1328977-1 : Appliance Orchestration Manager fails due to memory corruption

Links to More Info: BT1328977

Component: F5OS-A

Symptoms:
Appliance Orchestration Manager fails, leading to a restart of the docker container. We can observe a core as well.

Conditions:
There are no preconditions. It is happening to memory corruption in the systems. The issue is not consistent.

Impact:
OMD restarts; this will not generally disturb the tenant's functionality.

Workaround:
N/A

Fix:
Fixed the issues related to memory corruptions in the appliance Orchestration Manager.

1328729 : Slow memory leak when processing tenant telemetry

Links to More Info: BT1328729

Component: F5OS-A

Symptoms:
The system will eventually run out of memory. Up until the point of service restart, the memory utilization will negatively impact running tenants, causing potential memory allocation errors.

Conditions:
When a BIG-IP tenant version </= 15.1.7 is running.

Impact:
Excessive memory utilization will impact operational performance of the F5OS and tenants.

Workaround:
The mitigation is to update a BIG-IP tenant version to 15.1.8 or newer, or to update to F5OS 1.5.1.

1327701-4 : Space in SNMP community/user/target name causing snmpd container restart

Component: F5OS-A

Symptoms:
When there is a space in any SNMP community/user/target name configuration, this will cause an F5OS snmpd service restart.

Conditions:
When there is a space in an SNMP community/user/target name configuration.

Impact:
F5OS snmpd restarts.

Workaround:
Reconfigure the SNMP community/user/target without a space in the name.

Fix:
Added a space restriction in SNMP community/user/target name configuration so the user can no longer configure with a space.

1315121-1 : Key migration failure and potential corruption updating to 1.5.0 or later with deployed tenants

Links to More Info: BT1315121

Component: F5OS-A

Symptoms:
When setting a new primary key after upgrading from an older release (such as 1.1.1 or older), where tenants are deployed, to 1.5.0 or newer, the key migration may fail.

The migration failure may cause configuration database corruption for the entire system.

Conditions:
Tenants are deployed on release 1.1.1 or older. Upgrade to 1.5.0 or newer (including through intermediate upgrades, such as 1.1.1 -> 1.3.2 -> 1.5.1). Set new primary key.

Impact:
Setting a new primary key may fail. When this failure occurs, system configuration corruption may occur.

Workaround:
Mitigation to prevent failure:
- Change all tenants to the configured state
- Set a new primary key
- Wait for key migration to complete
- Return tenants to deployed state.

Recovery for corruption:
- Reset device to default configuration
- Set the primary key to the known primary key for a known-good backup
- Restore with known-good backup

Fix:
Fix known causes of database corruption on primary key migration failure. While the primary key configuration may still fail if tenants are in deployed state, it should no longer cause system corruption.

1304657-1 : tcam-manager does not support all the possible system network subnets

Component: F5OS-A

Symptoms:
The connection from the tenant (TMM) to the tcam-manager is continuously restarted.

tcam-mgr logs show the wrong tenant-id and hence rejected connection from the tenant:

msg="INFO" MSG="Connection from client address:10.245.3.1".
msg="ERROR" MSG=" Confd access error obtaining tenant info for tenant:12291 slot:1".
msg="INFO" MSG="neuron_handle_responses: dropping resp to non-existent client".

TMM periodically logs neuron client errors, such as:

notice hudproxy_neuron_client_closed_cb: Neuron client connection terminated
notice pva_sc_frs_neuron_stopped_cb/2373: FRS SC: Neuron client stopped.
notice [DDOS Neuron]Neuron daemon stopped

Conditions:
The 'system network' configuration is changed from its default setting in F5OS.

Impact:
TCAM based features don't work.

Workaround:
Select either the default RFC6598 subnet or any of the unaffected RFC1918 subnets.

Fix:
tcam-manager now correctly calculates the tenant-id for all possible system network subnets.

1297665-1 : Occasionally diagnostic agent reports as unhealthy for unpopulated PSU_Slot in health summary and ihealth reports

Component: F5OS-A

Symptoms:
Diagnostic agent reports as unhealthy for unpopulated PSU_Slot in ihealth reports and "show system health summary" output.

Conditions:
Occurs only when any empty PSU slots are in the system and diagnostic agent receives PSU Input State events in different order.

Impact:
It causes diagnostic agent to report as unhealthy for PSU on the unpopulated slot in health summary.

Workaround:
N/A

1293305-2 : LAG interface status is not updated on the BIG-IP tenant

Links to More Info: BT1293305

Component: F5OS-A

Symptoms:
Symptom 1: Trunk is down in tenant but the LAG is up in F5OS-A.
Symptom 2: LAG is down in F5OS-A but the trunk is up in tenant.

Conditions:
For symptom 1:
1. Set up new rSeries device.
2. Config static LAG and VLAN.
3. Deploy new tenant.
4. In tenant, LAG will be shown as down but interfaces shown as up.
5. This happens only at initial tenant deployment.

For symptom 2:
1. LAG is shown as down in F5OS-A.
2. Trunk is shown as up in tenant.

Impact:
Symptom 1:
On r2x00/r4x00 platforms, as LAG will be in DOWN state, datapath will not be working.

Symptom 2:
On r2x00/r4x00 platforms, LAG status is shown as UP but it's actually DOWN on the platform. Datapath will not be UP, but as LAG is UP in tenant we expect Datapath to be UP.

Symptom 3:
If trunks are used for HA Group the scores associated to the trunks are not deducted from the overall health scores regardless of whether the interfaces in the trunks are up or not.

Workaround:
For symptom 1:
Restarting "system_api_svc_gateway" service on host.
#docker restart system_api_svc_gateway

For symptom 2:
Restarting "system_api_svc_gateway" service on host.
#docker restart system_api_svc_gateway

1290949-1 : Invalid memory read in appliance orchestration manager

Links to More Info: BT1290949

Component: F5OS-A

Symptoms:
"Invalid read" identified in OMD.
During "show cluster events" we are hitting the code flow, where the ConfD API is reading the freed memory. It is leading to an invalid read.

Conditions:
Executing "show cluster events".

Impact:
Using a freed memory may cause unexpected behavior in the system.

Workaround:
N/A

Fix:
Code changes to address memory violations in the code.

1290941-1 : LLDP/STPD/LACPD in rSeries is flooding SEP_POLLERR when dma-agent restarts

Links to More Info: BT1290941

Component: F5OS-A

Symptoms:
Below log is flooded in platform.log when dma-agent restarts
"SEP library in ERR state, sep_client_poll() returns SEP_POLLERR".

Conditions:
dma-agent restart.

Impact:
l2 functions such as LLDP/STPD/LACPD will be affected.

Workaround:
Reboot the device.

Fix:
Fixed code from flooding logs.

1286285-3 : ISO with special characters in name will not import

Component: F5OS-A

Symptoms:
An ISO named with special characters like "()" will not be imported and gets deleted from the import directory silently.

Conditions:
Only when the ISO name contains special characters.

Impact:
User will not have any status on the imported image with a name that contains special characters.

Workaround:
No workaround.

Fix:
The "show system image" API will display the status as "Import error. File name is incorrect."

1286165-1 : Ping failing after removing aggregate ID from interface and adding trunk VLANs in the same commit

Component: F5OS-A

Symptoms:
Ping to self IP of tenant failing.

Conditions:
This issue will be observed only when tried from F5OS ConfD CLI.

Removing aggregate ID and assigning trunk VLANs to an interface in the same commit from ConfD CLI.

Impact:
Ping to self IP of tenant will fail.

Workaround:
From F5OS CLI
1)Remove aggregate ID from interface.
2)commit the changes.
3)Add trunk VLANs to interface and commit the changes.

For example:
1)no interfaces interface 3.0 ethernet config aggregate-id
2)commit; top
3)interfaces interface 3.0 ethernet switched-vlan config trunk-vlans [ 3700 3800 3900 ]
4)commit

Fix:
NA

1285969 : Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down

Links to More Info: BT1285969

Component: F5OS-A

Symptoms:
One or more interfaces in LACP aggregations may be considered down when they should not be.

Conditions:
Internally, LACPD hashes interfaces to an integer, and some aggregation interface names hash will collide with ethernet interface name hash. Changes to the these aggregation interfaces can impact the ethernet interface.

Impact:
Traffic through the affected ethernet interface in LACP aggregations may be disrupted. This can cause either degraded performance or traffic failure for LACP aggregations that the interface is a member of.

Workaround:
Only use aggregation interface names that don't hash to the same port numbers as ethernet interfaces.

In order to determine if an existing aggregation interfaces port number conflicts with an ethernet interface, review the lacpd_interface_stat table.

For a VELOS partition, use the lacpd container on any blade in the partition to run tmctl.
For an appliance, use system_lacpd container to run tmctl.

The following example from a rSeries appliance shows the aggregation interface "vlag" with the same port number as interface 1.0

[root@appliance-1 ~]# docker exec -it system_lacpd bash

[root@appliance-1 partition]# tmctl lacpd_interface_stat -s name,port_num
name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
4.0 4096
5.0 5120
6.0 6144
7.0 7168
8.0 8192
9.0 9216
mgmt 43008
vlag 1024

If an aggregation interface hashes to the same port number an Ethernet interface:

1. Delete the conflicting aggregation interface

2a. You can either restart the lacpd containers

    or

2b. Reboot the appliance, or for VELOS reboot each blade in the partition.

Fix:
Aggregation interface names will never impact ethernet interfaces in a LACP aggregation.

1282757 : On upgrade, systems might overwrite key due to automatic firmware updating

Links to More Info: K000133379, BT1282757

Component: F5OS-A

Symptoms:
When upgrading to a new version (such as 1.4.0), automatic firmware updates occur, and these interfere with the encryption key retrieval, causing a new key to be generated, which blocks api-service-gateway.

Conditions:
Upgrading to a new version where automatic firmware updates get started at boot-up.

Impact:
The api-service-gateway container does not come up and there is no communication with the tenant.

Workaround:
Docker exec -it system_manager bash
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-key"
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-cert"

Fix:
The encryption key will not generate a new key unless the TPM module has none. The code will continue to retry until it succeeds or ConfD timeout occurs (300 seconds).

1281861 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0

Links to More Info: BT1281861

Component: F5OS-A

Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".

Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.

Impact:
Tenants will not start and are unusable.

Workaround:
To work around this issue, perform one of these actions:

1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".

Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.

1281857-1 : Repeated disabling and enabling of link partner interface might result in datapath corruption

Component: F5OS-A

Symptoms:
Packets received on an interface are corrupted or lost after a link partner interface is repeatedly disabled and then enabled within relatively short windows of time.

Conditions:
A link partner interface is repeatedly disabled and then enabled within relatively short windows of time.

Impact:
Dataplane services on the given interface will be inoperable.

Workaround:
The product must be rebooted to recover.

Fix:
An FPGA firmware fix was implemented to add an additional clock to an internal component that served to isolate noise between the MAC and itself.

1281749-1 : Hashed/encrypted passwords are getting logged

Links to More Info: K000134922, BT1281749

1280365-3 : WebUI and shell admin access unavailable after upgrade to when one of the previously installed images is no longer present

Links to More Info: BT1280365

Component: F5OS-A

Symptoms:
1. WebUI or CLI inaccessible via admin account (that is, ConfD is not up):
[root@appliance-1(XXXXXXXXX) log]# su admin
Failed to connect to server

2. sw-mgmt.debug file will have a line similar to this one (with image version changing depending on which image is missing):
DEBUG: Source file /var/export/chassis/import/.mounts/iso/R2R4/1.1.1-9159/m3/*-services/F5OS*.img does not exist, removing from all_sw.

3. Containers stuck in ImagePullBackOff. For example, system_network container cannot be pulled, and the following error is observed in messages log:

appliance-1 dockerd-current: time="2023-03-24T15:09:26.631359235Z" level=error msg="Not continuing with pull after error: Error: image system_network:1.4.5-f5os-a-1-4-0-candidate.2023-02-14-15-09-15.S9b340f7e not found"

Conditions:
Both of the below conditions:

1. Certain ISO image has been ungracefully removed from the /var/import/staging folder. Examples of ungraceful removals:
-- Deleted via bash (after running chattr -i <image name>)
-- Image name had parentheses in it and as per ID1273021 it is wiped out upon reboot.

2. /var/import/import.json file includes reference to removed image that is listed BEFORE the reference to currently used image.

Impact:
Device webUI is inaccessible. Cannot access ConfD. Root access is working.

Workaround:
Two workarounds:
1. Re-import the deleted image and reboot the box.
2. Remove the whole section that references the deleted image from import.json file and reboot the box.

Fix:
N/A

1273845-1 : Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration

Links to More Info: BT1273845

Component: F5OS-A

Symptoms:
Manually adding TLS Certificate & Key on webUI instead of storing through Self-Signed Certificate or removing Certificate & Key removes TLS configuration, which includes verify-client and verify-client-depth.

Conditions:
- When there is an existing Verify Client and Client Depth configuration, and user tries to remove TLS Certificate & Key on Certificate Management screen on webUI.

- When user fills the TLS Certificate & Key on Certificate Management screen on webUI.

Impact:
Verify Client and Client Depth configuration of Certificate Authentication will be changed to default values which disables verification of httpd client certificates.

Workaround:
- Remove or Add TLS Certificate & Key through CLI.
- While creating Self-Signed Certificate, set "Store TLS" field as true
- Re-add Verify Client and Client Depth after removing or manually adding TLS Certificate & Key.

1273445 : Downgrade/upgrade issues are seen because ISO has special characters in the file name★

Links to More Info: BT1273445

Component: F5OS-A

Symptoms:
If a F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , ＼') is imported onto the device, and the system is downgraded/upgraded with this ISO, it can result in the upgrade/downgrade failing.

Conditions:
1. Download and import an ISO with a 'special character' in its name (for example,F5OS-A-1.5.0-*.iso.
2. Attempt an upgrade /downgrade.
3. Upgrade/downgrade will fail.

Impact:
Upgrade/downgrade will fail, requiring manual intervention to recover the system.

Workaround:
1. Before performing a platform software upgrade, compare versions referenced by the "show system image" ConfD CLI command with the names of files present in the "/var/import/staging” directory.

If the ISO is not present in /var/import/staging but it is shown in "show system image" command output, then import again to "/var/import/staging”.

2. If there is any ISO file with a name containing a special character present in "/var/import/staging”, remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt upgrade.

3. In order to remove that ISO file with a name containing a special characters use the below command.

appliance-1(config)# system image remove iso <iso version>

4. In scenarios where the above command fails or where it is not possible to use above command, please follow the below procedure to delete the image.
  * login to the device using root
  * chattr -i "/var/import/staging/<iso with special characters>”
  * rm -rf "/var/import/staging/<iso with special characters>”

In case downgrade or upgrade failure has already occurred due to this issue, follow these steps to recover the system:

1. Download another copy of the ISO with a proper name to /var/import/staging.

2. Wait for five minutes for it to import. If ConfD is unavailable, you can check the logs in /var/log/sw-mgmt.debug for import status.

3. Once the import is complete, reboot the system. This should recover the system.

Fix:
The fix is to delete the ISO with the special characters when it is being imported.

1273025-1 : Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption

Links to More Info: BT1273025

Component: F5OS-A

Symptoms:
Virt-handler pod is crashing upon downgrading from F5OS-A 1.4.0 to F5OS-A 1.3.2, and a tenant is stuck in pending state.

Conditions:
Configure TACACS server-group on a non-default port (that is, other than port 49) and downgrade from F5OS-A 1.4.0 to F5OS-A 1.3.2.

Impact:
Tenant becomes stuck in pending state.

Workaround:
Two workarounds:

1. Configure standard port (49) for the TACACS server instead of a non-standard port. Using the standard port should not trigger these issues. Releases older than F5OS-A 1.4.0 do not correctly support any port other than 49 for the TACACS server.

2. Fix SELinux policy on the appliance:

a. cp selinux module from /usr

cp /usr/etc/selinux/targeted/active/modules/400/f5_appliance to /etc/selinux/targeted/active/modules/400/f5_appliance

b. Reboot the device

reboot

Fix:
Enforce closure of non-standard port every time configuration is updated or system is shut down. This avoids leaving ports open for which SELinux may not have exceptions.

Note this does not address the non-standard port in older releases when downgrading. Non-standard ports for TACACS are still not properly supported in the older release.

1273021-1 : ISOs imported with regex special characters in their names are getting deleted★

Links to More Info: BT1273021

Component: F5OS-A

Symptoms:
When upgraded to ISO that is imported with special regex characters, upgrade fails.

Conditions:
ISO imported with regex special characters present in /var/import/staging.

Impact:
Docker container services will not come up.

Workaround:
If ISO is deleted, or any ISO is present in /var/import/staging with special characters in its name, delete the ISO (if present) and re-import without special characters.

If containers are down, reboot the device for containers to come up.

Fix:
Import of ISO with special characters is blocked.

1273017-1 : LACPD restarts when changing aggregation lag-type through configuration utility webUI

Links to More Info: BT1273017

Component: F5OS-A

Symptoms:
The Link Aggregation Control Protocol Daemon (LACPD) will restart. An LACP aggregation's interface can be permanently down, restricting traffic from passing on that interface.

Conditions:
-An aggregation interface's lag-type is set to static through configuration utility.

Impact:
One or more physical interfaces associated with an LACP aggregation can be erroneously marked down indefinitely, causing either degraded performance, or complete traffic failure.

Performance degradation may not occur, but the LACPD process will always restart.

Workaround:
- Toggle any affected interface to disable and then back to enable.
- Toggle any affected aggregation interface to static and then back to LACP.
- Reboot the system.

Fix:
LACPD will not restart when an aggregation is configured to static through the configuration utility. Few warnings can be logged when this operation occurs. These warnings can be ignored if seen while changing an aggregation's lag-type through configuration utility.

1269989-2 : tcam-manager may get stuck using 100% CPU

Links to More Info: BT1269989

Component: F5OS-A

Symptoms:
After running a QKView or tcam-dump by itself, tcam-manager does not clean up the diagnostic socket, which results in a tight loop and pegging the CPU at 100% utilization. This in turn starves other platform processes (such as dma-agent), which causes performance degradation.

Conditions:
A QKView or tcam-dump, which is included in QKView, is run.

Impact:
Performance degradation.

Workaround:
The issue can be avoided by not running QKView.

Fix:
After tcam-dump completes, the corresponding socket is properly removed.

1267253-2 : LDAP shadowExpire attribute not honored

Links to More Info: BT1267253

Component: F5OS-A

Symptoms:
When using LDAP authentication, usage of the shadowExpire and related attributes will not enforce expiration on the F5 device.

Conditions:
LDAP authentication is configured. LDAP shadowExpire, shadowMax, and related attributes are set such that the user should be expired.

Impact:
User with expired attributes can log into F5 device.

Workaround:
Either remove the user from groups with roles that allow access to the F5 device (for example, F5OS admin role gidNumber) or delete the user.

1253713-3 : CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png

Links to More Info: K000133070, BT1253713

1252377-2 : VXLAN-GPE and GENEVE are disabled by default when software is upgraded from F5OS-A 1.3.0 build to F5OS-A 1.4.0★

Links to More Info: BT1252377

Component: F5OS-A

Symptoms:
When r10000 or r5000 Series hardware is running with F5OS-A 1.3.0, the default settings for VXLAN-GPE and GENEVE are enabled, and hardware disaggregation support for these tunnel protocols is enabled without any explicit configuration.

If the software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0, these protocols will be disabled, and hardware disaggregation is disabled. It is required to enable these two protocols explicitly in the configuration to enabled them in the hardware.

Conditions:
If VXLAN-GPE and GENEVE tunnels are used in the deployment with F5OS-A 1.3.0 software version without any explicit enabled configuration for these two tunnels, and software upgraded to F5OS-A 1.4.0 or later.

Impact:
Hardware disaggregation support for VXLAN-GPE and GENEVE will be disabled if software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0 or later when these two tunnels are using default configuration to enable them.

Workaround:
Use explicit tunnel settings to enable VXLAN-GPE and GENEVE in F5OS-A 1.3.0, or enable these two protocols explicitly after software upgrade from F5OS-A 1.3.0.

Fix:
VXLAN-GPE and GENEVE are disabled in default global configuration and advised to use explicit tunnel configuration settings to enable hardware disaggregation support.

1251981 : Speed on webUI Interfaces screen is empty for 1GB

Links to More Info: BT1251981

Component: F5OS-A

Symptoms:
When interface speed is 1GB, the speed column on this screen is blank. The Edit Interfaces screen has the same issue.

Conditions:
Interface speed is set to 1GB.

Impact:
Speed column will be blank, so user will not see the actual speed.

Workaround:
Use the F5OS CLI to view the interface speed when it is set to 1GB.

Fix:
Speed column is now populated correctly on the Interfaces screen.

1250901-2 : On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state

Links to More Info: BT1250901

Component: F5OS-A

Symptoms:
After a reboot of the system in live upgrade, tenants that were running earlier might not change to a running state. This is due to the HSM board driver stuck in SAFE_STATE instead of OPERATIONAL_STATE.

In some cases, the driver changes to an operational state after some amount of time (approximately 10 minutes). But this time might vary upon detection of reset/link failure in the hardware. In some other systems, the driver becomes stuck in SAFE_STATE indefinitely.

Conditions:
Live upgrade/reboot of the rSeries FIPS system with F5OS-A.

You may observe the below logs in dmesg-
[ 964.105021] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION

Impact:
Running tenants goes to pending state when this issue occurs in a live upgrade.

Workaround:
Check contents of cavium_n3fips file as shown below.
[appliance]# cat /proc/cavium_n3fips/driver_state
HSM 0:OPERATIONAL_STATE

If the driver changes to an operational state, perform
"docker restart fips-support-pod" to help in recovering.

But if the driver state is still "HSM 0:SAFE_STATE", you may need to perform a power cycle reboot (but this will not guarantee recovery).

Fix:
N/A

1249773-2 : QKView may fail to collect all files for platform-monitor container

Links to More Info: BT1249773

Component: F5OS-A

Symptoms:
Very occasionally, QKView view will have a conflict collecting round-robin database (RRD) files in the platform monitor container. The qkview-collect routine may terminate unexpectedly as a result.

Conditions:
QKView capture request happens coincidentally to round-robin database update.

Impact:
RRD files may not be collected.

Workaround:
Rerun QKView.

Fix:
This will be fixed in a future release.

1239325 : Issue when Management IP address is configured to have public internet access on F5OS

Links to More Info: BT1239325

Component: F5OS-A

Symptoms:
The F5OS webUI allows web crawlers access to all content when the Management IP address is configured to have public internet access.

Conditions:
If the Management IP address is configured to have public internet access.

Impact:
This impedes the ability to satisfy internal security compliance mandates.

Workaround:
To mitigate the issue, you can manipulate the contents of the robots.txt file inside the webUI container as demonstrated below:

$ ssh root@10.238.160.60
root@10.238.160.60's password:
[root@appliance-1 ~]# docker exec -it vanquish-gui bash
[root@d6303361e100 /]# cd /app/build
[root@d6303361e100 build]# echo "User-agent: *" > robots.txt
[root@d6303361e100 build]# echo "Disallow: /" >> robots.txt
[root@d6303361e100 build]# cat robots.txt
User-agent: *
Disallow: /
[root@d6303361e100 build]# exit
exit
[root@appliance-1 ~]# exit
logout
Connection to 10.238.160.60 closed.

Fix:
Robots.txt now disallows web crawlers access to any content.

1236857-1 : F5OS OID SNMPv2-MIB::sysDescr provides meaningless information for system controller

Links to More Info: BT1236857

Component: F5OS-A

Symptoms:
After setting up snmpwalk on older version and live upgrading to another version, the snmpwalk is still showing older service version.

Conditions:
1. configure SNMP
2. upgrade system with live upgrade
3. check system version using SNMPv2-MIB::sysDescr (it will be pointing to older version)

example:
SNMPv2-MIB::sysDescr.0 = STRING: Linux 3.10.0-1160.62.1.F5.1.el7_8.x86_64 : Appliance services version <older_version>

Impact:
sysDescr will be displaying older version.

Workaround:
N/A

Fix:
This issue is fixed in latest release.

1234049 : The Add/Edit tenant deployment screen on the r4600 webUI does not have the option for 12 vCPUs in the vCPUs dropdown

Links to More Info: BT1234049

Component: F5OS-A

Symptoms:
The vCPUs dropdown does not have 12 as an option in the Add/Edit tenant deployment screen on the r4600 webUI.

Conditions:
While adding or editing a tenant on the r4600 system via webUI.

Impact:
The user cannot add or edit a tenant with 12 vCPU cores on the webUI.

Workaround:
Users can add/edit a tenant with 12 vCPU cores from the CLI.

Fix:
The webUI will have an additional option for '12' in the vCPUs dropdown thus allowing the user to deploy a tenant with 12 vCPU cores.

1232369 : Intel Microcode update

Links to More Info: BT1232369

Component: F5OS-A

Symptoms:
Intel Microcode update was found to fix an internal regulator power issue. No workaround; requires BIOS update.

Conditions:
Intel Microcode earlier than 0d000389 in the BIOS.

Impact:
Unknown

Workaround:
Upgrade BIOS that includes the new microcode 0d000389 from Intel.

Fix:
BIOS version 2.01.134.1 has been updated from vendor with the updated microcode from Intel.

1232309 : CVE-2020-10754: nmcli did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings

Links to More Info: K000132761, BT1232309

1231357 : Unexpected reboot might occur on r5000/r10000 Series

Links to More Info: BT1231357

Component: F5OS-A

Symptoms:
An unexpected operating system reboot might occur on r5000/r10000 Series.

After the system reboots, in the /var/crash/ directory there will be a new directory created that is named with a timestamp corresponding to the reboot. In that new directory, a file vmcore-dmesg.txt is available with the following error message:

CPU 0: Machine Check Exception: 5 Bank 4: ba00000056000402

Conditions:
Unexpected system reboot.

Impact:
When the reboot occurs, the entire system will reboot and all tenants will stop processing traffic until the reboot is complete. The system will operate normally after the reboot.

Workaround:
None

Fix:
This issue has been corrected.

1230609 : Neighbor interface description is not updated in LLDP neighbor details

Links to More Info: BT1230609

Component: F5OS-A

Symptoms:
Port Description TLV is not displayed under LLDP interface neighbors.

Conditions:
1) enable LLDP on device and on switch
2) enable port description TLV
3) set port description on interface in switch side

Impact:
No impact.

Workaround:
N/A

Fix:
Fixed code to display port description.

1229465-3 : QKView is not collecting core files in /var/crash

Component: F5OS-A

Symptoms:
QKView was designed to collect core files in /var/core only. The operating system kernel can create core files in /var/crash. SEs need to know about these files.

Conditions:
OS kernel creates a core file.

Impact:
Core file not collected by QKView.

Workaround:
Core file can be manually copied from /var/crash.

Fix:
QKView takes a directory listing from /var/crash and collects core files in that directory.

1226505-2 : Average transactions per second impacted in certain cases

Links to More Info: BT1226505

Component: F5OS-A

Symptoms:
There is a reduction in http/https average transactions per second for some file sizes when ASM is configured on BIG-IP tenant on R2000 series.

Conditions:
BIG-IP config: virtual server with asm_rw policy attached to it; virtual server with profiles http, tcp, and websecurity attached to it (visual snippet is at the end of high level details).

CPU: 95-97%

simulated users: 1536

The traffic involved in testing ASM is close to real world traffic conditions.

Impact:
Reduction in average transactions per second when traffic is run for a specified duration with 1536 simulated users.

Impact is seen for http traffic specific to 32kb and 5kb file sizes.

Workaround:
N/A

Fix:
N/A

1226429 : "DEBUG cannot reply twice on the same call" log reporting repeatedly

Links to More Info: BT1226429

Component: F5OS-A

Symptoms:
When the snmpget operation is performed on IF-MIB, the message "DEBUG cannot reply twice on the same call" appears in /var/log/message. The issue is that the DEBUG is enabled in one of the services container so this DEBUG message is logging in /var/log/message.

Conditions:
One of the reproduction steps is to perform the snmpget operation on IF-MIB.

Impact:
No known impact on the functionality. They are DEBUG messages only.

Workaround:
No workaround. The debug messages stops when the snmpget operation is completed.

Fix:
Removed unwanted debug enable from the service container.

1225989-2 : TACACS users only able to access CLI, not webUI

Links to More Info: BT1225989

Component: F5OS-A

Symptoms:
A TACACS user with either admin or operator privilege is unable to log onto the webUI, but can get access through the CLI. This was found to be due to an internal file linking error.

Conditions:
Have a correctly configured TACACS authenticated user access the webUI.

Impact:
The login will not be successful, and an "Authentication failed" message will be displayed. The webUI will be inaccessible.

Workaround:
N/A

Fix:
The file link issue has been resolved, and the problem no longer exists.

1225981-1 : Files greater then 1000 MiB are truncated in QKView

Links to More Info: BT1225981

Component: F5OS-A

Symptoms:
QKView is unable to collect an untrunucated platform.log file that has been rotated.

Conditions:
Rotated copy of the platform.log file is greater than 1000 MiB.

Impact:
Logs are not complete in QKView making it difficult to troubleshoot issues.

Workaround:
Collect the log files manually.

1217169-2 : Disk full: Latest ISO is not getting imported★

Component: F5OS-A

Symptoms:
Not able to import images because /var/export/chassis LVM goes to read-only mode when the memory usage of this LVM is reached by more than 50%.

This LVM is created as VDO (virtual data optimizer) volume, twice the size of the physical partition size, so 50% of the LVM size is equal to 100% of the size of the underlying physical device (partition), on which this LVM is being created.

When the LVM usage reaches more than 50% of LVM size, the LVM metadata is corrupted, causing this issue.

Conditions:
The issue is seen when usage of the LVM /var/export/chassis reaches around 50% by importing more than 12 F5OS-A images on an rSeries low device.

Impact:
Not able to import images once the LVM /var/export/chassis goes to read-only mode.

Workaround:
The workaround is to deport older images from /var/export/chassis/import/iso/ using command below before importing/copying new images.

appliance-1(config)# system image remove iso <old/unused iso version>

or

If it is not possible to delete the images using above command
please follow below steps.

chattr -i /var/import/stagging/<old/unused iso>
rm -rf /var/import/stagging/<old/unused iso>

In case the issue is seen (/var/import/stagging/ becomes read only) the only way to recover the system is perform either pxeboot or usb install on the system.

1215917 : webUI failed to load when downgrading from 1.5.0 to 1.3.1 with self-signed certificate with encrypted RSA key type

Component: F5OS-A

Symptoms:
webUI fails to load.

Conditions:
If the self-signed certificate is enabled with encrypted-RSA/ECDSA, and the system is downgraded to lower versions than 1.5.0

Impact:
webUI fails to load.

Workaround:
Remove the self-signed encrypted certificate before downgrading to lower versions.

Fix:
Added code changes to restrict the downgrade to lower versions if encrypted RSA/ECDSA certificate is available.

1211861 : Configured input values of IP address fields reset to default upon switching the protocol

Links to More Info: BT1211861

Component: F5OS-A

Symptoms:
IP address fields are reset to default values.

Conditions:
When the user changes the protocol and switches back to the previously selected protocol via the "Address" field on the webUI.

Impact:
Values of IP address fields are lost as they are reset to default values.

Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.

Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.

We have added 'X' buttons adjacent to the address fields that can be leveraged to put in default values in case the user does not want to configure the fields for a particular protocol.

1211777 : Configured input values of IP address fields reset to default upon switching the protocol

Links to More Info: BT1211777

Component: F5OS-A

Symptoms:
IP address fields are reset to default values.

Conditions:
When the user changes the protocol and switches back to the previously selected protocol via the "Address" field on the webUI.

Impact:
Values of IP address fields are lost as they are reset to default values.

Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.

Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.

We have added 'X' buttons adjacent to the address fields that can be leveraged to put in default values in case the user does not want to configure the fields for a particular protocol.

1211025 : Firmware update interrupted during OS install★

Links to More Info: BT1211025

Component: F5OS-A

Symptoms:
Firmware update can be interrupted by docker container issues.

Conditions:
Random container issue restarts all containers.

Impact:
If firmware is being updated in that moment, the firmware update will fail and it could cause problems to normal system operation.

Workaround:
Ask the support team to update the LOP firmware.

Fix:
Docker container failure handles routine checks if firmware is being updated and waits until the update is done before handling the failure.

1207485-1 : LACP daemon restarts when changing lag-type of the aggregation

Links to More Info: BT1207485

Component: F5OS-A

Symptoms:
LACP daemon restarts. The system will be unable to process LACPDUs until LACP daemon starts up again.

Conditions:
The issue occurs from changing the lag-type of an aggregation interface that does not have an associated LACP interface.

Impact:
All LACP link aggregations may go down and be unable to process traffic for a short time. The down time, if it occurs, should be less than a few seconds.

Workaround:
Only change an aggregation's lag-type while an associated LACP interface exists.

Fix:
LACP daemon will not restart when changing an aggregation's lag-type while an associated LACP interface does not exist.

1204481 : System may flap external links multiple times during startup or links may fail to come up at all

Links to More Info: K000132166, BT1204481

Component: F5OS-A

Symptoms:
When the system boots up, the interfaces may flap (go up and down) several times in quick succession before coming up and stabilizing.

In some cases, the interfaces fail to come up at all.

If a peer switch is configured to detect excessive link flaps, it may put the port in an err-disable state and prevent the link from coming up.

Conditions:
-- r5000 or r10000 Series appliance

Impact:
If the peer switch triggers a link-flap detection feature, the ports may remain offline until an administrator manually recovers the port on that switch.

Workaround:
There is no workaround for this issue on the rSeries appliance.

An administrator can mitigate this issue by doing one of the following:

- configuring the peer switch to automatically try to recover ports that are disabled for excessive link flapping
- increasing the number of link flaps required in a certain interval before the port is put in a disabled state

Fix:
Disable sending of remote-fault signaling to peer device while the system is booting up.

1190369 : Terminal window not reflecting configured hostname

Component: F5OS-A

Symptoms:
The title of the terminal window does not have the configured hostname.
Currently, all open windows with root login either from PuTTY or any application display as appliance-1.

Conditions:
Connecting to the device using ssh clients like PuTTY.

Impact:
This causes difficulty for a user trying to juggle multiple open SSH sessions during a maintenance window.

1188921-1 : tcpdump not working after upgrade

Links to More Info: BT1188921

Component: F5OS-A

Symptoms:
tcpdump fails with CLI error:
errbuf ERROR:DMAA error, packets cannot be captured
tcpdump: pcap_loop: DMAA error, packets cannot be captured

Error logged:
appliance-1 tcpdumpd-manager[8]: priority="Crit" version=1.0 msgid=0x5406000000000029 msg="DMAA socket failed:" comp="connect" errno=2.

Conditions:
System upgrade has failed to properly update the configuration file, which is responsible for starting tcpdumpd_manager.

Impact:
tcpdumpd_manager will not be able to start and packets cannot be captured. tcpdumpd_manager will continue log this failure to the system log.

Workaround:
None

1188053 : SSH idle-timeout support

Component: F5OS-A

Symptoms:
There was no idle-timeout implemented for SSH session. The SSH session was not getting terminated even if it was idle for a long time.

Conditions:
There was no idle timeout for SSH session.

Impact:
SSH session will not get terminated even if it is idle for long time.

Workaround:
User must close the SSH session.

Fix:
Implemented SSH idle-timeout which is configurable from CLI/RESTCONF. The SSH session will now get terminated if it is idle for the configured idle-timeout. The default value is 0, which means no idle-timeout.

1185701-2 : 'system aaa' command in ConfD to fail with "Error: application communication failure"

Links to More Info: BT1185701

Component: F5OS-A

Symptoms:
System fails to change password and renders system in a degraded state where user management no longer works.
System fails to provide proper user feedback to the user about failed password changes.

Conditions:
This policy option is causing the problem:
system aaa password-policy config retries 5

Impact:
F5OS user password cannot be changed.

Workaround:
Do not change the configuration from default.
system aaa password-policy config retries 5

Fix:
N/A

1185497-3 : Tenant health in the partition shows additional entries that are not part of the tenant configuration

Links to More Info: BT1185497

Component: F5OS-A

Symptoms:
When the admin upgrades the system software from 1.3.x to 1.5.0, the platform updates the tenant's table with additional entries that are not running as part of the tenant's original configuration.

Conditions:
Power cycle or system software upgrades from 1.3.x to 1.5.0.

Impact:
There will not be any impact on the critical functionality of the tenant, and traffic continues to work. However, it does show some unwanted information in the health which could be confusing.

Workaround:
Toggling the affected tenant's running state from "Deployed" to "Provisioned" and back to "Deployed" will fix the state of the tenant in the table.

Fix:
During the power cycle/system upgrade, the platform re-populates the tenant oper status from Openshift and publishes it to Partition. If the REST response of the tenants from Openshift is incomplete, the platform is populating entries under the wrong key/value. As a result, the partition tenant's table ends up with some unwanted entries.
It is a cosmetic issue and will not impact any tenants.

1184821 : Obscure crash in external authenticator

Links to More Info: BT1184821

Component: F5OS-A

Symptoms:
An unexpected sequence of characters in the username or password of an external login could cause a crash in the external authenticator.

Conditions:
Certain malformed usernames or passwords being used for external authentication.

Impact:
The crash in these circumstances would prevent successful login. After analysis, it was deemed there was no security risk or exposure.

Workaround:
Use usernames and passwords for authentication via SSH or webUI that conform to the device username/password requirements.

Fix:
The bug was fixed and a crash no longer occurs.

1184429-1 : Specifying "operation not supported" as an iHealth QKView description or SR number will disable iHealth uploading

Links to More Info: BT1184429

Component: F5OS-A

Symptoms:
The phrase "operation not supported" was scanned for communication with iHealth to indicate an error. By using this as a description or as an SR case, this will trigger an error, preventing the ability to upload to iHealth.

Conditions:
The phrase "operation not supported" is used as an iHealth QKView description or SR number.

Impact:
Unable to upload iHealth through the iHealth upload service on the device.

Workaround:
Do not use the phrase "operation not supported" as a description or an SR case number when uploading to iHealth.

Fix:
Fix to check for errors will scan for http error code instead of scanning the text of the http body.

1181721 : Add additional commands and files to QKView collection

Component: F5OS-A

Symptoms:
There is no change in functionality. The fix adds new commands and files to QKView collection.

Conditions:
Additional commands and files are added to the QKView collection and they will be collected whenever QKView is requested.

Impact:
Additional commands and files are added to the QKView collection.

Workaround:
Only new commands and files will not be collected as part of QKView collection. Old commands and files will get collected in QKView.

Fix:
Additional commands and files are added to the QKView collection.

1167761-2 : Directory indexing enabled for management webUI

Links to More Info: BT1167761

Component: F5OS-A

Symptoms:
Directory indexing is enabled for management webUI.

Conditions:
When the management IP is followed by the name of any directory that is contained in the webUI, the build directories and file contents are visible on the browser.

Impact:
The webUI build directories and file contents are visible on the browser.

Workaround:
None

Fix:
Disabled directory indexing.

1165973-2 : Application error while using the CLI command "show components"

Links to More Info: BT1165973

Component: F5OS-A

Symptoms:
The user receives an error message using the CLI (show components -> Error: application error) when there is a faulty sensor in the hardware.

Conditions:
When the system has the faulty sensor.

Impact:
Application error seen in the ConfD CLI while trying to execute "show components". The webUI is affected as well.

Workaround:
N/A

Fix:
We have added a check at diag-agent to not throw the application error; it will show data for the healthy components.

1137121-3 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0

Links to More Info: BT1137121

Component: F5OS-A

Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".

Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.

Impact:
Tenants will not start and are unusable.

Workaround:
To work around this issue, perform one of these actions:

1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".

Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.

1136597-3 : LDAP user with admin and operator role gets only operator permissions

Links to More Info: BT1136597

Component: F5OS-A

Symptoms:
An LDAP user configured with groups for both admin and operator roles only receives operator permissions.

Conditions:
LDAP user configured with gidNumber assignments for both admin and operator roles.

Impact:
A user with this config would be assigned only operator permissions.

Workaround:
Only configure the gidNumber for the desired role in LDAP for the user. Do not configure multiple roles for the same user.

Fix:
There was an error in the NACM rules for ConfD config. The role logic has been fixed.

• The F5 Networks Technical Support website: http://www.f5.com/support/
• The MyF5 website: https://my.f5.com/manage/s/
• The F5 DevCentral website: http://devcentral.f5.com/

Generated: Wed Aug 30 17:10:06 2023 UTC

©2023 F5, Inc. All rights reserved.