgrade, sometimes the tenant's QAT devices are not updated in the ConfD table after the upgrade. Hence the show command to list QAT devices does not display the devices. All other functionality is intact.
Conditions:
Tenant is deployed before a live upgrade.
Impact:
The below ConfD show command does not display the QAT devices allocated to the tenant.
show cluster nodes node node-1 state cryptos tenants tenant
1306649-1 : Rapid removal and re-insertion of 10G optics may result in link failure
Component: F5OS-A
Symptoms:
An interface link remains down.
Conditions:
Removing and re-insertion of the SFP module within a few seconds.
Impact:
Interface link remains down.
Workaround:
There are two workarounds:
1. After removing the SFP module, wait for 2 to 3 minutes before re-inserting the SFP module. This may not work 100% of the time.
2. Reboot the appliance.
1306197-1 : The "show system image" command is taking more time than expected to display the output
Component: F5OS-A
Symptoms:
The "show system image" command is taking more time than expected to display the output.
Conditions:
Execute the "show system image" command. Check for the CLI output.
Impact:
Degraded user experience when executing the "show system image" command.
1305909 : iHealth upload not supported on F5OS-A
Links to More Info: BT1305909
Component: F5OS-A
Symptoms:
The iHealth upload service has changed its authentication scheme to OKTA, and requires a client ID and client secret rather than a user ID and password. Version 1.5.1 (and previous versions) of F5OS-A do not support this authentication scheme.
Conditions:
Always
Impact:
Users will not be able to directly upload QKView files to iHealth from the appliance.
Workaround:
1. Use the file export feature to download the QKView from the appliance to a local PC.
2. Sign on to ihealth.f5.com.
3. Use the upload feature to upload the QKView to the iHealth service.
1298329-2 : Tcpdump capture fails
Component: F5OS-A
Symptoms:
SELinux shared label set by identifier container for the common path shared across all the containers. This issue started when node-agent container was introduced without dependency.
The system repeatedly logs this message to the platform log:
tcpdumpd-manager[8]: priority="Crit" version=1.0 msgid=0x5406000000000018 msg="[] global_dmaa_comm init_comm failed ret:" this=0x17c6b50 ret=3.
Conditions:
This issue seems to occur when downgrading a system to an affected version.
Impact:
Tcpdump capture fails.
Workaround:
This issue can be resolved by doing the following:
1. Log into the system as root
2. Edit /var/docker/config/platform.yml
3. Locate the configuration for 'tcpdumpd-manager', and replace the volume that reads:
- /var/F5/system:/var/tcpdump
with:
- /var/F5/system:/var/tcpdump:z
4. Save the file
5. Reboot the appliance
1292541 : Loading saved configuration on BIG-IP fails if host modifications are made after "tmsh save sys config" on R2800/R4800 platforms
Component: F5OS-A
Symptoms:
Loading a saved configuration on a BIG-IP tenant running on R2800/R4800 fails when the host has a different configuration compared to what is being loaded on the tenant.
Fails with an error message similar to below:
01070257:3: Requested VLAN member (1.5) is currently a trunk member
Unexpected Error: Loading configuration process failed.
Conditions:
-- rSeries 4x00 or R2x00 platform
-- Configuration is backed up using tmsh
-- A change is made to one or more VLANs, interfaces, trunks, or type of VLANs on the host
-- The BIG-IP system loads the configuration
Impact:
Configuration load fails, which puts TMM into an inoperative state.
Workaround:
When tenant is in inoperative state because of this issue, the steps below help in recovering the system:
1. Revert the configuration on the platform related to VLANs attached to the tenant moved to INOPERATIVE state.
2. Check if reverted configuration is loaded in tenant.
3. Restart the mcpd service or reboot the tenant to bring the tenant back to active state.
4. Once the tenant is back in active state, save the config using "save sys config".
5. Subsequent reboots will no longer put the tenant into INOPERATIVE state.
1291461-2 : LCD shutdown does not work on r2800 and r4800 platforms
Component: F5OS-A
Symptoms:
In F5OS-A versions 1.4.0 and later, the button on the LCD menu that is used to shut down the system, when pressed, does not shut down the system.
Conditions:
With F5OS-A 1.4.0 or later installed, from the LCD touchscreen, click the System button. Select Shutdown from the menu. Click the Shutdown button at the 'Shutdown the system?' prompt.
Impact:
The LCD touchscreen is lacking functionality the customer is expecting it to have.
Workaround:
In an external terminal, connect to the unit's AOM. Select P for "Power on/off host subsystem", and then 0 for "Turn host subsystem off". Or, if the system is off, select 1 for "Turn host subsystem on".
1291421-1 : Cannot set local user password if LDAP user with same name exists
Component: F5OS-A
Symptoms:
When LDAP authentication is enabled and a user exists both on the local device and in the LDAP directory, changing the local user password may fail.
Conditions:
LDAP authentication is enabled. User in question exists both on the local device and in the LDAP directory.
Impact:
Cannot change local user password.
Workaround:
It is generally considered best practice to prevent username collisions between the local device and remote authentication server. Either create a new username on the local device for the user in question, or change the name of the user in the remote directory, so there is no collision.
1291353-1 : LCD application does not update if appliance is power-cycled during firmware update
Component: F5OS-A
Symptoms:
After an OS update, an automatic firmware update runs and attempts to update all necessary firmware images. If the appliance is power-cycled or rebooted while the LCD application is being updated, the LCD update can fail and the system will report the old firmware version.
Conditions:
The OS is updated and an LCD firmware update is required. During that update, the appliance is rebooted or power-cycled, causing the LCD application update not to complete.
Impact:
The LCD application has not been updated and needs to be updated to get the latest features and bug fixes.
Workaround:
After verifying that the automatic firmware update process is complete, wait at least 5 minutes, look at the file /var/F5/system/AFU_COMPLETE, look for "AFU_STATUS: FWU_DONE", restart the system allowing automatic firmware to restart, and reprogram the LCD.
1291305-1 : LACP Mode is passive for a static trunk in tenants running r2800/r4800 platforms
Component: F5OS-A
Symptoms:
LACP Mode set to active or passive mode causes a LAG to participate in negotiation, whereas a static LAG configuration does not participate in negotiation. Hence LACP mode does not make sense for static LAG interfaces.
Conditions:
When a static LAG is created on a platform, and a tenant is launched with a VLAN to which the static LAG interface is associated.
Impact:
An LACPd daemon is running on R2800/R4800 platforms which is responsible for running the LACP protocol; the tenant is not dependent on LACP mode configurations and hence there will not be any impact. This is more of a display issue: showing LACP mode as passive for a static LAG interface can be confusing.
Workaround:
There is no workaround for this behavior.
1289929-1 : Tenants fail to come up due to abrupt power cycle
Links to More Info: BT1289929
Component: F5OS-A
Symptoms:
The helper task terminates instantly due to glibc rpm corruption. The abrupt reboot has caused corruption in the container DB.
Conditions:
Abrupt power cycle during AFU Update.
Impact:
Tenant.
Workaround:
Uninstall and reinstall the K3S cluster.
1289633-2 : FIPS devices show incorrect vCPUs
Component: F5OS-A
Symptoms:
1. The Dashboard System Summary shows 36 vCPUs rather than the actual number of vCPUs available for Tenant Deployment.
2. The Add/Edit Tenant deployments screen allows selecting up to 36 vCPUs instead of the maximum vCPUs that the platform supports.
Conditions:
FIPS device.
Impact:
No functional impact.
Workaround:
Users can view the correct value for total vCPUs for tenant deployment on the device from the CLI using the following command:
"show cluster nodes node node-1 state node-info"
1288965-1 : Downgrade/upgrade issues are seen because ISO has special characters in the file name★
Component: F5OS-A
Symptoms:
If an F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , \') is imported, and the system is downgraded/upgraded to that version, it can result in the upgrade failing and the ISO being automatically removed.
Conditions:
1. Download and import an ISO with a 'special character' in its name, ex. 'F5OS-A-1.5.0-*.iso'.
2. Attempt an upgrade to the imported ISO version.
3. Upgrade will fail.
Impact:
An upgrade to a version of software marked as successfully imported can fail unexpectedly, requiring manual intervention to recover the system.
Workaround:
1. Before performing a platform software upgrade, compare versions referenced by the "show system image" ConfD CLI command with the names of files present in the "/var/import/staging" directory.
If the ISO is not present in /var/import/staging but is shown in the "show system image" command output, import it again to "/var/import/staging".
2. If any ISO file with a name containing a special character is present in "/var/import/staging", remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt the upgrade.
3. To remove an ISO file with a name containing special characters, use the command below.
appliance-1(config)# system image remove iso <iso version>
4. If the above command fails or cannot be used, follow the procedure below to delete the image.
* Log in to the device as root.
* chattr -i "/var/import/staging/<iso with special characters>"
* rm -rf "/var/import/staging/<iso with special characters>"
If a downgrade or upgrade failure has already happened because of this issue, follow these steps to recover the system:
1. Download another copy of the ISO with a proper name to /var/import/staging.
2. Wait five minutes for it to import. If ConfD is unavailable, you can check the logs in /var/log/sw-mgmt.debug for import status.
3. Once the import is complete, reboot the system. This should recover the system.
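The staging-directory check from workaround step 2, as an added example that is not part of the F5 release notes: it lists ISO files whose names contain any of the characters named in the Symptoms. The function names and the sample file names are constructed; on an appliance the directory to check would be /var/import/staging.

```shell
#!/bin/sh
# Added example: find ISO names containing the characters listed for ID 1288965:
#   + * ? ^ $ ( ) [ ] { } | \

# has_special_chars NAME: exit status 0 when NAME contains a listed character.
has_special_chars() {
    # Inside a bracket expression these characters are literal; the leading
    # ']' is how a closing bracket is included in the set.
    printf '%s\n' "$1" | LC_ALL=C grep -q '[][+*?^$(){}|\\]'
}

# list_bad_isos DIR: print the name of each *.iso in DIR that needs to be
# removed and re-imported under a clean name.
list_bad_isos() {
    for path in "$1"/*.iso; do
        [ -e "$path" ] || continue   # the glob matched nothing
        name=${path##*/}
        if has_special_chars "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# count_bad_isos DIR: number of offending names (0 means the directory is clean).
count_bad_isos() {
    list_bad_isos "$1" | wc -l | tr -d ' '
}

# Constructed sample standing in for /var/import/staging (names are made up).
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
: > "$sample/F5OS-A-1.5.0-example.iso"
: > "$sample/F5OS-A-1.5.0-example(1).iso"
: > "$sample/F5OS-A-1.5.0-example+fix.iso"

echo "ISO names to remove and re-import: $(count_bad_isos "$sample")"
list_bad_isos "$sample"
```

Names such as "example(1).iso" are what a browser typically produces when the same file is downloaded twice, so a duplicate download is an easy way to end up with an affected name.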
1288897-1 : Allowed IP rule name, which contains all underscores, will be deleted while upgrading to F5OS-A 1.7.0 and later versions
Links to More Info: BT1288897
Component: F5OS-A
Symptoms:
Customers are able to create an allowed-ip rule with a name consisting entirely of underscores, hyphens or dots, which is not readable.
Conditions:
Creating an allowed-ip rule with a name that contains only allowed special characters.
Impact:
Created allowed-ip rule, with a name containing only underscores, hyphens or dots, will be deleted during upgrade.
Workaround:
Customers must rename any allowed-ip rule whose name consists entirely of special characters to a name containing at least one alphanumeric character before upgrading to F5OS-A 1.7.0 or later versions.
1285997-4 : LLDP is allowed to configure on interfaces when virtual wire is enabled
Component: F5OS-A
Symptoms:
LLDP is allowed to configure on interfaces although virtual wire is enabled.
Conditions:
1) Enable virtual wire on interface.
2) Attach interfaces to a lag.
3) Enable LLDP on the interfaces.
Impact:
When virtual wire is enabled, BIG-IP will function in transparent mode and is not expected to see interfaces on either side.
With this issue, F5 interfaces will be visible when LLDP is enabled.
Workaround:
Do not configure LLDP on the interfaces when virtual wire is enabled.
1282493-1 : Crypto devices are not released after tenants are deleted
Component: F5OS-A
Symptoms:
Deleting the tenants does not release the crypto devices that were allocated to those tenants while creating them.
Conditions:
When a software upgrade was initiated incorrectly such as:
1. Upgrading only OS version
2. Upgrading only Service version
Impact:
Crypto devices behavior will be unexpected.
Workaround:
Always upgrade the software with ISO that contains the correct OS and services combination.
1280441-1 : When no parameter is given for 'system aaa tls create-self-signed-cert', encrypted key-type does not ask for passphrase
Links to More Info: BT1280441
Component: F5OS-A
Symptoms:
When requesting a self-signed-cert, if the key-type is encrypted, then a passphrase is required. However, if no parameters are supplied, the key-type is then requested as a mandatory parameter, but won't ask for passphrase if encrypted type is selected.
Conditions:
No parameters passed to the config: system aaa tls create-self-signed-cert.
Impact:
An error indicates that the passphrase wasn't supplied, but it never was asked for in these conditions.
Workaround:
Specify key-type as a parameter and then if encrypted, the passphrase will be requested.
1273221-2 : On rSeries FIPS system, operations which involve reboot, might result in FIPS device failure state
Links to More Info: BT1273221
Component: F5OS-A
Symptoms:
After a reboot of the F5OS-A rSeries system during any operation (for example, live upgrade, reboot), the FIPS HSM card might not become operational, and tenants that were running earlier might not come into a running state. This is due to a handshake failure between the liquid security driver and the HSM card. The driver gets stuck in SAFE_STATE instead of coming into SECURE_OPERATIONAL_STATE.
The driver state can be checked with the below command on the host system.
[root@appliance-1 ~]# cat /proc/cavium_n3fips/driver_state
HSM 0:SECURE_OPERATIONAL_STATE
[root@appliance-1 ~]#
Conditions:
The issue might occur in a live software upgrade or any situation that involves a reboot of the rSeries FIPS system with F5OS-A.
The below logs will be observed in dmesg repeatedly for every retry of the handshake between the driver and the HSM card.
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION
Impact:
The FIPS HSM is not operational in the system, so FIPS tenants deployed on the F5OS rSeries host do not work as expected. They do not change to a RUNNING state.
Workaround:
As the driver is stuck in "HSM 0:SAFE_STATE", a power reboot will resolve the issue.
Below are the steps to follow:
1. Power off
2. Wait for 5 minutes
3. Power on
1273013-2 : Five percent (5%) deviation can be observed in TPS performance on R10920 and R5920 tenant
Component: F5OS-A
Symptoms:
On R10920 and R5920 tenants, the TPS performance degradation may be observed up to 5%.
Conditions:
When the R10920 and R5920 tenant is deployed.
Impact:
TPS performance may be degraded by 5%.
Workaround:
N/A
1267201-1 : "Unexpected response back from API" error message when deleting ISO
Links to More Info: BT1267201
Component: F5OS-A
Symptoms:
When there are two patch builds using one base version (for example, two imported ISOs such as 1.3.2 and 1.3.1), 1.3.1 cannot be deleted while the system is running on 1.3.2; 1.3.2 and 1.3.1 are dependent on 1.3.0 but not on each other.
Removing the 1.3.1 ISO returns the error message: "Unexpected response back from API"
Conditions:
When there are two patch builds using one base version, for example, if there are two ISOs imported, such as 1.3.2 and 1.3.1.
Impact:
Unable to remove the inactive ISO to free space for importing new ISOs.
Workaround:
The ISOs can be deleted manually by running chattr -i ISOfile and then deleting the file.
1249873-3 : sPVA hardware offload not working correctly on r10k
Component: F5OS-A
Symptoms:
The DOS attack traffic is distributed unevenly on different TMMs, and some DOS attack traffic is not handed off to hardware due to a misconfigured DOS group.
Conditions:
Any DOS vector traffic going through the r10k device
Impact:
Reduced performance for DOS attack and hardware offload is not active.
Workaround:
No workaround exists for older F5OS releases. Upgrade to F5OS-A 1.6.0 or a later F5OS version.
1231889-2 : Deleting default VLANs and creating them in a partition other than common partition is not supported on BIG-IP tenants running on R2800/R4800 platforms
Links to More Info: BT1231889
Component: F5OS-A
Symptoms:
VLANs created upon BIG-IP tenant bring-up are considered to be default VLANs and they are not supposed to be deleted and created in a different partition other than the common partition. When a VLAN that is in the common partition is deleted and created in a different partition, the subsequent default VLANs will not have a default VLAN-member associated to it.
Conditions:
When VLANs created upon tenant bring-up are deleted and created in different partitions other than the common partition.
Impact:
Partitions other than the common partition cannot have default VLANs. VLANs created in other partitions will not be operational in the data path.
Workaround:
After moving a VLAN from the common partition to another partition, create the VLAN-member for the default VLANs pushed from the platform.
1211853-5 : Hardware offload features may affect packets destined for unrelated tenants
Component: F5OS-A
Symptoms:
When a tenant requests that hardware assist be enabled for an L4 connection, syn cookie protection, DDoS protection, or allowlist/denylist, it is possible that packets destined for other tenants on the same VLAN will be affected by the hardware assist entry.
Conditions:
Hardware assist must have been activated for a specific flow or DDoS profile, and packets must be present for unrelated tenants that are on the same VLAN and contain the same IP destination and/or IP source address as the hardware assist activation.
Impact:
Packets destined for unrelated tenants may receive unexpected handling as a result of hardware assist matching those packets. For example, packets for an unrelated tenant on the same VLAN might be unexpectedly dropped if they have the same IP destination address as the activated DDoS hardware assist.
Workaround:
Ensure that tenants all use unique VLANs or that tenants that share a VLAN use unique IP source/destination addresses for their traffic.
1211233 : F5OS dashboard in webUI displays the system root file system usage, not the entire disk
Links to More Info: BT1211233
Component: F5OS-A
Symptoms:
The Dashboard page displays disk usage information that can be misleading.
For example, on an r5900 the following information may be shown:
Storage Capacity: 109.4GB
System Storage Free: 89.1GB
System Storage Used: 15%
However, the storage capacity is a value taken from the root (/) filesystem. It does not represent the entire 800GB disk, and does not show information about the file systems where tenant images reside.
Conditions:
View Dashboard page in webUI.
Impact:
This is a cosmetic issue.
Workaround:
Linux commands such as "df -hl -t ext4" will provide detailed information about disk usage.
Another breakdown of the disk partition use can also be seen using "lsblk /dev/nvme0n1". Note that nvme0n1 is the physical disk of interest.
Example from rSeries appliance:
# lsblk /dev/nvme0n1
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1 259:0 0 683.5G 0 disk
|-nvme0n1p1 259:1 0 1G 0 part /boot/efi
|-nvme0n1p2 259:2 0 1G 0 part /boot
|-nvme0n1p3 259:3 0 455.3G 0 part
| `-partition_tenant-root 253:2 0 455.3G 0 lvm /var/F5/system/cbip-disks
|-nvme0n1p4 259:4 0 113.9G 0 part
| `-vdo_vol 253:3 0 227.7G 0 vdo
| `-partition_image-export_chassis 253:4 0 227.7G 0 lvm /var/export/chassis
1204433-2 : "Appliance-mode" flag in license should not be used to enable appliance-mode
Links to More Info: BT1204433
Component: F5OS-A
Symptoms:
Appliance-mode enabled using license will not get reflected in "show tenants" CLI.
Conditions:
The issue is seen when "appliance-mode" is enabled through license.
Impact:
Appliance-mode enabled using license will not get reflected in "show tenants" CLI.
Workaround:
Appliance-mode can be configured from CLI.
1188105-1 : K3SClusterUpgrade status shown as Done before cluster pods running up on appliance
Links to More Info: BT1188105
Component: F5OS-A
Symptoms:
When an appliance upgrades K3S (Lightweight Kubernetes) to a newer version, the K3S Cluster Upgrade status goes to the Done state before the cluster pods are up and running.
Conditions:
When Upgrade of K3S cluster gets triggered, the cluster upgrade status gets updated in ConfD before bringing cluster pods up.
Impact:
No functional impact. But the information published can be misleading.
Workaround:
Along with the K3SClusterUpgrade status, also check the cluster pods status to see if the cluster came up properly.
1186597-1 : K3S install status in f5OS ConfD is improved
Links to More Info: BT1186597
Component: F5OS-A
Symptoms:
K3S install status is not showing the actual cluster install status.
Conditions:
The issue is seen during Cluster deployment.
Impact:
Actual K3S install status is not reflected in "show cluster install-status" CLI.
Workaround:
"kubectl get pods -A" can be used to check the pod status.
1184513-1 : F5OS audit log reports duration values in microseconds, using "ms" abbreviation
Links to More Info: BT1184513
Component: F5OS-A
Symptoms:
The F5OS audit log reports the duration of some calls that occur through RESTCONF. These duration values use an "ms" unit, which in this case stands for microseconds, not milliseconds.
For example:
<INFO> 23-Aug-2022::18:28:00.602 appliance-1 confd[106]: audit user: netsupport/7502531 RESTCONF: response with http: HTTP/1.1 /restconf/data//openconfig-system:system/f5-system-image:image/remove 400 duration 122160290 ms
This operation took ~122 seconds, not ~1.4 days.
Conditions:
Using the F5OS audit log.
Impact:
Difficult to interpret audit log.
Workaround:
Interpret the duration values as being in microseconds, not milliseconds.
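An added example (not F5 code) that applies this workaround to audit log lines: it extracts the duration of each RESTCONF response and prints it in seconds, reading the logged "ms" value as microseconds. The function names, the 60-second threshold and every sample line except the first, which is the one quoted above, are constructed.

```shell
#!/bin/sh
# Added example: report RESTCONF call durations from the audit log in seconds,
# reading the logged "ms" figure as microseconds (ID 1184513).

# restconf_durations [LIMIT_SECONDS] < audit.log
# Output per RESTCONF response line: "seconds status user path", with " SLOW"
# appended when the call took LIMIT_SECONDS (default 60) or longer.
restconf_durations() {
    awk -v limit="${1:-60}" '
        / RESTCONF: response / {
            user = ""; us = ""; status = ""; path = ""
            for (i = 1; i < NF; i++) {
                if ($i == "user:") user = $(i + 1)
                if (i > 2 && $i == "duration" && $(i + 2) == "ms") {
                    us = $(i + 1); status = $(i - 1); path = $(i - 2)
                }
            }
            if (us !~ /^[0-9]+$/) next     # no usable duration field
            secs = us / 1000000            # microseconds to seconds
            printf "%.3f %s %s %s%s\n", secs, status, user, path,
                   (secs >= limit ? " SLOW" : "")
        }'
}

# Sample input: the first line is the one quoted in the release note; the other
# two are constructed for this example.
sample_audit_log() {
    cat <<'EOF'
<INFO> 23-Aug-2022::18:28:00.602 appliance-1 confd[106]: audit user: netsupport/7502531 RESTCONF: response with http: HTTP/1.1 /restconf/data//openconfig-system:system/f5-system-image:image/remove 400 duration 122160290 ms
<INFO> 23-Aug-2022::18:30:12.114 appliance-1 confd[106]: audit user: admin/7502540 RESTCONF: response with http: HTTP/1.1 /restconf/data/example:constructed-path 200 duration 48211 ms
<INFO> 23-Aug-2022::18:30:15.009 appliance-1 confd[106]: audit user: admin/7502540 constructed non-RESTCONF entry
EOF
}

sample_audit_log | restconf_durations 60
```

Any alerting or reporting rule that thresholds on this field needs the same conversion, otherwise every duration is overstated by a factor of 1000.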
1184441-2 : VXLAN-GPE and GENEVE tunnel support
Component: F5OS-A
Symptoms:
VXLAN-GPE and GENEVE tunnel support can cause host-generated UDP frames with destination ports matching system configured destination ports for VXLAN-GPE or GENEVE to be treated as VXLAN-GPE or GENEVE traffic even if the underlying frame is not VXLAN-GPE or GENEVE. Frames fitting this characteristic may have a bad UDP checksum forced onto the frame if frame fails basic VXLAN-GPE or GENEVE protocol checks.
Conditions:
Administrator configures VXLAN-GPE and/or GENEVE tunnel support.
Impact:
Minimal.
Workaround:
Tunnels are disabled by default. This issue is only observed if tunnels are enabled.
1144005-2 : TPS drop of ~14% from F5OS-A 1.1.0 and later on r10000 series platforms
Links to More Info: BT1144005
Component: F5OS-A
Symptoms:
A TPS drop of approximately 12-14% was observed when running 512KB L7 HTTP tests on r10000 series platforms.
Increased CPU usage, larger tcp_lro receive packet sizes, and some packet drops were observed when running at full capacity.
Conditions:
Upgrading F5OS-A software version from 1.0.0 to a later software version.
Impact:
If F5OS software is upgraded from F5OS-A 1.0.0 to any later version, including F5OS-A 1.1.0, there will be a maximum drop of 14% in TPS from what the device actually supported in F5OS-A 1.0.0.
Workaround:
No mitigation currently available.
1127393-3 : Error message is not displayed when user configures more than 3 DNS servers in ConfD CLI or webUI
Component: F5OS-A
Symptoms:
When user tries to configure more than 3 DNS server entries in F5OS-A using command "system dns servers server" or from webUI, no error message is displayed. System allows only 3 DNS servers, but user will be allowed to configure more than 3.
Conditions:
Configure DNS server in F5OS-A using ConfD CLI or webUI.
Impact:
No impact. Even though user configures more than 3, system will take only 3 entries.
Workaround:
NA
1099069-2 : Issues with pulling files from F5OS device using SCP
Links to More Info: BT1099069
Component: F5OS-A
Symptoms:
Unable to pull packet capture files off of the F5OS device using SCP from admin.
Conditions:
Download packet capture files using SCP from the admin account.
Impact:
Unable to download packet capture files through SCP from admin.
Workaround:
N/A
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support website: http://www.f5.com/support/
- The MyF5 website: https://my.f5.com/manage/s/
- The F5 DevCentral website: http://devcentral.f5.com/