F5OS-A Release Information
Version: 1.5.2
Build: 21056.LTS
Note: This content is current as of the software release date.
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description |
1379845-1 | CVE-2023-3341 | K000137582 | CVE-2023-3341:bind: stack exhaustion in control channel code may lead to DoS |
1322817-4 | CVE-2023-2828 | K000135312 | BIND vulnerability CVE-2023-2828 |
1091853-5 | CVE-2022-23308 | K32760744, BT1091853 | CVE-2022-23308: libxml2 vulnerability |
1378313-3 | CVE-2020-22218 | K000138219 | CVE-2020-22218: libssh2: use-of-uninitialized-value in _libssh2_transport_read |
1194881-5 | CVE-2022-2795 CVE-2021-25220 | K78285929 | Bind vulnerabilities: CVE-2021-25220 and CVE-2022-2795 |
Functional Change Fixes
None
F5OS-A Fixes
ID Number | Severity | Links to More Info | Description |
1496837 | 1-Blocking | BT1496837 | User-manager's ConfD socket getting closed. |
1360905-3 | 1-Blocking | BT1360905 | Unexpected log messages in /var/log/boot.log post-integrity recovery |
1332781-4 | 1-Blocking | BT1332781 | A remote user with the same username as the local F5OS user will be granted the local user's roles |
1326157-2 | 1-Blocking | BT1326157 | Observed multiple containers restarting and cores generating after PXE installation |
1496977-1 | 2-Critical | | Remote GID mappings to F5OS roles are disconnected for TACACS+/RADIUS authentication methods. |
1469925-1 | 2-Critical | | Timezone changes are not reflected in the log messages until the hardware is rebooted |
1436153-1 | 2-Critical | | F5OS upgrades fail when SNMP configuration contains special characters. |
1397145-2 | 2-Critical | BT1397145 | Unable to add blade to Openshift cluster, if VELOS partition root password is expired or locked |
1388477-2 | 2-Critical | | Default GID group mapping authorized even when GID mapped to different group ID |
1378805-4 | 2-Critical | BT1378805 | Error occurs when changing LAG type for an existing LAG interface on webUI |
1366337-2 | 2-Critical | BT1366337 | Adding a system raid drive fails after successful removal |
1365985-2 | 2-Critical | BT1365985 | GID role mapping may not work with secondary GID |
1365821-2 | 2-Critical | BT1365821 | Traffic loss of 5-10 seconds after disable/enable of LACP Lag member on r5000/r10000 |
1355277-4 | 2-Critical | BT1355277 | Incorrect Vlan Listeners when a Static FDB is configured |
1352449-7 | 2-Critical | BT1352449 | iHealth upload is failing with error "certificate signed by unknown authority" |
1352421-2 | 2-Critical | BT1352421 | L2 services (LACP/LLDP) are down on r2000 and r4000 series appliances |
1332997-2 | 2-Critical | | Device stuck at "unmounting containers" after performing reboot |
1330717-2 | 2-Critical | BT1330717 | LLDP neighbors are not getting discovered |
1328405-2 | 2-Critical | BT1328405 | F5OS system stopped generating tmstat snapshots |
1317793-1 | 2-Critical | BT1317793 | F5OS qat-support-pod service crashed with SIGBUS error |
1314917-2 | 2-Critical | BT1314917 | Command "show system health components component psu-2" results in errors |
1313329-2 | 2-Critical | BT1313329 | Downloaded F5OS ISO file missing after reboot |
1311953-1 | 2-Critical | BT1311953 | Platform-services-deployment service does not come up when system reboots early after PXE install |
1305909 | 2-Critical | BT1305909 | iHealth upload not supported on F5OS-A |
1305005-3 | 2-Critical | BT1305005 | Error handling in F5OS file-download API |
1304765-2 | 2-Critical | BT1304765 | A remote LDAP user with an admin role is unable to make config changes through the F5 webUI |
1301837-3 | 2-Critical | BT1301837 | A remote admin user is not able to enter the ConfD config mode when logged in from SSH |
1300749-2 | 2-Critical | BT1300749 | Syslog target files do not use the hostname configured via system user interface. |
1298329-2 | 2-Critical | BT1298329 | Tcpdump capture fails |
1296997-2 | 2-Critical | BT1296997 | Large core files can cause system instability |
1295657-1 | 2-Critical | BT1295657 | ARP probes to rSeries management IP are answered by both mgmt and mgmt0-system |
1294341-1 | 2-Critical | | The system freezes if abruptly rebooted during software upgrade process. |
1291461-3 | 2-Critical | BT1291461 | LCD shutdown does not work on r2800 and r4800 platforms |
1283641-1 | 2-Critical | BT1283641 | Docker network is not updating as part of internal IP ranges configurations |
1280749-2 | 2-Critical | BT1280749 | OCSP server state data and actual configured data is different in ConfD CLI |
1271973-2 | 2-Critical | BT1271973 | Disabling 1G/10G BaseT interface in F5OS does not make the link down on the peer port |
1270473-3 | 2-Critical | BT1270473 | On firmware upgrade from CLI, wrong console message displayed |
1267205-1 | 2-Critical | BT1267205 | Status field in "show system image" reports error when upgrading to 1.5.0★ |
1256897-4 | 2-Critical | BT1256897 | Deleting an ECDSA curve using the CLI takes a while to restart the http-server with the default RSA certificate. |
1252445-2 | 2-Critical | BT1252445 | QKView is collecting iptable dump only for filter table but not for raw, mangle, and nat |
1252377-4 | 2-Critical | BT1252377 | VXLAN-GPE and GENEVE are disabled by default when software is upgraded from F5OS-A 1.3.0 build to F5OS-A 1.4.0★ |
1240749-1 | 2-Critical | BT1240749 | F5OS systems send incomplete DDoS stats response to the tenants |
1229449-1 | 2-Critical | BT1229449 | Username is not logged on rSeries appliance when webUI authentication fails |
1225701-1 | 2-Critical | BT1225701 | Filenames with special characters in /var/import/staging cause upgrade to fail |
1205345-5 | 2-Critical | BT1205345 | RADIUS remote authentication uses internal system IP address as system identifier in requests |
1204985-2 | 2-Critical | BT1204985 | The root causes of F5OS-A upgrade compatibility check failures are hidden in /var/log/sw-util.log. |
1204433-2 | 2-Critical | BT1204433 | "Appliance-mode" flag in license should not be used to enable appliance-mode |
1136725-2 | 2-Critical | BT1136725 | An iptables CLI error |
1099069-2 | 2-Critical | BT1099069 | Issues with pulling files from F5OS device using SCP |
1069365-3 | 2-Critical | BT1069365 | Error shown when configuring known-host for file transfer when FIPS mode is enabled |
1047689-4 | 2-Critical | BT1047689 | Sw_rbcast core file found on system |
1492621 | 3-Major | | Config-restore fails when backup file has expiry-status field for admin or root user |
1486697-1 | 3-Major | BT1486697 | Configuring Expiry-status of root and admin user should not be allowed. |
1469385-1 | 3-Major | BT1469385 | GUI freezes during LDAP user authentication if no remote GID mapped locally. |
1466397-2 | 3-Major | BT1466397 | LDAP authentication is consuming several minutes to authenticate via GUI and SSH. |
1441505 | 3-Major | BT1441505 | iHealth upload client may fail if ConfD database is offline. |
1441425-1 | 3-Major | | The rSeries appliance log shows "PSU voltage out value < lower limit, value=0". |
1437765 | 3-Major | BT1437765 | Restoration of system configuration database may fail if admin user was previously modified |
1436373 | 3-Major | | iHealth upload not supported on F5OS-A |
1429721-1 | 3-Major | | SCP as non-root user does not report errors correctly for bad/non-existent files. |
1393269-1 | 3-Major | BT1393269 | Error log: "PINGLOOP Failed to ssh to 127.0.0.1" |
1388945-1 | 3-Major | | Fan speed randomly shows as '0'. |
1388745-1 | 3-Major | BT1388745 | Large numbers of platform-hal errors logged in platform.log: "Requested Sensor, data, or record not present." |
1379625-4 | 3-Major | BT1379625 | Changing the max-age attribute in password policy is not reflecting immediately |
1359897-2 | 3-Major | BT1359897 | rSeries link down events can be missed |
1351529-2 | 3-Major | BT1351529 | Fixing the log issue stating "UNSUPPORTED STP state" when STP global is configured |
1349465-4 | 3-Major | BT1349465 | Partition s/w upgrade compatibility check doesn't use correct target version |
1338521-2 | 3-Major | BT1338521 | Unable to login when accessing F5OS GUI through a network proxy on a port other than 443. |
1329161-3 | 3-Major | BT1329161 | In non-FIPS mode, added support for the SSH-RSA host key algorithm |
1324737-1 | 3-Major | BT1324737 | The output of the command "ethtool --show-priv-flags" on all interfaces needs to be collected in QKView |
1316097-3 | 3-Major | BT1316097 | LAGs not programmed when adding VLAN to LAG |
1315149-4 | 3-Major | BT1315149 | Users authenticated via TACACS+ cannot log in via serial console |
1312169-2 | 3-Major | BT1312169 | User expiration is not configurable nor viewable on the webUI |
1311049-1 | 3-Major | BT1311049 | For a system that has interfaces with 1GB speed, the network tab on the webUI dashboard is not showing all information |
1306649-1 | 3-Major | BT1306649 | Rapid removal and re-insertion of 10G optics may result in link failure |
1301169-1 | 3-Major | BT1301169 | K3S goes down when OMD is restarted |
1300805-1 | 3-Major | BT1300805 | Allowing the tenant configuration with more memory than max memory in the appliance |
1296525-2 | 3-Major | BT1296525 | qkview may capture log files truncated in a reverse way |
1294581-2 | 3-Major | BT1294581 | webUI header shows FQDN for IP address field instead of management IP |
1290617-2 | 3-Major | BT1290617 | Display option "universal-time" is not supported |
1290053-1 | 3-Major | | VELOS Software version may not be collected consistently across platform by QKView |
1289633-2 | 3-Major | BT1289633 | FIPS devices show incorrect vCPUs |
1289029-3 | 3-Major | BT1289029 | Toggling lag-type can sometimes cause an F5OS LACP aggregation to pass traffic while the peer does not have LACP configured. |
1288937-2 | 3-Major | BT1288937 | Interface persists with removed VLAN |
1284269-1 | 3-Major | BT1284269 | Config restore fails if it contains an SNMP user |
1270837-2 | 3-Major | BT1270837 | The Account Locked field on the Edit User page does not lock out users nor display correct locked status |
1270309-1 | 3-Major | BT1270309 | Audit.log may log incorrect username initially for users logging into the CLI, remotely-authenticated users may see hostname in prompt reported as "appliance-1", and remotely-authenticated LDAP users may experience lengthy delays when authenticating |
1256437-1 | 3-Major | BT1256437 | Interface with a default route with gateway is NOT available |
1240565-2 | 3-Major | BT1240565 | Not allowing special characters "/*!<>^,/" in SNMP community/user/target name |
1211673-2 | 3-Major | BT1211673 | Default tenant disk size is based on tenant image type |
1205409-2 | 3-Major | BT1205409 | Cannot export or download files from diags/shared/tcpdump path |
1181929-3 | 3-Major | BT1181929 | F5OS install may partially fail, leaving system with mismatched OS and services★ |
1132569-1 | 3-Major | BT1132569 | "cdb_exists failed" error logged in platform.log during boot up |
1008701-2 | 3-Major | BT1008701 | Using curl to access 'scp:' URIs on the partition management IP does not work |
1128877-2 | 4-Minor | BT1128877 | Mount command added to QKView collection |
Cumulative fixes from F5OS-A v1.5.1 that are included in this release
Functional Change Fixes
None
F5OS-A Fixes
ID Number | Severity | Links to More Info | Description |
1326837 | 1-Blocking | BT1326837 | Using UI, unable to configure the account expiry date for the user as the request is not delivered to the backend. |
1326541-2 | 1-Blocking | BT1326541 | In r2000 and r4000 systems, alarm LED is not set when there are alerts raised in the system |
1315121-1 | 1-Blocking | BT1315121 | Key migration failure and potential corruption updating to 1.5.0 or later with deployed tenants |
1315065-4 | 1-Blocking | BT1315065 | RSA-1024 SSH public keys should not be allowed in FIPS mode |
1314453-1 | 1-Blocking | BT1314453 | Datapath is broken when LAG type is changed from LACP to Static on r2000/r4000 platforms |
1293305-2 | 1-Blocking | BT1293305 | LAG interface status is not updated on the BIG-IP tenant |
1281857-1 | 1-Blocking | BT1281857 | Repeated disabling and enabling of link partner interface might result in datapath corruption |
1217169-2 | 1-Blocking | BT1217169 | Disk full: Latest ISO is not getting imported★ |
1188921-1 | 1-Blocking | BT1188921 | tcpdump not working after upgrade |
1184429-1 | 1-Blocking | BT1184429 | Specifying "operation not supported" as an iHealth QKView description or SR number will disable iHealth uploading |
1328977-1 | 2-Critical | BT1328977 | Appliance Orchestration Manager fails due to memory corruption |
1328729 | 2-Critical | BT1328729 | Slow memory leak when processing tenant telemetry |
1327701-4 | 2-Critical | BT1327701 | Space in SNMP community/user/target name causing snmpd container restart |
1326725-4 | 2-Critical | BT1326725 | Unable to generate SNMP Trap for IPV6 |
1304657-1 | 2-Critical | BT1304657 | Tcam-manager does not support all the possible system network subnets |
1286165-1 | 2-Critical | BT1286165 | Ping failing after removing aggregate ID from interface and adding trunk VLANs in the same commit |
1285149-3 | 2-Critical | BT1285149 | Patch releases report the wrong version in various log files. |
1280237-1 | 2-Critical | BT1280237 | Notification streams are sometimes empty using 'restconf/streams/platform-stats/json' API endpoint |
1297665-1 | 3-Major | BT1297665 | Occasionally diagnostic agent reports as unhealthy for unpopulated PSU_Slot in health summary and ihealth reports |
1286285-3 | 3-Major | BT1286285 | ISO with special characters in name will not import |
Cumulative fixes from F5OS-A v1.5.0 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description |
1292405-1 | CVE-2022-25147 | K000137702, BT1292405 | CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64 |
1284193-1 | CVE-2021-20277 CVE-2021-25217 CVE-2022-28733 | K000132893, BT1284193 | GRUB2 vulnerability CVE-2022-28733, Samba vulnerability CVE-2021-20277, DHCP vulnerability CVE-2021-25217 |
1273581-1 | CVE-2023-25690 | K000133098, BT1273581 | CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy |
1266197-2 | CVE-2022-4254 | K000136157, BT1266197 | CVE-2022-4254 sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters |
1263941-2 | CVE-2023-22809 | K000132667, BT1263941 | CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user |
1253713-3 | CVE-2020-15999 | K000133070, BT1253713 | CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png |
1232309 | CVE-2020-10754 | K000132761, BT1232309 | CVE-2020-10754: nmcli did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings |
1183909-2 | CVE-2018-20060 CVE-2019-11236 CVE-2019-11324 CVE-2018-18074 | K000133448, BT1183909 | Python urllib3 vulnerabilities CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074 |
1166149-1 | CVE-2021-27803 | K000135433, BT1166149 | CVE-2021-27803 wpa_supplicant: Use-after-free in P2P provision discovery |
1281141-1 | CVE-2022-37434 | K67213091, BT1281141 | CVE-2022-37434 in zlib-1.2.7-20.el7_9 |
1207189-3 | CVE-2022-38178 | K000137229, BT1207189 | CVE-2022-38178 in bind-license-32:9.11.4-26.P2.el7_9.7 |
1207185-2 | CVE-2022-38178 | K000137229, BT1207185 | CVE-2022-38178 in bind-export-libs-32:9.11.4-26.P2.el7_9.7 |
1207181-2 | CVE-2022-38177 | K27155546, BT1207181 | CVE-2022-38177 in bind-license-32:9.11.4-26.P2.el7_9.7 |
1281749-1 | CVE-2023-36494 | K000134922, BT1281749 | Hashed/encrypted passwords are getting logged |
Functional Change Fixes
None
F5OS-A Fixes
ID Number | Severity | Links to More Info | Description |
1290949-1 | 1-Blocking | BT1290949 | Invalid memory read in appliance orchestration manager |
1290941-1 | 1-Blocking | BT1290941 | LLDP/STPD/LACPD in rSeries is flooding SEP_POLLERR when dma-agent restarts |
1285969 | 1-Blocking | BT1285969 | Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down |
1282757 | 1-Blocking | K000133379, BT1282757 | On upgrade, systems might overwrite key due to automatic firmware updating |
1281861 | 1-Blocking | BT1281861 | Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0 |
1281165-1 | 1-Blocking | | CVE-2023-0767 in nss-tools-3.67.0-4.el7_9 |
1281157-1 | 1-Blocking | | CVE-2023-0767 in nss-sysinit-3.67.0-4.el7_9 |
1281149-1 | 1-Blocking | | CVE-2023-0767 in nss-3.67.0-4.el7_9 |
1273445 | 1-Blocking | BT1273445 | Downgrade/upgrade issues are seen because ISO has special characters in the file name★ |
1269989-2 | 1-Blocking | BT1269989 | tcam-manager may get stuck using 100% CPU |
1267253-2 | 1-Blocking | BT1267253 | LDAP shadowExpire attribute not honored |
1250901-2 | 1-Blocking | BT1250901 | On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state |
1232369 | 1-Blocking | BT1232369 | Intel Microcode update |
1226505-2 | 1-Blocking | BT1226505 | Average transactions per second impacted in certain cases |
1225989-2 | 1-Blocking | BT1225989 | TACACS users only able to access CLI, not webUI |
1280365-3 | 2-Critical | K000133253, BT1280365 | WebUI and shell admin access unavailable after upgrade to when one of the previously installed images is no longer present★ |
1273025-1 | 2-Critical | BT1273025 | Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption |
1273021-1 | 2-Critical | BT1273021 | ISOs imported with regex special characters in their names are getting deleted★ |
1249773-2 | 2-Critical | BT1249773 | QKView may fail to collect all files for platform-monitor container |
1231357 | 2-Critical | BT1231357 | Unexpected reboot might occur on r5000/r10000 Series |
1215917 | 2-Critical | | webUI failed to load when downgrading from 1.5.0 to 1.3.1 with self-signed certificate with encrypted RSA key type |
1211025 | 2-Critical | BT1211025 | Firmware update interrupted during OS install★ |
1204481 | 2-Critical | K000132166, BT1204481 | System may flap external links multiple times during startup or links may fail to come up at all |
1184821 | 2-Critical | BT1184821 | Obscure crash in external authenticator |
1137121-3 | 2-Critical | BT1137121 | Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0 |
1136597-3 | 2-Critical | BT1136597 | LDAP user with admin and operator role gets only operator permissions |
1273845-1 | 3-Major | BT1273845 | Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration |
1273017-1 | 3-Major | BT1273017 | LACPD restarts when changing aggregation lag-type through configuration utility webUI |
1251981 | 3-Major | BT1251981 | Speed on webUI Interfaces screen is empty for 1GB |
1239325 | 3-Major | BT1239325 | Issue when Management IP address is configured to have public internet access on F5OS |
1236857-1 | 3-Major | BT1236857 | F5OS OID SNMPv2-MIB::sysDescr provides meaningless information for system controller |
1234049 | 3-Major | BT1234049 | The Add/Edit tenant deployment screen on the r4600 webUI does not have the option for 12 vCPUs in the vCPUs dropdown |
1230609 | 3-Major | BT1230609 | Neighbor interface description is not updated in LLDP neighbor details |
1229465-3 | 3-Major | | QKView is not collecting core files in /var/crash |
1226429 | 3-Major | BT1226429 | "DEBUG cannot reply twice on the same call" log reporting repeatedly |
1207485-1 | 3-Major | BT1207485 | LACP daemon restarts when changing lag-type of the aggregation |
1188053 | 3-Major | | SSH idle-timeout support |
1185701-2 | 3-Major | BT1185701 | 'system aaa' command in ConfD to fail with "Error: application communication failure" |
1185497-3 | 3-Major | BT1185497 | Tenant health in the partition shows additional entries that are not part of the tenant configuration |
1181721 | 3-Major | | Add additional commands and files to QKView collection |
1165973-2 | 3-Major | BT1165973 | Application error while using the CLI command "show components" |
1118109-2 | 3-Major | | CVE-2019-15605: HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed |
1225981-1 | 4-Minor | BT1225981 | Files greater than 1000 MiB are truncated in QKView |
1211861 | 4-Minor | BT1211861 | Configured input values of IP address fields reset to default upon switching the protocol |
1211777 | 4-Minor | BT1211777 | Configured input values of IP address fields reset to default upon switching the protocol |
1190369 | 4-Minor | | Terminal window not reflecting configured hostname |
1167761-2 | 4-Minor | BT1167761 | Directory indexing enabled for management webUI |
Cumulative fix details for F5OS-A v1.5.2 that are included in this release
1496977-1 : Remote GID mappings to F5OS roles are disconnected for TACACS+/RADIUS authentication methods.
Component: F5OS-A
Symptoms:
Remote GID mappings (on a TACACS+ or RADIUS server) to F5OS GIDs/roles are not working correctly. When a remote mapping is configured, access is rejected with a message similar to the following:
[root@system ~]# ssh radius_or_tacacs_user@<F5OS system mgmt IP>
Password:
Last login: <date> from <source IP>
No valid role group found in user groups: '9000'
Connection to <mgmt IP> closed.
Conditions:
A remote GID mapping is configured for a role in F5OS and the authentication method used for remote users is RADIUS or TACACS+.
Impact:
Remote users cannot log in to the system.
Workaround:
Configure remote user's GIDs in a way that they correspond to the GIDs in F5OS for the desired role(s). Then, remove any remote GID mappings in the F5OS configuration.
Fix:
Fixed remote GID mapping to F5OS roles for TACACS+/RADIUS authentication methods.
1496837 : User-manager's ConfD socket getting closed.
Links to More Info: BT1496837
Component: F5OS-A
Symptoms:
After repeating the change of network type and device reboot, the device goes into a state where the user-manager is not interacting with ConfD.
Conditions:
- Change remote GID role and check '/etc/gid-map.txt' file if the value is reflected.
- Switch network type and reboot the device.
Repeat the above process until the '/etc/gid-map.txt' file is no longer updated correctly.
Impact:
Any ConfD configuration change that goes through user-manager fails. This includes user password changes and remote GID changes.
Workaround:
Rebooting the system retrieves the correct GID value from ConfD and updates the '/etc/gid-map.txt' file.
Fix:
The user-manager has no reason to use NSS to look up any PW/group info, as it deals exclusively with the local user database.
Additionally, there is a ZMQ service that belongs in authentication-mgr (which understands remote authentication) that is in the user-manager container. It forces user-manager to use an ‘/etc/resolv.conf’ that can reference remote sources.
If the user-manager trips over a lookup that goes to LDAP (usually a local-db miss), it can be very slow and time out. The ConfD->user-manager channel is sensitive to slow responses, and shuts down any subscriber/callpoint handler/daemon that takes over 15 to 30 seconds to respond. When this happens, the user-manager sees an EOF on its ConfD sockets.
This fix forces the user-manager to look up only the local database.
1492621 : Config-restore fails when backup file has expiry-status field for admin or root user
Component: F5OS-A
Symptoms:
For a root or admin user, if the value for Expiry-status in the backup file is not set to enabled, then config-restore fails.
Conditions:
During backup, if the "Expiry-status" value for admin or root user is not set to enabled, then restore fails with the backup.
Impact:
Database config-restore fails.
Workaround:
For the admin and root users, comment out Expiry-status in the backup file and try the restore again.
Fix:
Added NACM rules in ConfD for successful config-restore.
1486697-1 : Configuring Expiry-status of root and admin user should not be allowed.
Links to More Info: BT1486697
Component: F5OS-A
Symptoms:
The Expiry-status of the root and admin users can be configured, so there is a chance of locking out these users.
Conditions:
This is for root and admin user. If Expiry-status of any user is marked as Locked, that user cannot login to the system.
Impact:
Possibility of default users like root and admin getting locked out.
Workaround:
None
Fix:
Disabled Expiry-status on the GUI for the admin and root users so that it cannot be configured. The Expiry-status field for these two users now always displays the default value "Enabled".
1469925-1 : Timezone changes are not reflected in the log messages until the hardware is rebooted
Component: F5OS-A
Symptoms:
After configuring timezone, /var/log/messages are logged with old timezone till the hardware is rebooted.
Conditions:
Configure timezone from ConfD and verify /var/log/messages.
Impact:
The log messages are logged with old timezone.
Workaround:
After configuring timezone, rebooting the hardware resolves the issue.
Fix:
Added code changes to reflect the new timezone changes in /var/log/messages without rebooting the hardware.
1469385-1 : GUI freezes during LDAP user authentication if no remote GID mapped locally.
Links to More Info: BT1469385
Component: F5OS-A
Symptoms:
The LDAP remote user authentication freezes for a long time (more than a minute).
Conditions:
When trying to authenticate a remote LDAP user through the GUI without mapping any of the remote user GIDs to the F5OS local roles.
Impact:
Authentication freezes for a long period before rejecting the user.
Workaround:
One of the remote GIDs should be mapped to the local F5OS roles.
Fix:
Map the remote GID(s) to the F5OS role(s) to authenticate remote LDAP users successfully.
1466397-2 : LDAP authentication is consuming several minutes to authenticate via GUI and SSH.
Links to More Info: BT1466397
Component: F5OS-A
Symptoms:
LDAP authentication succeeds, but it takes several minutes to complete, which makes for a poor user experience.
Conditions:
- Configure LDAP server-group.
- Configure LDAP_ALL as an authentication-method.
- Log in using LDAP user via GUI or SSH.
Impact:
The user is forced to wait for several minutes to get the result of LDAP authentication.
Workaround:
None
Fix:
Removed unnecessary GID lookup to speed up LDAP authentication.
1441505 : iHealth upload client may fail if ConfD database is offline.
Links to More Info: BT1441505
Component: F5OS-A
Symptoms:
If the ConfD service goes offline when migrating primary key, executing the iHealth upload commands (for example, show system diagnostics ihealth), and in the event of performing any other activity, then the iHealth service may generate a core file.
Conditions:
If the ConfD service goes offline when migrating primary key, executing the iHealth upload commands (for example, show system diagnostics ihealth), and in the event of performing any other activity, then the iHealth service may generate a core file.
Impact:
A core file may be generated.
Workaround:
The iHealth client will restart if it cores. Repeat the iHealth commands after the ConfD database is up and running.
Fix:
Hardening is added in the iHealth client to avoid generating a core file in certain events.
1441425-1 : The rSeries appliance log shows "PSU voltage out value < lower limit, value=0".
Component: F5OS-A
Symptoms:
The following message appears in the logs:
66305 psu-1 psu-fault EVENT Network Access "PSU voltage out value < lower limit, value=0" "2023-12-08 09:00:00.900082135 UTC".
Conditions:
The conditions that trigger this issue are unknown at this time.
Impact:
Users see several "PSU voltage out value < lower limit, value=0" logged messages, which could be falsely reported.
Workaround:
None
Fix:
None
1437765 : Restoration of system configuration database may fail if admin user was previously modified
Links to More Info: BT1437765
Component: F5OS-A
Symptoms:
The restoration of the System Configuration Database fails with this error:
appliance-1(config)# system database config-restore name config_database1 proceed yes
Error: access denied
Database config-restore failed.
Conditions:
In F5OS-A 1.5.1, the expiry status of the ‘admin’ user was modified before the System Configuration Database was saved, and the backup is restored on a device that has just been installed (RMA/factory or F5OS clean install).
Impact:
Unable to restore the System Configuration Database.
Workaround:
1. In F5OS-A 1.5.1, do not lock or modify the expiry status of the ‘admin’ user on an RMA/factory or clean-installed appliance. If it has been modified, enable the user before taking the backup.
2. Edit the System Configuration Database backup file. For the admin and root users, remove the line marked by the arrow below, then restore the configuration using the modified file:
<username>admin</username>
<config>
<username>admin</username>
<password><REMOVED></password>
<last-change>0</last-change>
<expiry-date>-1</expiry-date>
<role>admin</role>
<expiry-status>enabled</expiry-status> <---
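The second workaround above, applied mechanically, as an added example (not F5 code): it drops the `<expiry-status>` line only inside the `admin` and `root` user blocks and writes a modified copy instead of editing the backup in place. The `<user>` wrapper in the constructed sample, the function name and the output-file naming are assumptions; only the element names come from the fragment shown above.

```python
import re
import sys

# Constructed sample in the shape of the fragment above. The <user> wrapper
# and the "operator1" account are assumptions made for illustration.
SAMPLE_BACKUP = """\
<user>
  <username>admin</username>
  <config>
    <username>admin</username>
    <last-change>0</last-change>
    <expiry-date>-1</expiry-date>
    <role>admin</role>
    <expiry-status>enabled</expiry-status>
  </config>
</user>
<user>
  <username>root</username>
  <config>
    <username>root</username>
    <role>root</role>
    <expiry-status>enabled</expiry-status>
  </config>
</user>
<user>
  <username>operator1</username>
  <config>
    <username>operator1</username>
    <role>operator</role>
    <expiry-status>locked</expiry-status>
  </config>
</user>
"""

PROTECTED_USERS = {"admin", "root"}
USERNAME_RE = re.compile(r"<username>([^<]*)</username>")
# The element must be alone on its line, as in the fragment on this page.
EXPIRY_LINE_RE = re.compile(r"^\s*<expiry-status>[^<]*</expiry-status>\s*$")


def strip_expiry_status(text):
    """Return (cleaned_text, removed) where removed lists (line_no, user).

    Only lines inside an admin/root block are dropped; every other user's
    expiry-status is left untouched.
    """
    kept, removed = [], []
    current_user = None
    for line_no, line in enumerate(text.splitlines(keepends=True), start=1):
        match = USERNAME_RE.search(line)
        if match:
            current_user = match.group(1).strip()
        if current_user in PROTECTED_USERS and "<expiry-status>" in line:
            if not EXPIRY_LINE_RE.match(line):
                # Refuse to guess when the element shares a line with
                # other content: deleting the line would drop that too.
                raise ValueError(
                    f"line {line_no}: expiry-status is not on its own line")
            removed.append((line_no, current_user))
            continue
        kept.append(line)
        if "</config>" in line:
            # Leaving the user's config block: stop attributing lines to it.
            current_user = None
    return "".join(kept), removed


if __name__ == "__main__":
    # Usage: script.py <backup-file>; writes <backup-file>.fixed
    src = sys.argv[1]
    with open(src, encoding="utf-8") as handle:
        cleaned, removed = strip_expiry_status(handle.read())
    with open(src + ".fixed", "w", encoding="utf-8") as handle:
        handle.write(cleaned)
    for line_no, user in removed:
        print(f"removed expiry-status for {user} (line {line_no})")
```

Compare the `.fixed` copy against the original with `diff` before restoring, so that only the expected lines differ.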
1436373 : iHealth upload not supported on F5OS-A
Component: F5OS-A
Symptoms:
The iHealth upload service has changed its authentication schema to OKTA, and requires a Client ID and Client Secret rather than a User ID and Password. Version 1.5.1 (and previous versions) of F5OS-A do not support this authentication schema.
Conditions:
Always
Impact:
Users will not be able to directly upload QKView files to iHealth from the appliance because of the change in the authentication schema.
Workaround:
1. Use the file export feature to download the QKView from the appliance to a local PC.
2. Sign on to ihealth.f5.com.
3. Use the upload feature to upload the QKView to the iHealth service.
Fix:
Added Client ID and Client Secret fields to the iHealth page on the webUI. Users can upload QKView files to iHealth.
1436153-1 : F5OS upgrades fail when SNMP configuration contains special characters.
Component: F5OS-A
Symptoms:
As part of some security fixes, a special-character restriction was added to the SNMP configuration in F5OS-A 1.5.1. This resulted in upgrade failures to 1.5.1. If an upgrade to 1.5.1 is successful, the SNMP configuration is deleted implicitly.
Conditions:
Upgrade to 1.5.1 fails when the SNMP configuration contains any special characters. The restricted special characters are: /*!<>^,/
Impact:
If the user encounters this issue, the system will go to an inaccessible state and require a forced downgrade.
Workaround:
Delete the SNMP configuration (community, target, or user) containing special characters before performing an upgrade to 1.5.1.
Fix:
Special characters in the SNMP configuration do not introduce any security issues and are permitted. Hence, the special-character restriction is removed in F5OS-A 1.5.2 and F5OS-A 1.8.0.
1429721-1 : SCP as non-root user does not report errors correctly for bad/non-existent files.
Component: F5OS-A
Symptoms:
Using SCP to retrieve files from F5OS as "admin" or other non-root users should report a proper error when attempting to access an invalid directory or non-existent file.
Instead, the SCP command does nothing, reports no error, and exits with a non-zero exit status.
Conditions:
Attempt to read a non-existent/inaccessible file via SCP.
Impact:
The user is not informed about the failed SCP operation and the reason for the failure.
Fix:
SCP server software now reports errors for invalid/inaccessible filenames.
1397145-2 : Unable to add blade to Openshift cluster, if VELOS partition root password is expired or locked
Links to More Info: BT1397145
Component: F5OS-A
Symptoms:
If a VELOS partition root password is expired or locked, the system may be unable to add the blade to the Openshift cluster (or manage the cluster).
The "show cluster" command output will report that a blade is reachable ("able to ping"), but will not be able to connect to it ("able to SSH"):
ABLE ABLE
IN READY TO TO PARTITION
INDEX NAME INSERTED CLUSTER CLUSTER PING SSH STATE LABEL
--------------------------------------------------------------------------------------------------
1 blade-1.chassis.local true false false true false Not In Cluster
2 blade-2.chassis.local true false false true false Not In Cluster
3 blade-3.chassis.local true false false true false Not In Cluster
Conditions:
-- VELOS partition
-- root account in partition is expired or locked
Impact:
- Blade will not join Openshift cluster.
- Unable to deploy Tenants to blade.
Workaround:
Re-enable the root user account for the partition:
system aaa authentication users user root config expiry-status enabled
1393269-1 : Error log: "PINGLOOP Failed to ssh to 127.0.0.1"
Links to More Info: BT1393269
Component: F5OS-A
Symptoms:
"PINGLOOP Failed to ssh to 127.0.0.1" logged in platform.log by Appliance Orchestration Manager.
Conditions:
1. root user locked with expiry status set to "locked".
2. Appliance rebooted after locking root user.
Impact:
Internal processes relying on root user may malfunction.
Workaround:
Avoid locking the root user account by not setting the expiry status to "locked".
Use appliance mode for root user lockdown.
1388945-1 : Fan speed randomly shows as '0'.
Component: F5OS-A
Symptoms:
The fan speed is randomly and incorrectly reported as '0'.
Conditions:
Checking the sensors using GET:bmc/sensors.
Impact:
The fan speed is reported as '0'.
Workaround:
None
Fix:
This issue has been fixed, and the fan speed no longer randomly reports as '0'.
1388745-1 : Large numbers of platform-hal errors logged in platform.log: "Requested Sensor, data, or record not present."
Links to More Info: BT1388745
Component: F5OS-A
Symptoms:
The platform-hal service is intermittently logging a large number of messages similar to the following in platform.log:
appliance-1 platform-hal[8]: priority="Err" msg="Action Error" index=0 message="Requested Sensor, data, or record not present." interface="job-665402" actionKey="GET:lop/pel" jobId=665402
There may be tens of thousands of log messages in some cases.
Conditions:
The conditions that trigger this issue are unknown at this time.
Impact:
The platform.log file becomes filled up with many of these log messages, and they must be filtered out to review the logs effectively.
Workaround:
None
Fix:
None
1388477-2 : Default GID group mapping authorized even when GID mapped to different group ID
Component: F5OS-A
Symptoms:
When a role (group) is mapped to a custom remote group ID (GID), the default GID (e.g. 9000 for admin) is also authorized for the same group.
Conditions:
The admin role (GID 9000), operator role (GID 9001), user role (GID 9002), or the resource-admin role (GID 9003) is assigned a non-default GID.
Impact:
Remote users with GIDs 9000, 9001, 9002, or 9003 maintain the default access for their user role.
Workaround:
Do not assign the F5's default admin, operator, and resource admin role IDs (GID) to the remote user groups. These GIDs are 9000, 9001, and 9003 respectively.
For a customer who uses the versions with the issue, if higher privilege user group IDs are anything different from 9000, 9001, and 9003, do not assign 9000, 9001, and 9003 GIDs to any other group in the external directory, and do not assign default F5 role GIDs to any user. The default GIDs 9000, 9001, and 9003 should be entirely unassigned in the directory, or assigned to placeholder groups that are prohibited from user assignment.
See the role GIDs in ConfD CLI with the following command:
show system aaa authentication roles role
See the 'GID' column in the command output and don't assign those GIDs to users.
Fix:
If a remote-GID is configured for a role, the default GID will no longer authenticate for that role.
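An audit of directory exports for accounts that still hold a default F5OS role GID, added here as an example and not F5 code. It assumes users and groups have been exported in passwd/group format (for example with getent); the sample data, the names and the remapped GIDs 5000 and 5001 are constructed. It counts secondary group memberships as well as primary GIDs.

```python
"""Flag directory accounts that hold the default GID of a remapped F5OS role."""

# Default role GIDs as listed in this release note.
DEFAULT_ROLE_GIDS = {9000: "admin", 9001: "operator", 9002: "user", 9003: "resource-admin"}

# Constructed sample export in passwd(5) format: name:pw:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
alice:x:1001:5000:Alice:/home/alice:/bin/bash
bob:x:1002:9000:Bob:/home/bob:/bin/bash
carol:x:1003:100:Carol:/home/carol:/bin/bash
dave:x:1004:100:Dave:/home/dave:/bin/bash
"""

# Constructed sample export in group(5) format: name:pw:gid:member,member
SAMPLE_GROUP = """\
f5-admins:*:5000:alice
legacy-ops:*:9001:carol,dave
users:*:100:
placeholder-9003:*:9003:
"""


def parse_passwd(text):
    """Return {username: primary_gid}; malformed and comment lines are skipped."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 4 or not fields[3].isdigit():
            continue
        users[fields[0]] = int(fields[3])
    return users


def parse_group(text):
    """Return {gid: set(member names)}; malformed and comment lines are skipped."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 4 or not fields[2].isdigit():
            continue
        members = {m for m in fields[3].split(",") if m}
        groups.setdefault(int(fields[2]), set()).update(members)
    return groups


def audit(passwd_text, group_text, remapped_roles):
    """Return sorted (user, role, default_gid, how) tuples.

    remapped_roles maps a role name to the custom remote GID configured for it.
    Only roles present in that mapping are checked, because those are the roles
    where a holder of the default GID is not expected to have access.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []
    for gid, role in DEFAULT_ROLE_GIDS.items():
        if role not in remapped_roles:
            continue
        for user, primary in users.items():
            if primary == gid:
                findings.append((user, role, gid, "primary"))
        for member in groups.get(gid, ()):
            # Avoid a duplicate finding when the group is also the primary GID.
            if users.get(member) != gid:
                findings.append((member, role, gid, "secondary"))
    return sorted(findings)


if __name__ == "__main__":
    # Hypothetical remapping: admin -> 5000, operator -> 5001.
    for finding in audit(SAMPLE_PASSWD, SAMPLE_GROUP, {"admin": 5000, "operator": 5001}):
        print("%s holds default %s GID %d (%s)" % finding)
```

An empty group that carries a default GID, like the placeholder group in the sample, produces no finding, which matches the placeholder-group advice in the workaround.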
1379845-1 : CVE-2023-3341:bind: stack exhaustion in control channel code may lead to DoS
Links to More Info: K000137582
1379625-4 : Changing the max-age attribute in password policy is not reflecting immediately
Links to More Info: BT1379625
Component: F5OS-A
Symptoms:
Even after setting the max-age value (maximum age, in days, after which the password will expire) to less than 7 days, the password expiration warning is not displayed at the next login.
Conditions:
Set max-age attribute to less than 7 (days) and check if password expiration warning is prompted at the time of next login.
Impact:
Password expiration feature is not working as expected.
Workaround:
N/A
Fix:
A fix is provided to sync the max-age value, updated from the ConfD CLI, with the user's password expiration attribute in /etc/shadow on the system.
1378805-4 : Error occurs when changing LAG type for an existing LAG interface on webUI
Links to More Info: BT1378805
Component: F5OS-A
Symptoms:
On the webUI, if a LAG type changes from LACP, an error displays when that LAG type changes back to LACP.
Conditions:
The error occurs when attempting to change the LAG type on an existing LAG interface to a previously used type.
(i.e. Creating a LAG interface with type LACP, changing that type to Static, and then changing it back to LACP)
Impact:
This issue does not affect functionality; however, an unnecessary "Object Already Exist" error pop-up appears.
Workaround:
To avoid the pop-up, change the LAG type to LACP using the CLI in this scenario.
Fix:
Changing the LAG type on an existing LAG interface to a previously used type no longer triggers an error pop-up on the webUI.
1378313-3 : CVE-2020-22218: libssh2: use-of-uninitialized-value in _libssh2_transport_read
Links to More Info: K000138219
1366337-2 : Adding a system raid drive fails after successful removal
Links to More Info: BT1366337
Component: F5OS-A
Symptoms:
If the system is set up using bare-metal installation of 1.5.1 and later versions, the user will not be able to add an SSD after removing an existing SSD from RAID.
Conditions:
The system must have been bare-metal installed using 1.5.1 and later versions.
Impact:
User is unable to remove/add SSD into RAID.
Workaround:
N/A
Fix:
After upgrading to 1.7.0 and later versions, SSD can be added and removed from RAID.
1365985-2 : GID role mapping may not work with secondary GID
Links to More Info: BT1365985
Component: F5OS-A
Symptoms:
When a user in an external authentication system (LDAP, Radius, TACACS) is given a GID for an F5 role, and that GID is a secondary GID, the role assignment may not be discovered. This would result in the inability to access the system or be able to configure the system for that user.
Conditions:
- User in an external authentication system (LDAP, Radius, TACACS)
- GID corresponding to F5 role is a secondary GID (for example, it is not the user's default GID, rather a GID from a group to which the user belongs)
Impact:
Inability to log into the system, or inability to configure the system for the user in question.
Workaround:
The GID for the desired role should be the GID directly mapped to the user in the external authentication system (for example, in LDAP, the gidNumber on the user object should be the F5 role GID), rather than a secondary GID (for example, in LDAP, the gidNumber on a group of which the user is a member).
Fix:
All GID role mappings are properly considered when discovering role assignments for users in external authentication systems.
1365821-2 : Traffic loss of 5-10 seconds after disable/enable of LACP Lag member on r5000/r10000
Links to More Info: BT1365821
Component: F5OS-A
Symptoms:
Disabling and then re-enabling a LACP Lag member can result in traffic loss of up to 10 seconds on r5000/r10000 platforms.
Conditions:
Disable then re-enable LACP Lag member on r5000/r10000 platforms.
Impact:
Traffic loss lasting up to 10 seconds.
Workaround:
N/A
Fix:
Don't hold a mutex while processing the set of links to initialize. Make a copy of the links and release the mutex instead.
1360905-3 : Unexpected log messages in /var/log/boot.log post-integrity recovery
Links to More Info: BT1360905
Component: F5OS-A
Symptoms:
Users may observe the following inappropriate log message in /var/log/boot.log after recovering from integrity failure:
Sep 28 08:45:08 appliance-1 journal: FIPS Integrity Check: This system has been placed in an error state. Try to recover the system using /usr/libexec/ostree_recover utility or reinstall the system. On many devices pressing the escape key followed by '(' key will bring up a menu that allows the system to be restarted.
Conditions:
The integrity failure occurs when the device is in FIPS mode, and a user alters or removes a file, subsequently executing an on-demand integrity test or a boot-up integrity test.
Impact:
There are no noticeable performance issues or anomalies associated with these log messages, and the issue does not affect the overall system performance or user experience. There are no potential risks or security concerns related to the inappropriate log messages.
Workaround:
N/A
Fix:
The code has been modified to provide more user-friendly log messages.
1359897-2 : rSeries link down events can be missed
Links to More Info: BT1359897
Component: F5OS-A
Symptoms:
The rSeries platform can occasionally fail to detect a link going down due to the removal of the cable.
Conditions:
Remove fiber optic cable.
Impact:
Links that are DOWN stay operationally UP. This can lead to erroneous LACP and/or LAG state.
1355277-4 : Incorrect Vlan Listeners when a Static FDB is configured
Links to More Info: BT1355277
Component: F5OS-A
Symptoms:
When a Static FDB is configured on an interface, Vlan Listeners associated with that interface will have an extra Service ID configured for Service ID 1.
Conditions:
A Static FDB is configured on an interface.
Impact:
Extra broadcast traffic will be generated on the system, which could affect performance.
Workaround:
N/A
Fix:
N/A
1352449-7 : iHealth upload is failing with error "certificate signed by unknown authority"
Links to More Info: BT1352449
Component: F5OS-A
Symptoms:
When attempting to use the QKView upload feature, the upload may fail with the message "certificate signed by unknown authority". This is due to a recent change in certificate authority that is inconsistent between F5OS and iHealth.
Conditions:
Always, after mid-September 2023.
Impact:
Unable to upload QKView files to iHealth with a single click.
Workaround:
Users may use the File Export feature to download QKView files to their PCs, and then upload those files to iHealth.
You can find the qkview files in the GUI at System Settings :: File Utilities, then choose "diags/shared" as the base directory, then select "qkview".
Fix:
Certificate authorities used by the iHealth upload feature in F5OS will be updated.
1352421-2 : L2 services (LACP/LLDP) are down on r2000 and r4000 series appliances
Links to More Info: BT1352421
Component: F5OS-A
Symptoms:
LLDP and LACP will appear to be non-functional on the F5OS system.
LLDP/LACP PDUs reach the F5OS system, which can be verified with tcpdump.
Conditions:
-- r2000 and r4000 series appliances.
-- LLDP or LACP is configured.
-- Links are up.
Impact:
L2 protocols fail to negotiate or register inbound data.
Workaround:
Reboot.
1351529-2 : Fixing the log issue stating "UNSUPPORTED STP state" when STP global is configured
Links to More Info: BT1351529
Component: F5OS-A
Symptoms:
A log message appears, stating "UNSUPPORTED STP state" when STP global is configured to RSTP.
Conditions:
Removing the global config (initially set to STP) and setting it to RSTP.
Impact:
Reliable and correct log messages.
Workaround:
NA
1349465-4 : Partition s/w upgrade compatibility check doesn't use correct target version
Links to More Info: BT1349465
Component: F5OS-A
Symptoms:
When performing the partition database compatibility upgrade check (check-version/set-version), the check logic does not always use the correct target version. This potentially can cause the compatibility check to pass, but the actual database upgrade can fail and automatically roll back.
Conditions:
When the target partition version is a patch release (such as 1.5.1, 1.6.1), the compatibility check will use the wrong (base release) version.
Impact:
The check-version/set-version database compatibility check might pass even though the actual upgrade would fail.
Workaround:
Upgrade the controller s/w to version F5OS-C 1.6.1 or later prior to attempting upgrade to a partition patch release.
Fix:
The controller OS services use the correct partition patch version for the compatibility check.
1338521-2 : Unable to login when accessing F5OS GUI through a network proxy on a port other than 443.
Links to More Info: BT1338521
Component: F5OS-A
Symptoms:
Users are not able to log in to the UI when trying to access F5OS GUI through a network proxy running on a port other than 443.
Conditions:
GUI should be accessed via a network proxy running on a port other than 443.
Impact:
Users are not able to log in to the GUI.
Workaround:
None
Fix:
After the fix, GUI now reads the port along with the hostname from the URL and can use the port in making API calls (including login API calls).
1332997-2 : Device stuck at "unmounting containers" after performing reboot
Component: F5OS-A
Symptoms:
When a console session to any tenant on F5OS-A is open (using virtctl console <tenant_name>) and the system is rebooted, the system might sometimes get stuck at "unmounting containers" during the reboot.
Conditions:
Open the console session to any of the tenants using virtctl utility and reboot the system.
Impact:
After rebooting, system takes time to fully start up.
Workaround:
Power off and on the system whenever the issue is hit.
Fix:
Fixed the issue related to device stuck at unmounting containers after the reboot.
1332781-4 : A remote user with the same username as the local F5OS user will be granted the local user's roles
Links to More Info: BT1332781
Component: F5OS-A
Symptoms:
If you create a remote user on the RADIUS, TACACS+, or LDAP servers with the same username as a local F5OS user, the remote user will be granted the local user's roles upon authentication.
Conditions:
A remote user is created with the same username as a local user and remote authentication is enabled.
Impact:
Remote user will take the local user's privileges.
Workaround:
Do not create a remote user with the same username as the local user. If you have created already, change the username for either the local user or the remote user.
Fix:
If a remote user is created with the same username as a local user, the remote user's authentication will be rejected. Only the local user will have access to the F5OS system.
1330717-2 : LLDP neighbors are not getting discovered
Links to More Info: BT1330717
Component: F5OS-A
Symptoms:
When a user configures all LLDP interfaces at one time, the LLDP neighbor details do not show up.
Conditions:
Configure LLDP interfaces at one time.
Impact:
The "show lldp" command will not show neighbor details even if the interfaces/ports are connected to a peer switch.
Workaround:
The issue arises when all LLDP interfaces are configured at one time. However, if the LLDP interfaces are disabled and then enabled one by one, the issue is generally not observed.
Fix:
The issue arises when all LLDP interfaces are configured at one time. However, if the LLDP interfaces are disabled and then enabled one by one, the issue is generally not observed.
1329161-3 : In non-FIPS mode, added support for the SSH-RSA host key algorithm
Links to More Info: BT1329161
Component: F5OS-A
Symptoms:
Not able to establish an SSH connection using the SSH-RSA host key algorithm in non-FIPS mode.
Conditions:
Connect to the device from the SSH client using the SSH-RSA host key algorithm in non-FIPS mode.
Impact:
The SSH connection to the device could not be established.
Workaround:
None
Fix:
Added SSH-RSA host key algorithm support in non-FIPS mode.
1328977-1 : Appliance Orchestration Manager fails due to memory corruption
Links to More Info: BT1328977
Component: F5OS-A
Symptoms:
Appliance Orchestration Manager fails, leading to a restart of the docker container. We can observe a core as well.
Conditions:
There are no preconditions. The failure is caused by memory corruption in the system. The issue does not occur consistently.
Impact:
OMD restarts; this will not generally disturb the tenant's functionality.
Workaround:
N/A
Fix:
Fixed the issues related to memory corruption in the Appliance Orchestration Manager.
1328729 : Slow memory leak when processing tenant telemetry
Links to More Info: BT1328729
Component: F5OS-A
Symptoms:
The system will eventually run out of memory. Up until the point of service restart, the memory utilization will negatively impact running tenants, causing potential memory allocation errors.
Conditions:
When a BIG-IP tenant of version 15.1.7 or earlier is running.
Impact:
Excessive memory utilization will impact operational performance of the F5OS and tenants.
Workaround:
The mitigation is to update a BIG-IP tenant version to 15.1.8 or newer, or to update to F5OS 1.5.1.
1328405-2 : F5OS system stopped generating tmstat snapshots
Links to More Info: BT1328405
Component: F5OS-A
Symptoms:
The F5OS system is not generating the tmstat snapshots, which help in diagnosing issues.
Conditions:
System is running an affected version of F5OS software (F5OS-A 1.2.0 and above, or F5OS-C 1.6.0 and above).
Impact:
Impacts the supportability of the device; the support teams usually rely on the snapshots while working on field issues.
1327701-4 : Space in SNMP community/user/target name causing snmpd container restart
Links to More Info: BT1327701
Component: F5OS-A
Symptoms:
When there is a space in any SNMP community/user/target name configuration, this will cause an F5OS snmpd service restart.
Conditions:
When there is a space in an SNMP community/user/target name configuration.
Impact:
F5OS snmpd restarts.
Workaround:
Reconfigure the SNMP community/user/target without a space in the name.
Fix:
Added a space restriction in SNMP community/user/target name configuration so the user can no longer configure with a space.
1326837 : Using UI, unable to configure the account expiry date for the user as the request is not delivered to the backend.
Links to More Info: BT1326837
Component: F5OS-A
Symptoms:
Even if the user account is locked using GUI, the authentication is successful for the current user account.
Conditions:
Unable to configure the locking of a user account in the backend.
Impact:
The user account is not locked thus enabling successful authentication.
Workaround:
Added expiry-status to ConfD and UI to define an expiry date for a specific user account with "enabled", "locked", or <string>[YYYY-MM-DD] value.
Or add expiry-status in ConfD instead of the UI to configure expiry of any user account except the Admin or Root user account.
Fix:
Added expiry-status to configure expiry of any user account.
1326725-4 : Unable to generate SNMP Trap for IPV6
Links to More Info: BT1326725
Component: F5OS-A
Symptoms:
Generating SNMP traps for IPv6 is not working.
Conditions:
1. Configure SNMP traps for an IPv6 address:
appliance-1# show system snmp
system snmp engine-id state engine-id 80:00:2f:f4:03:00:94:a1:38:33:02
system snmp engine-id state type mac
system snmp state port 5000
system snmp targets target v1_target
state name v1_target
state community c1
state security-model v1
state ipv6 address 2620:128:e8:49:f816:3eff:fe9:248e
state ipv6 port 5011
SECURITY
NAME NAME MODEL
----------------------
c1 c1 [ v1 ]
2. Try to collect SNMP traps on targeted system:
[root@testvm ~]# snmptrapd -Lof 2620:128:e008:4009:f816:3eff:fe09:248e:5011
NET-SNMP version 5.7.2
Impact:
SNMP traps for IPv6 addresses won't work.
Workaround:
N/A
Fix:
We corrected the code for generating SNMP traps for IPv6 addresses.
1326541-2 : In r2000 and r4000 systems, alarm LED is not set when there are alerts raised in the system
Links to More Info: BT1326541
Component: F5OS-A
Symptoms:
When system has any alarm, alarm LED will not be set, and diag-agent is not clearing all the alarms during the boot up.
Conditions:
Applicable for r2000 and r4000 systems.
Impact:
Alarm LED will not be set when system generates any alarm, and diag-agent will not clear all the alarms during the boot up.
Workaround:
When system generates alarms, they can be seen using ConfD.
Fix:
When the system generates any alarm, the alarm LED will be set, and diag-agent will clear all the alarms during system boot up.
1326157-2 : Observed multiple containers restarting and cores generating after PXE installation
Links to More Info: BT1326157
Component: F5OS-A
Symptoms:
As a result of "permission denied" errors, some containers begin crashing after a PXE installation. Core files are also generated.
Conditions:
Seen due to a timing issue after PXE installation. Some containers come up before they can be supported.
Impact:
Containers crash or functionality is impacted. Core files are generated.
Workaround:
Modify the /var/docker/config/platform.yml with information below:
+ selinux_labeler:
+ container_name: selinux_labeler
+ image: +${platform_services_registry}/system_network:1.4.14
+ volumes:
+ - /var/F5/system:/var/F5/partition:z
+ labels:
+ f5.service.type: "system"
identifier:
container_name: system_latest_vers
image: ${platform_services_registry}/system_network:1.4.14
+ depends_on:
+ - selinux_labeler
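Review bot: the added selinux_labeler entry reads "image: +${platform_services_registry}/system_network:1.4.14", while the existing identifier entry uses "image: ${platform_services_registry}/system_network:1.4.14"; the "+" after "image:" looks like a stray diff marker and should be dropped so both entries reference the same image. The snippet has also lost its indentation, so the added keys need to be nested under their service (container_name, image, volumes and labels under selinux_labeler, depends_on under identifier) to match the rest of platform.yml, and the "/var/F5/system:/var/F5/partition:z" volume should stay a list item under volumes because the ":z" suffix is what relabels the shared content.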
Then, restart the platform-services-deployment.service.
Fix:
Containers should not be crashing after a PXE installation now. No core files should be generated.
1324737-1 : The output of the command "ethtool --show-priv-flags" on all interfaces needs to be collected in QKView
Links to More Info: BT1324737
Component: F5OS-A
Symptoms:
Before, output from the command "ethtool --show-priv-flags" was not being collected in QKView for any of the interfaces.
Conditions:
The user generates a QKView file. The output of the command "ethtool --show-priv-flags" is missing in the 'Commands' section of the QKView.
Impact:
Having access to this command's output will help to identify if the 'vf-true-promisc-support' flag is SET/UNSET. This additional information can help the support team debug issues.
Workaround:
N/A
Fix:
Output for the command "ethtool --show-priv-flags" is now collected for each interface in the 'Commands' section of QKView.
1322817-4 : BIND vulnerability CVE-2023-2828
Links to More Info: K000135312
1317793-1 : F5OS qat-support-pod service crashed with SIGBUS error
Links to More Info: BT1317793
Component: F5OS-A
Symptoms:
Sometimes, a script inside qat-support-pod cannot handle a SIGBUS signal that it receives.
Conditions:
Intermittently seen without any specific conditions.
Impact:
No functional impact, only a core file gets generated.
Workaround:
N/A
Fix:
We haven't seen this issue since the fix went in. However, since there isn't a specific use case to repro, the exact scenario can't be tested.
1316097-3 : LAGs not programmed when adding VLAN to LAG
Links to More Info: BT1316097
Component: F5OS-A
Symptoms:
Traffic from a LAG is not reaching the tenant.
Conditions:
1) Add a VLAN to a LAG and add that VLAN to a tenant in the same commit.
2) Configuration read following blade reboot.
Impact:
LAGs are not programmed; traffic doesn't reach tenant.
Workaround:
Workaround for condition (1): Add the VLAN to the LAG, commit; then add the VLAN to the tenant.
Fix:
Fixed usage of mutexes to prevent a deadlock when LAG programming is happening in parallel with VLAN programming.
1315149-4 : Users authenticated via TACACS+ cannot log in via serial console
Links to More Info: BT1315149
Component: F5OS-A
Symptoms:
If remote authentication is configured to use TACACS+, users authenticated via TACACS+ cannot log in via the system serial console.
SELinux errors similar to the following appear in /var/log/audit/audit.log:
type=AVC msg=audit(1691528610.427:121): avc: denied { name_connect } for pid=13249 comm="login" dest=49 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
Conditions:
-- TACACS+ remote authentication.
-- Attempting to log in to system via serial console.
Impact:
Only locally-defined users can log in to the system via serial console.
Workaround:
Configure the SELinux policy to allow this traffic. On a VELOS chassis, these instructions must be run on each system controller separately.
1. Connect to the F5OS system via SSH as root.
2. Examine the SELinux audit denials and confirm all of them are associated with traffic that should be allowed:
grep 'denied.*name_connect.*comm="login"' /var/log/audit/audit.log > /root/login-audit-denials.log
cat /root/login-audit-denials.log
Remove entries from the file /root/login-audit-denials.log that you do not want to allow.
3. After confirming the contents of the file /root/login-audit-denials.log, run the following commands to create and install an SELinux policy to allow that traffic:
audit2allow -M login.allowtacacs < /root/login-audit-denials.log
semodule -i login.allowtacacs.pp
Fix:
A missing SELinux exception has been added. Users authenticated via TACACS+ are now able to log in via serial console without having to manually add the exception or turn off SELinux.
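One way to do the review in step 2 before running audit2allow, as an added example that is not part of F5's procedure: it keeps only login denials for name_connect to the TACACS+ port and sets everything else the grep matched aside for manual review. Port 49 is taken from the dest=49 in the denial above; the second and third sample lines are constructed.

```python
"""Triage SELinux AVC denials before turning them into a policy module."""
import re

# Same pattern as the grep in step 2 of the workaround.
GREP_PATTERN = re.compile(r'denied.*name_connect.*comm="login"')
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')

SAMPLE_AUDIT_LOG = "\n".join([
    # Denial quoted in the release note.
    'type=AVC msg=audit(1691528610.427:121): avc: denied { name_connect } for '
    'pid=13249 comm="login" dest=49 '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0',
    # Constructed: same process, but an unexpected destination port.
    'type=AVC msg=audit(1691528700.100:130): avc: denied { name_connect } for '
    'pid=13301 comm="login" dest=8080 '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0',
    # Constructed: unrelated denial that the grep never selects.
    'type=AVC msg=audit(1691528710.200:131): avc: denied { read } for '
    'pid=900 comm="snmpd" name="shadow" scontext=system_u:system_r:snmpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
])


def parse_avc(line):
    """Return the key=value fields of an AVC denial plus its permission list."""
    match = PERMS.search(line)
    if not match:
        return None
    fields = {key: value.strip('"') for key, value in KEY_VALUE.findall(line)}
    fields["perms"] = match.group(1).split()
    return fields


def is_expected_tacacs_denial(fields, allowed_ports):
    """True only for login -> TCP connect to an allowed TACACS+ port."""
    scontext = fields.get("scontext", "").split(":")
    dest = fields.get("dest", "")
    return (
        fields["perms"] == ["name_connect"]
        and fields.get("comm") == "login"
        and fields.get("tclass") == "tcp_socket"
        and len(scontext) > 2 and scontext[2] == "local_login_t"
        and dest.isdigit() and int(dest) in allowed_ports
    )


def triage(log_text, allowed_ports=(49,)):
    """Split grep-matched denials into (keep, review) lists of raw lines."""
    keep, review = [], []
    for line in log_text.splitlines():
        if not GREP_PATTERN.search(line):
            continue  # not selected by the workaround's grep at all
        fields = parse_avc(line)
        if fields and is_expected_tacacs_denial(fields, allowed_ports):
            keep.append(line)
        else:
            review.append(line)
    return keep, review


if __name__ == "__main__":
    keep, review = triage(SAMPLE_AUDIT_LOG)
    print("keep for audit2allow:", len(keep))
    print("needs manual review: ", len(review))
```

Only the lines in the first list belong in /root/login-audit-denials.log; if the TACACS+ servers listen on another port, pass it in allowed_ports.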
1315121-1 : Key migration failure and potential corruption updating to 1.5.0 or later with deployed tenants
Links to More Info: BT1315121
Component: F5OS-A
Symptoms:
When setting a new primary key after upgrading from an older release (such as 1.1.1 or older), where tenants are deployed, to 1.5.0 or newer, the key migration may fail.
The migration failure may cause configuration database corruption for the entire system.
Conditions:
Tenants are deployed on release 1.1.1 or older. Upgrade to 1.5.0 or newer (including through intermediate upgrades, such as 1.1.1 -> 1.3.2 -> 1.5.1). Set new primary key.
Impact:
Setting a new primary key may fail. When this failure occurs, system configuration corruption may occur.
Workaround:
Mitigation to prevent failure:
- Change all tenants to the configured state
- Set a new primary key
- Wait for key migration to complete
- Return tenants to deployed state.
Recovery for corruption:
- Reset device to default configuration
- Set the primary key to the known primary key for a known-good backup
- Restore with known-good backup
Fix:
Fix known causes of database corruption on primary key migration failure. While the primary key configuration may still fail if tenants are in deployed state, it should no longer cause system corruption.
1315065-4 : RSA-1024 SSH public keys should not be allowed in FIPS mode
Links to More Info: BT1315065
Component: F5OS-A
Symptoms:
When logging into an F5OS or BIG-IP system that is in FIPS mode, RSA-1024 SSH public keys should not be allowed to make the connection. Users should instead be prompted for a password.
Conditions:
User creates an RSA-1024 SSH public key and uses it to connect to the system, while the system is in FIPS mode.
Impact:
The user is allowed to authenticate with the key, which should not be allowed.
Workaround:
N/A
Fix:
Users cannot authenticate with an RSA-1024 SSH public key while the system is in FIPS mode.
1314917-2 : Command "show system health components component psu-2" results in errors
Links to More Info: BT1314917
Component: F5OS-A
Symptoms:
When a second PSU is added to an R2/R4 device, the system health does not show psu-2 as a known component.
Conditions:
After inserting a second PSU, if a power cycle or system reboot happens, diag-agent is sometimes not completely up; it then misses the bmc-events generated for PSU presence and updates the PSU as not present.
Impact:
This will cause diag-agent to update the PSU as not present, and it will not be shown in "show system health".
Workaround:
Run the following platform-hal psf actions as a workaround; they generate the bmc-events for PSU presence again:
docker exec -ti platform-hal psf run POST:bmc/rearm-sensor-events sensorNumber=1
docker exec -ti platform-hal psf run POST:bmc/rearm-sensor-events sensorNumber=2
Fix:
Updated diag-agent to initiate bmc re-arm sensors only once diag-agent is up properly, so that it does not miss any bmc-events.
1314453-1 : Datapath is broken when LAG type is changed from LACP to Static on r2000/r4000 platforms
Links to More Info: BT1314453
Component: F5OS-A
Symptoms:
On r2000 and r4000 platforms, we can create a LAG as type LACP with a BIG-IP tenant. Later, when the datapath is up and running, if we change the LAG type to Static, the datapath on the tenant is broken. The platform sends the state of the members of the LAG as DOWN and hence LAG is DOWN on the BIG-IP tenant.
Conditions:
When LAG type is changed from LACP to Static.
Impact:
Datapath is completely broken while using the LAG configured.
Workaround:
Bring the DOWN members of the LAG back UP with the following configuration:
1. interfaces interface <ifc name> config admin disable
This moves the interface to the DOWN state; then move it back to the enabled state.
2. interfaces interface <ifc name> config admin enable
Fix:
Datapath no longer breaks when changing the LAG type from LACP.
1313329-2 : Downloaded F5OS ISO file missing after reboot
Links to More Info: BT1313329
Component: F5OS-A
Symptoms:
The system deletes ISOs that are not verified. If a user reboots the system while an ISO import is in progress, the ISO "fails" the verification and is deleted.
Conditions:
Seen if a user reboots the system while an ISO import is in progress (e.g. verifying state).
Impact:
ISO file will be deleted.
Workaround:
Download the ISO again and wait until it has been verified to reboot.
Fix:
There is no longer an issue with rebooting the system while an ISO import is in progress.
1312169-2 : User expiration is not configurable nor viewable on the webUI
Links to More Info: BT1312169
Component: F5OS-A
Symptoms:
User expiration is not configurable nor viewable on the webUI.
Conditions:
Trying to configure/view user expiration on webUI.
Impact:
The user cannot view or modify the expiry information for a system user account.
Workaround:
The expiry information for a user account can be viewed or configured at CLI.
Fix:
On the webUI the "Account Locked" widget will be replaced by the "Expiry Status" configuration which will allow locking the user in a similar fashion as the CLI.
1311953-1 : Platform-services-deployment service does not come up when system reboots early after PXE install
Links to More Info: BT1311953
Component: F5OS-A
Symptoms:
Observed that platform-services-deployment service fails to come up if the system reboots while image import is in-progress after a system PXE install.
Conditions:
The issue only happens after a PXE install if the system reboot is triggered while image import is in progress. The platform-services-deployment startup script was not waiting long enough for sw-mgmt to set up the env_var file.
Impact:
Platform-services-deployment does not come up for the system.
Workaround:
N/A
Fix:
Implemented retry mechanism in platform-services-deployment startup script which will wait for the env_var file setup by sw-mgmt service.
1311049-1 : For a system that has interfaces with 1GB speed, the network tab on the webUI dashboard is not showing all information
Links to More Info: BT1311049
Component: F5OS-A
Symptoms:
If a system has an interface with a speed of 1GB, when the user opens the Network tab on the webUI dashboard, the data that is supposed to be shown on the system graphic (such as interface speed and operational status) are not shown.
Conditions:
A system that has an interface with 1GB speed.
Impact:
The system graphic on the Network tab of the webUI dashboard is not showing interface information.
Workaround:
N/A
Fix:
Now the code is made to handle any port speed coming from the back-end response.
1306649-1 : Rapid removal and re-insertion of 10G optics may result in link failure
Links to More Info: BT1306649
Component: F5OS-A
Symptoms:
An interface link remains down.
Conditions:
Removal and re-insertion of the SFP module within a few seconds.
Impact:
Interface link remains down.
Workaround:
There are two workarounds:
1. After removing the SFP module, wait for 2 to 3 minutes before re-inserting the SFP module. This may not work 100% of the time.
2. Reboot the appliance.
1305909 : iHealth upload not supported on F5OS-A
Links to More Info: BT1305909
Component: F5OS-A
Symptoms:
The iHealth upload service has changed its authentication schema to OKTA, and requires a Client ID and Client Secret rather than a User ID and Password. Version 1.5.1 (and previous versions) of F5OS-A do not support this authentication schema.
Conditions:
Always
Impact:
Users will not be able to directly upload QKView files to iHealth from the appliance because of the change in the authentication schema.
Workaround:
1. Use the file export feature to download the QKView from the appliance to a local PC.
2. Sign on to ihealth.f5.com.
3. Use the upload feature to upload the QKView to the iHealth service.
Fix:
Added Client ID and Client Secret fields to the iHealth page on the webUI. Users can upload QKView files to iHealth.
1305005-3 : Error handling in F5OS file-download API
Links to More Info: BT1305005
Component: F5OS-A
Symptoms:
Upon file download failure, the API returns an Apache error page that is not an F5OS-specific error and is not aligned with other F5OS API errors. This is a negative user experience.
Conditions:
When data that is not in the FormData format is passed in a curl request, unhandled errors cause an Apache error page to be returned, which is not aligned with other F5OS API errors.
Impact:
There is no functional impact. It is a negative user experience.
Workaround:
N/A
Fix:
All errors are now handled in the file-download API and aligned with other F5OS API errors. Apache error pages are no longer returned in error cases.
1304765-2 : A remote LDAP user with an admin role is unable to make config changes through the F5 webUI
Links to More Info: BT1304765
Component: F5OS-A
Symptoms:
When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.
Conditions:
Local GID is being mapped to a remote GID.
Impact:
The admin user mapped to a remote GID cannot access the ConfD config mode.
Fix:
Update the system to the version with the fix.
1304657-1 : Tcam-manager does not support all the possible system network subnets
Links to More Info: BT1304657
Component: F5OS-A
Symptoms:
The connection from the tenant (TMM) to the tcam-manager continuously restarts.
The tcam-mgr logs show the wrong tenant-id, and the connection from the tenant is therefore rejected:
msg="INFO" MSG="Connection from client address:10.245.3.1".
msg="ERROR" MSG=" Confd access error obtaining tenant info for tenant:12291 slot:1".
msg="INFO" MSG="neuron_handle_responses: dropping resp to non-existent client".
TMM periodically logs neuron client errors, such as:
notice hudproxy_neuron_client_closed_cb: Neuron client connection terminated
notice pva_sc_frs_neuron_stopped_cb/2373: FRS SC: Neuron client stopped.
Conditions:
The 'system network' configuration is changed from its default setting in F5OS.
Impact:
TCAM based features don't work.
Workaround:
Select either the default RFC6598 subnet or any of the unaffected RFC1918 subnets.
Fix:
Tcam-manager now correctly calculates the tenant-id for all possible system network subnets.
1301837-3 : A remote admin user is not able to enter the ConfD config mode when logged in from SSH
Links to More Info: BT1301837
Component: F5OS-A
Symptoms:
When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.
Conditions:
Local GID is being mapped to a remote GID.
Impact:
The admin user mapped to a remote GID cannot access the ConfD config mode.
Workaround:
No workaround.
Fix:
Update the system to the version with the fix.
1301169-1 : K3S goes down when OMD is restarted
Links to More Info: BT1301169
Component: F5OS-A
Symptoms:
K3S went down and failed to come up when OMD restarted due to memory corruption.
Conditions:
This is caused by not having essential flags in the system.
The appliance OMD is dependent on the flags inside /var/omd directory.
Impact:
When K3S goes down, the cluster is down, which results in service down.
Workaround:
When the cluster goes down due to missing flags, it can be brought back up by clearing the stale flags and tokens. Please contact F5 Support.
Follow instructions in https://my.f5.com/manage/s/article/K08061420
Fix:
1. Log messages are now generated when the /var/omd/ flags are deleted or added.
2. The cluster will come up even if it is going to a bad state.
1300805-1 : Allowing the tenant configuration with more memory than max memory in the appliance
Links to More Info: BT1300805
Component: F5OS-A
Symptoms:
This will not have any functional impact.
The tenant configuration will be accepted, but the tenant will not come up. A "resource allocation failed" failure message is shown in "show tenants".
Conditions:
Configuring the tenant with the memory that is beyond the max limit.
Impact:
The tenant configuration is faulty. There is no impact on the existing/running tenants.
Workaround:
Delete the config and re-configure with valid memory.
1300749-2 : Syslog target files do not use the hostname configured via system user interface.
Links to More Info: BT1300749
Component: F5OS-A
Symptoms:
Syslog target files, for example: /var/F5/system/log/platform.log, use a hardcoded nodename for every device as a hostname.
Conditions:
No special conditions.
Impact:
In a remote log collector, source IPs are the only way to differentiate among devices.
Workaround:
It is possible to use an iRule workaround that replaces custom strings in syslog traffic depending on the client's IP address. This iRule is applied to the virtual server on another LTM that consumes the syslog traffic and load balances it.
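when CLIENT_DATA {
    # Replace 11 bytes at payload offset 38 with a per-device name,
    # selected by the IP address of the sending device.
    switch [IP::client_addr] {
        "10.10.10.10" { UDP::payload replace 38 11 "ABCDC01F5OS01" }
        "10.10.10.20" { UDP::payload replace 38 11 "ABCDC01F5OS02" }
    }
}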
With the iRule workaround, the hostname in an example message changes from this:
Jul 31 03:33:50 10.10.10.10 2023-07-31T07:33:50.181136+00:00 appliance-1 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 0 (1:Enabled 2:Disabled ... )".
to this:
Jul 31 06:00:01 10.10.10.10 2023-07-31T10:00:01.356324+00:00 ABCDC01F5OS01 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 1 (1:Enabled 2:Disabled ... )".
Jul 31 06:00:04 10.10.10.20 2023-07-31T10:00:04.983677+00:00 ABCDC01F5OS02 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 0 (1:Enabled 2:Disabled ... )".
Fix:
Infrastructure to use the system hostname user configuration in the syslog target logs has been added with a knob and it is enabled by default. It can be turned off if old behavior is preferred.
1298329-2 : Tcpdump capture fails
Links to More Info: BT1298329
Component: F5OS-A
Symptoms:
An SELinux shared label is set by the identifier container on the common path shared across all the containers. This issue started when the node-agent container was introduced without a dependency.
The system repeatedly logs this message to the platform log:
tcpdumpd-manager[8]: priority="Crit" version=1.0 msgid=0x5406000000000018 msg="[] global_dmaa_comm init_comm failed ret:" this=0x17c6b50 ret=3.
Conditions:
This issue seems to occur when downgrading a system to an affected version.
Impact:
Tcpdump capture fails.
Workaround:
This issue can be resolved by doing the following:
1. Log into the system as root
2. Edit /var/docker/config/platform.yml
3. Locate the configuration for 'tcpdumpd-manager', and replace the volume that reads:
- /var/F5/system:/var/tcpdump:z
with:
- /var/F5/system:/var/tcpdump
4. Save the file
5. Reboot the appliance
Fix:
Root cause of this issue was fixed as part of ID1326157.
1297665-1 : Occasionally diagnostic agent reports as unhealthy for unpopulated PSU_Slot in health summary and ihealth reports
Links to More Info: BT1297665
Component: F5OS-A
Symptoms:
Diagnostic agent reports as unhealthy for unpopulated PSU_Slot in ihealth reports and "show system health summary" output.
Conditions:
Occurs only when there are empty PSU slots in the system and the diagnostic agent receives PSU Input State events in a different order.
Impact:
The diagnostic agent reports the PSU in the unpopulated slot as unhealthy in the health summary.
Workaround:
N/A
1296997-2 : Large core files can cause system instability
Links to More Info: BT1296997
Component: F5OS-A
Symptoms:
When a system generates and stores large core files, it can make the system unstable.
Conditions:
F5OS generates a large core file.
Impact:
F5OS core-writing script does not check filesystem availability before writing a core file and can fill up the filesystem, causing catastrophic system instability until disk-space is reclaimed.
Workaround:
None
Fix:
F5OS now takes into account the available filesystem space before writing a core file. If the core file is too large then it will be truncated and deleted to maintain system stability. The system log message will indicate if the core file was too large to safely write.
1296525-2 : qkview may capture log files truncated in a reverse way
Links to More Info: BT1296525
Component: F5OS-A
Symptoms:
qkview captures log files, but may truncate them if too large (greater than 100 MB). A regression was introduced such that the most recent log entries would be truncated rather than the oldest.
Conditions:
Collection of qkview.
Impact:
Log entries may be missing in qkview capture.
Workaround:
When running a qkview capture, set the maxfilesize argument to 1000 (1 GB):
system diagnostics qkview capture maxfilesize 1000
Fix:
QKview now collects the tail end of log files.
1295657-1 : ARP probes to rSeries management IP are answered by both mgmt and mgmt0-system
Links to More Info: BT1295657
Component: F5OS-A
Symptoms:
Intermittent management connectivity issues.
Conditions:
ARP probes to the rSeries mgmt-ip.
Impact:
Intermittent management connectivity issues.
Workaround:
A temporary workaround is to update the ARP-related kernel parameters on the mgmt interface:
sysctl -w net.ipv4.conf.mgmt.arp_ignore=2
sysctl -w net.ipv4.conf.mgmt.arp_announce=1
sysctl -w net.ipv4.conf.mgmt.rp_filter=1
1294581-2 : webUI header shows FQDN for IP address field instead of management IP
Links to More Info: BT1294581
Component: F5OS-A
Symptoms:
When user accesses F5OS webUI using FQDN, the header shows the FQDN for the IP address instead of showing the actual management IP address.
Conditions:
When user accesses F5OS webUI using FQDN.
Impact:
There is no impact on functionality. The IP address label on the login screen is renamed to Address. The header displays the management IP instead of the FQDN.
Workaround:
To view the management IP address, navigate to the Management IP screen.
Fix:
Login using FQDN shows the IP address on the header instead of the FQDN. Additionally, the IP address label on the login screen is renamed to Address.
1294341-1 : The system freezes if abruptly rebooted during software upgrade process.
Component: F5OS-A
Symptoms:
The system software upgrade process freezes indefinitely if the system is rebooted abruptly.
Conditions:
This issue occurs if the system is rebooted abruptly when the software upgrade is triggered.
Impact:
It is not possible to upgrade/downgrade to another build because the process is frozen in the upgrade state.
Workaround:
None
Fix:
It is possible to upgrade/downgrade to a new build even after the system is frozen due to an abrupt reboot.
1293305-2 : LAG interface status is not updated on the BIG-IP tenant
Links to More Info: BT1293305
Component: F5OS-A
Symptoms:
Symptom 1: Trunk is down in tenant but the LAG is up in F5OS-A.
Symptom 2: LAG is down in F5OS-A but the trunk is up in tenant.
Conditions:
For symptom 1:
1. Set up new rSeries device.
2. Configure a static LAG and VLAN.
3. Deploy new tenant.
4. In tenant, LAG will be shown as down but interfaces shown as up.
5. This happens only at initial tenant deployment.
For symptom 2:
1. LAG is shown as down in F5OS-A.
2. Trunk is shown as up in tenant.
Impact:
Symptom 1:
On r2x00/r4x00 platforms, as LAG will be in DOWN state, datapath will not be working.
Symptom 2:
On r2x00/r4x00 platforms, LAG status is shown as UP but it's actually DOWN on the platform. Datapath will not be UP, but as LAG is UP in tenant we expect Datapath to be UP.
Symptom 3:
If trunks are used for HA Group the scores associated to the trunks are not deducted from the overall health scores regardless of whether the interfaces in the trunks are up or not.
Workaround:
For symptom 1:
Restart the "system_api_svc_gateway" service on the host.
# docker restart system_api_svc_gateway
For symptom 2:
Restart the "system_api_svc_gateway" service on the host.
# docker restart system_api_svc_gateway
1292405-1 : CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64
Links to More Info: K000137702, BT1292405
1291461-3 : LCD shutdown does not work on r2800 and r4800 platforms
Links to More Info: BT1291461
Component: F5OS-A
Symptoms:
In F5OS-A versions 1.4.0 and later, the button on the LCD menu that is used to shut down the system does not shut down the system when pressed.
Conditions:
With F5OS-A 1.4.0 or later installed, from the LCD touchscreen, click the System button. Select Shutdown from the menu. Click the Shutdown button at the 'Shutdown the system?' prompt.
Impact:
The LCD touchscreen is lacking functionality the user is expecting it to have.
Workaround:
In an external terminal, connect to the unit's AOM. Select P for "Power on/off host subsystem", and then 0 for "Turn host subsystem off". Or, if the system is off, 1 for "Turn host subsystem on"
Fix:
Going into the AOM menu and powering off or powering on the system works as expected and achieves the same thing as using the LCD Shutdown button.
1290949-1 : Invalid memory read in appliance orchestration manager
Links to More Info: BT1290949
Component: F5OS-A
Symptoms:
"Invalid read" identified in OMD.
Executing "show cluster events" hits a code path in which the ConfD API reads freed memory, which results in an invalid read.
Conditions:
Executing "show cluster events".
Impact:
Using freed memory may cause unexpected behavior in the system.
Workaround:
N/A
Fix:
Code changes to address memory violations in the code.
1290941-1 : LLDP/STPD/LACPD in rSeries is flooding SEP_POLLERR when dma-agent restarts
Links to More Info: BT1290941
Component: F5OS-A
Symptoms:
The following message floods platform.log when dma-agent restarts:
"SEP library in ERR state, sep_client_poll() returns SEP_POLLERR".
Conditions:
dma-agent restart.
Impact:
L2 functions such as LLDP/STPD/LACPD will be affected.
Workaround:
Reboot the device.
Fix:
Fixed the code so that it no longer floods the logs.
1290617-2 : Display option "universal-time" is not supported
Links to More Info: BT1290617
Component: F5OS-A
Symptoms:
The display option "universal-time" is a built-in third-party command that F5OS does not support.
Conditions:
User attempts to access the built-in third-party command "universal-time."
Impact:
The correct output for "universal-time" is not displayed. Proper documentation for this third-party command also cannot be found.
Workaround:
N/A
Fix:
F5OS has suppressed this display option.
1290053-1 : VELOS Software version may not be collected consistently across platform by QKView
Component: F5OS-A
Symptoms:
The QKView version format is different as collected by F5OS-A and F5OS-C, and this is reflected when the QKView is displayed by the iHealth service.
Conditions:
This always occurred when capturing a QKView.
Impact:
Occasional parsing difficulties on the iHealth service.
Workaround:
Examine the /etc/PRODUCT file contained in file collection for the host subpackage.
Fix:
Version information format as reported in the manifest.json file within a QKView is now consistent between F5OS-A and F5OS-C.
1289633-2 : FIPS devices show incorrect vCPUs
Links to More Info: BT1289633
Component: F5OS-A
Symptoms:
1. The Dashboard System Summary shows 36 vCPUs rather than the actual number of vCPUs available for Tenant Deployment.
2. The Add/Edit Tenant deployments screen allows selecting up to 36 vCPUs instead of the maximum vCPUs that the platform supports.
Conditions:
FIPS device.
Impact:
No functional impact.
Workaround:
Users can view the correct value for total vCPUs for tenant deployment on the device from the CLI using the following command:
"show cluster nodes node node-1 state node-info"
Fix:
vCPUs information will show appropriately on the dashboard based on the platform support, and Add/Edit Tenant deployment screen will have vCPU options up to the maximum that the platform supports and not beyond that.
1289029-3 : Toggling lag-type can sometimes cause an F5OS LACP aggregation to pass traffic while the peer does not have LACP configured.
Links to More Info: BT1289029
Component: F5OS-A
Symptoms:
An F5OS LACP aggregation can sometimes allow traffic to pass when it should not.
Conditions:
1) With peer devices that cause link status to flap on aggregation configurations: Toggle F5OS aggregation lag-type from LACP to STATIC. Toggle peer aggregation from LACP to STATIC. Toggle F5OS aggregation lag-type from STATIC to LACP.
2) Create an aggregation interface with STATIC lag-type, change the lag-type to LACP, then create a lacp interface. Configure the peer aggregation as a STATIC aggregation.
Impact:
Traffic will pass on an aggregation when LACP has not negotiated for affected interfaces.
Workaround:
Disable, then enable affected interfaces.
Fix:
Under no scenario will traffic pass on an interface in a LACP aggregation that has not negotiated LACP with its peer.
1288937-2 : Interface persists with removed VLAN
Links to More Info: BT1288937
Component: F5OS-A
Symptoms:
When a VLAN is deleted while being referenced by an interface or LAG, it cannot be de-referenced from the interface/LAG.
Conditions:
Delete the VLAN before removing the VLAN from the interface.
Impact:
Cannot add the interface to a LAG after deleting VLAN(s) that used the interface.
Workaround:
Recreate the removed VLAN, then edit the interface which shows defined VLAN, remove the defined VLAN, then remove the recreated VLAN.
Fix:
With the fix, the user will be able to view and remove the VLAN in the Add/Edit Interface/LAG screen even if the VLAN was deleted, and thus will be able to detach it from the interface/LAG.
1286285-3 : ISO with special characters in name will not import
Links to More Info: BT1286285
Component: F5OS-A
Symptoms:
An ISO named with special characters like "()" will not be imported and gets deleted from the import directory silently.
Conditions:
Only when the ISO name contains special characters.
Impact:
User will not have any status on the imported image with a name that contains special characters.
Workaround:
No workaround.
Fix:
The "show system image" API will display the status as "Import error. File name is incorrect."
1286165-1 : Ping failing after removing aggregate ID from interface and adding trunk VLANs in the same commit
Links to More Info: BT1286165
Component: F5OS-A
Symptoms:
Ping to self IP of tenant failing.
Conditions:
This issue will be observed only when tried from F5OS ConfD CLI.
Removing aggregate ID and assigning trunk VLANs to an interface in the same commit from ConfD CLI.
Impact:
Ping to self IP of tenant will fail.
Workaround:
From F5OS CLI
1)Remove aggregate ID from interface.
2)commit the changes.
3)Add trunk VLANs to interface and commit the changes.
For example:
1)no interfaces interface 3.0 ethernet config aggregate-id
2)commit; top
3)interfaces interface 3.0 ethernet switched-vlan config trunk-vlans [ 3700 3800 3900 ]
4)commit
Fix:
NA
1285969 : Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down
Links to More Info: BT1285969
Component: F5OS-A
Symptoms:
One or more interfaces in LACP aggregations may be considered down when they should not be.
Conditions:
Internally, LACPD hashes each interface name to an integer, and the hash of some aggregation interface names collides with the hash of an ethernet interface name. Changes to these aggregation interfaces can impact the ethernet interface.
Impact:
Traffic through the affected ethernet interface in LACP aggregations may be disrupted. This can cause either degraded performance or traffic failure for LACP aggregations that the interface is a member of.
Workaround:
Only use aggregation interface names that don't hash to the same port numbers as ethernet interfaces.
To determine whether an existing aggregation interface's port number conflicts with an ethernet interface, review the lacpd_interface_stat table.
For a VELOS partition, use the lacpd container on any blade in the partition to run tmctl.
For an appliance, use system_lacpd container to run tmctl.
The following example from an rSeries appliance shows the aggregation interface "vlag" with the same port number as interface 1.0:
[root@appliance-1 ~]# docker exec -it system_lacpd bash
[root@appliance-1 partition]# tmctl lacpd_interface_stat -s name,port_num
name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
4.0 4096
5.0 5120
6.0 6144
7.0 7168
8.0 8192
9.0 9216
mgmt 43008
vlag 1024
If an aggregation interface hashes to the same port number as an Ethernet interface:
1. Delete the conflicting aggregation interface
2a. You can either restart the lacpd containers
or
2b. Reboot the appliance, or for VELOS reboot each blade in the partition.
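The collision check described in this workaround can be scripted. The following is an added example, not F5 tooling: it reads the output of the tmctl command shown above and reports each aggregation interface that shares a port number with an Ethernet interface. The function names and the interface naming rule are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not F5 tooling): flag aggregation interfaces whose LACPD
# port number collides with an Ethernet interface.

# Constructed sample input: the lacpd_interface_stat table from the note above.
sample_lacpd_table() {
    cat <<'EOF'
name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
4.0 4096
5.0 5120
6.0 6144
7.0 7168
8.0 8192
9.0 9216
mgmt 43008
vlag 1024
EOF
}

# Reads "name port_num" rows on stdin and prints one line per collision:
#   <aggregation name> <ethernet name> <port_num>
# Assumption: Ethernet interfaces are named N.N (appliance), N/N.N (VELOS
# blade) or "mgmt"; every other name is treated as an aggregation.
find_lacp_collisions() {
    awk '
        $2 !~ /^[0-9]+$/ { next }    # skip the header, the dashes and blank lines
        $1 == "mgmt" || $1 ~ /^([0-9]+\/)?[0-9]+\.[0-9]+$/ {
            eth[$2] = $1
            next
        }
        { n++; agg_name[n] = $1; agg_port[n] = $2 }
        END {
            for (i = 1; i <= n; i++)
                if (agg_port[i] in eth)
                    print agg_name[i], eth[agg_port[i]], agg_port[i]
        }
    '
}

# Run against the sample; on a real system, pipe the tmctl output in instead.
sample_lacpd_table | find_lacp_collisions
```

An empty result means no aggregation interface name hashes onto an Ethernet interface's port number.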
Fix:
Aggregation interface names will never impact ethernet interfaces in a LACP aggregation.
1285149-3 : Patch releases report the wrong version in various log files.
Links to More Info: BT1285149
Component: F5OS-A
Symptoms:
F5OS-A patch files are not correctly set for patch versions.
Conditions:
Patch version release.
Impact:
Patch releases are falsely reported as non-patched releases in log files.
Workaround:
None
Fix:
None
1284269-1 : Config restore fails if it contains an SNMP user
Links to More Info: BT1284269
Component: F5OS-A
Symptoms:
An error occurs when restoring the config:
appliance-1(config)# system database config-restore name with.mgmt.snmpuser.xml
A clean configuration is required before restoring to a previous configuration.
Please perform a reset-to-default operation if you have not done so already.
Proceed? [yes/no]: yes
Error: access denied
Database config-restore failed.
Conditions:
Backup contains an SNMP user.
Impact:
Cannot restore configuration.
Workaround:
There are two possible workarounds.
Workaround 1:
- Edit the configuration backup and remove the SNMP user related configuration.
- Restore the backup
Workaround 2:
- Create an SNMP user on the device before restoring the backup.
- Restore the backup
Fix:
Issue is fixed. Now the user can take a configuration backup and restore it, even with an SNMP user configured.
1284193-1 : GRUB2 vulnerability CVE-2022-28733, Samba vulnerability CVE-2021-20277, DHCP vulnerability CVE-2021-25217
Links to More Info: K000132893, BT1284193
1283641-1 : Docker network is not updating as part of internal IP ranges configurations
Links to More Info: BT1283641
Component: F5OS-A
Symptoms:
Docker network needs to be updated as per network-range-type.
Conditions:
Configuring the network-range type has no effect on the docker network.
Impact:
This bug causes docker network to not update as per network-range-type.
Workaround:
Edit the /etc/sysconfig/docker file manually and restart docker.
Fix:
The root cause was '/etc/sysconfig/docker' getting overridden while running pre-deployment-setup. This task fixes the above issue.
1282757 : On upgrade, systems might overwrite key due to automatic firmware updating
Links to More Info: K000133379, BT1282757
Component: F5OS-A
Symptoms:
When upgrading to a new version (such as 1.4.0), automatic firmware updates occur, and these interfere with the encryption key retrieval, causing a new key to be generated, which blocks api-service-gateway.
Conditions:
Upgrading to a new version where automatic firmware updates get started at boot-up.
Impact:
The api-service-gateway container does not come up and there is no communication with the tenant.
Workaround:
docker exec -it system_manager bash
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-key"
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-cert"
Fix:
A new encryption key is generated only if the TPM module has none. The code continues to retry until it succeeds or the ConfD timeout (300 seconds) occurs.
1281861 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0
Links to More Info: BT1281861
Component: F5OS-A
Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".
Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.
Impact:
Tenants will not start and are unusable.
Workaround:
To work around this issue, perform one of these actions:
1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".
Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.
1281857-1 : Repeated disabling and enabling of link partner interface might result in datapath corruption
Links to More Info: BT1281857
Component: F5OS-A
Symptoms:
Packets received on an interface are corrupted or lost after a link partner interface is repeatedly disabled and then enabled within relatively short windows of time.
Conditions:
A link partner interface is repeatedly disabled and then enabled within relatively short windows of time.
Impact:
Dataplane services on the given interface will be inoperable.
Workaround:
The product must be rebooted to recover.
Fix:
An FPGA firmware fix was implemented to add an additional clock to an internal component that served to isolate noise between the MAC and itself.
1281749-1 : Hashed/encrypted passwords are getting logged
Links to More Info: K000134922, BT1281749
1281165-1 : CVE-2023-0767 in nss-tools-3.67.0-4.el7_9
Component: F5OS-A
Symptoms:
An attacker may create a PKCS 12 certificate bundle to exploit mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.
Conditions:
NA
Impact:
NA
Workaround:
NA
Fix:
Upgraded to a non-vulnerable version of nss-tools.
1281157-1 : CVE-2023-0767 in nss-sysinit-3.67.0-4.el7_9
Component: F5OS-A
Symptoms:
An attacker may create a PKCS 12 certificate bundle to exploit mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.
Conditions:
NA
Impact:
NA
Workaround:
NA
Fix:
Updated to a non-vulnerable version of nss-sysinit.
1281149-1 : CVE-2023-0767 in nss-3.67.0-4.el7_9
Component: F5OS-A
Symptoms:
An attacker may create a PKCS 12 certificate bundle to exploit mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.
Conditions:
NA
Impact:
NA
Workaround:
NA
Fix:
Upgraded to a non-vulnerable NSS version.
1280749-2 : OCSP server state data and actual configured data is different in ConfD CLI
Links to More Info: BT1280749
Component: F5OS-A
Symptoms:
The OCSP server data shown from non-config mode in the ConfD CLI is different from actual configured data.
Conditions:
- Showing state data related to OCSP server from ConfD CLI.
Impact:
Inability to check the actual OCSP server value from non-config mode.
Workaround:
Workaround is to run 'show running-config' from non-config mode.
Fix:
When the user sets new values for the OCSP server configuration, the state data is updated as well so that the user can see the actual values from non-config mode.
1280365-3 : WebUI and shell admin access unavailable after upgrade to when one of the previously installed images is no longer present★
Links to More Info: K000133253, BT1280365
Component: F5OS-A
Symptoms:
1. WebUI or CLI inaccessible via admin account (that is, ConfD is not up):
[root@appliance-1(XXXXXXXXX) log]# su admin
Failed to connect to server
2. sw-mgmt.debug file will have a line similar to this one (with image version changing depending on which image is missing):
DEBUG: Source file /var/export/chassis/import/.mounts/iso/R2R4/1.1.1-9159/m3/*-services/F5OS*.img does not exist, removing from all_sw.
3. Containers stuck in ImagePullBackOff. For example, system_network container cannot be pulled, and the following error is observed in messages log:
appliance-1 dockerd-current: time="2023-03-24T15:09:26.631359235Z" level=error msg="Not continuing with pull after error: Error: image system_network:1.4.5-f5os-a-1-4-0-candidate.2023-02-14-15-09-15.S9b340f7e not found"
Conditions:
Both of the below conditions:
1. An ISO image has been ungracefully removed from the /var/import/staging folder. Examples of ungraceful removals:
-- Deleted via bash (after running chattr -i <image name>)
-- Image name had parentheses in it and as per ID1273021 it is wiped out upon reboot.
2. /var/import/import.json file includes reference to removed image that is listed BEFORE the reference to currently used image.
Impact:
Device webUI is inaccessible. Cannot access ConfD. Root access is working.
Workaround:
Two workarounds:
1. Re-import the deleted image and reboot the box.
2. Remove the whole section that references the deleted image from import.json file and reboot the box.
Fix:
N/A
1280237-1 : Notification streams are sometimes empty using 'restconf/streams/platform-stats/json' API endpoint
Links to More Info: BT1280237
Component: F5OS-A
Symptoms:
When using the 'restconf/streams/platform-stats/json' API endpoint, the JSON object could be empty instead of being populated with platform stats.
Conditions:
The initial discovery of platform-stat had a logic flaw which prevented drive information from being correctly discovered. This prevented the rest of the JSON object from being populated.
Impact:
The platform-stats notification stream endpoint would return an empty object instead of platform-stat data.
Workaround:
N/A
Fix:
The logic flaw has been resolved and the platform-stat notification stream is fully populated with stat information.
1273845-1 : Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration
Links to More Info: BT1273845
Component: F5OS-A
Symptoms:
Manually adding TLS Certificate & Key on webUI instead of storing through Self-Signed Certificate or removing Certificate & Key removes TLS configuration, which includes verify-client and verify-client-depth.
Conditions:
- When there is an existing Verify Client and Client Depth configuration, and user tries to remove TLS Certificate & Key on Certificate Management screen on webUI.
- When user fills the TLS Certificate & Key on Certificate Management screen on webUI.
Impact:
Verify Client and Client Depth configuration of Certificate Authentication will be changed to default values which disables verification of httpd client certificates.
Workaround:
- Remove or Add TLS Certificate & Key through CLI.
- While creating Self-Signed Certificate, set "Store TLS" field as true
- Re-add Verify Client and Client Depth after removing or manually adding TLS Certificate & Key.
1273581-1 : CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy
Links to More Info: K000133098, BT1273581
1273445 : Downgrade/upgrade issues are seen because ISO has special characters in the file name★
Links to More Info: BT1273445
Component: F5OS-A
Symptoms:
If an F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , \') is imported onto the device, and the system is downgraded/upgraded with this ISO, it can result in the upgrade/downgrade failing.
Conditions:
1. Download and import an ISO with a 'special character' in its name (for example, F5OS-A-1.5.0-*.iso).
2. Attempt an upgrade/downgrade.
3. Upgrade/downgrade will fail.
Impact:
Upgrade/downgrade will fail, requiring manual intervention to recover the system.
Workaround:
1. Before performing a platform software upgrade, compare versions referenced by the "show system image" ConfD CLI command with the names of files present in the "/var/import/staging" directory.
If the ISO is not present in /var/import/staging but it is shown in "show system image" command output, then import again to "/var/import/staging".
2. If there is any ISO file with a name containing a special character present in "/var/import/staging", remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt upgrade.
3. To remove an ISO file with a name containing special characters, use the command below.
appliance-1(config)# system image remove iso <iso version>
4. In scenarios where the above command fails or where it is not possible to use the above command, follow the procedure below to delete the image.
* Log in to the device as root
* chattr -i "/var/import/staging/<iso with special characters>"
* rm -rf "/var/import/staging/<iso with special characters>"
In case downgrade or upgrade failure has already occurred due to this issue, follow these steps to recover the system:
1. Download another copy of the ISO with a proper name to /var/import/staging.
2. Wait for five minutes for it to import. If ConfD is unavailable, you can check the logs in /var/log/sw-mgmt.debug for import status.
3. Once the import is complete, reboot the system. This should recover the system.
Fix:
The fix is to delete the ISO with the special characters when it is being imported.
1273025-1 : Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption
Links to More Info: BT1273025
Component: F5OS-A
Symptoms:
Virt-handler pod is crashing upon downgrading from F5OS-A 1.4.0 to F5OS-A 1.3.2, and a tenant is stuck in pending state.
Conditions:
Configure TACACS server-group on a non-default port (that is, other than port 49) and downgrade from F5OS-A 1.4.0 to F5OS-A 1.3.2.
Impact:
Tenant becomes stuck in pending state.
Workaround:
Two workarounds:
1. Configure standard port (49) for the TACACS server instead of a non-standard port. Using the standard port should not trigger these issues. Releases older than F5OS-A 1.4.0 do not correctly support any port other than 49 for the TACACS server.
2. Fix SELinux policy on the appliance:
a. cp selinux module from /usr
cp /usr/etc/selinux/targeted/active/modules/400/f5_appliance to /etc/selinux/targeted/active/modules/400/f5_appliance
b. Reboot the device
reboot
Fix:
Enforce closure of non-standard port every time configuration is updated or system is shut down. This avoids leaving ports open for which SELinux may not have exceptions.
Note this does not address the non-standard port in older releases when downgrading. Non-standard ports for TACACS are still not properly supported in the older release.
1273021-1 : ISOs imported with regex special characters in their names are getting deleted★
Links to More Info: BT1273021
Component: F5OS-A
Symptoms:
Downgrade/upgrade issues are seen when the ISO used for the upgrade has special characters in the file name.
If an F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , \') is imported, and the system is downgraded/upgraded to that version, it can result in the upgrade failing and the ISO being automatically removed.
Conditions:
1. Download and import an ISO with a 'special character' in its name, for example 'F5OS-A-1.5.0-*.iso'.
2. Attempt an upgrade to the imported ISO version.
3. Upgrade will fail.
Impact:
An upgrade to a version of software marked as successfully imported can fail unexpectedly, requiring manual intervention to recover the system.
Docker container services will not come up.
Workaround:
1. Before performing a platform software upgrade, compare versions referenced by the "show system image" ConfD CLI command with the names of files present in the "/var/import/staging" directory.
If the ISO is not present in /var/import/staging but it is shown in "show system image" command output, then import again to "/var/import/staging".
2. If there is any ISO file with a name containing a special character present in "/var/import/staging", remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt upgrade.
3. To remove an ISO file with a name containing special characters, use the command below.
appliance-1(config)# system image remove iso <iso version>
4. In scenarios where the above command fails or where it is not possible to use the above command, follow the procedure below to delete the image.
* Log in to the device as root.
* chattr -i "/var/import/staging/<iso with special characters>"
* rm -rf "/var/import/staging/<iso with special characters>"
In case a downgrade or upgrade failure has already occurred because of this issue, follow these steps to recover the system:
1. Download another copy of the ISO with a proper name to /var/import/staging.
2. Wait for five minutes for it to import. If ConfD is unavailable, you can check the logs in /var/log/sw-mgmt.debug for import status.
3. Once the import is complete, reboot the system. This should recover the system.
Fix:
Import of ISO with special characters is blocked.
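The staging-directory check from the workaround steps of ID 1273445 and ID 1273021, written out as an added shell example (not F5 code). The build number in the sample names is constructed, and `matches_itself_as_regex` only illustrates the general risk of using raw file names as patterns; the page does not describe how F5OS matches names internally.

```shell
#!/bin/sh
# Added example (not F5 code): audit ISO names for the characters the release
# note lists: + * ? ^ $ ( ) [ ] { } | \

# Return 0 if the name contains any of the listed characters.
has_regex_special() {
    case "$1" in
        *+*|*\**|*\?*|*\^*|*\$*|*\(*|*\)*|*\[*|*\]*|*\{*|*\}*|*\|*|*\\*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if the name, used unescaped as an extended regex, still
# matches itself. Invalid patterns (for example an unbalanced bracket)
# count as "no match".
matches_itself_as_regex() {
    printf '%s\n' "$1" | grep -E -x -q -e "$1" 2>/dev/null
}

# Print the basename of every offending *.iso in a directory.
# Exit status is 1 if at least one offending file was found, else 0.
audit_iso_dir() {
    dir=$1
    found=0
    for path in "$dir"/*.iso; do
        [ -e "$path" ] || continue      # the glob matched nothing
        name=${path##*/}
        if has_regex_special "$name"; then
            printf '%s\n' "$name"
            found=1
        fi
    done
    return "$found"
}

# Demo on constructed names (no filesystem access).
for n in 'F5OS-A-1.5.0-0000.R5R10.iso' \
         'F5OS-A-1.5.0-*.iso' \
         'F5OS-A-1.5.0-0000(1).R5R10.iso'; do
    if has_regex_special "$n"; then v=REJECT; else v=ok; fi
    if matches_itself_as_regex "$n"; then m=self-match; else m=no-self-match; fi
    printf '%-7s %-14s %s\n' "$v" "$m" "$n"
done
```

On an appliance the audit would be run as `audit_iso_dir /var/import/staging` before starting the upgrade.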
1273017-1 : LACPD restarts when changing aggregation lag-type through configuration utility webUI
Links to More Info: BT1273017
Component: F5OS-A
Symptoms:
The Link Aggregation Control Protocol Daemon (LACPD) will restart. An LACP aggregation's interface can be permanently down, restricting traffic from passing on that interface.
Conditions:
- An aggregation interface's lag-type is set to static through configuration utility.
Impact:
One or more physical interfaces associated with an LACP aggregation can be erroneously marked down indefinitely, causing either degraded performance, or complete traffic failure.
Performance degradation may not occur, but the LACPD process will always restart.
Workaround:
- Toggle any affected interface to disable and then back to enable.
- Toggle any affected aggregation interface to static and then back to LACP.
- Reboot the system.
Fix:
LACPD will not restart when an aggregation is configured to static through the configuration utility. A few warnings may be logged when this operation occurs. These warnings can be ignored if seen while changing an aggregation's lag-type through the configuration utility.
1271973-2 : Disabling 1G/10G BaseT interface in F5OS does not make the link down on the peer port
Links to More Info: BT1271973
Component: F5OS-A
Symptoms:
An external switch connected to one of the 1G/10G BaseT interfaces will show link-up even when the interface is disabled in F5OS.
Conditions:
When a 1G/10G BaseT interface is connected to an external switch and is disabled in F5OS.
Impact:
The external switch link-up is misleading since the interface is actually disabled on the F5 system.
Fix:
Disabling 1G/10G BaseT interfaces in F5OS now brings the link down.
1270837-2 : The Account Locked field on the Edit User page does not lock out users nor display correct locked status
Links to More Info: BT1270837
Component: F5OS-A
Symptoms:
Changing the Account Locked field on the Edit User page does not lock out a user, nor does the field correctly represent the locked status of a user.
Conditions:
Using the Account Locked field in the webUI.
Impact:
Users are allowed to log in even if the Account Locked status is changed to True and the account is truly locked.
Users are unable to log in even if the Account Locked status is changed to False, and the account is truly unlocked.
Workaround:
To lock or unlock a user, use the CLI to set the user's expiry date to 1 for locked and -1 for unlocked.
Following is an example:
Locked
(config)# system aaa authentication users user <username> config expiry-date 1
(config)# commit
Un-locked
(config)# system aaa authentication users user <username> config expiry-date -1
(config)# commit
Fix:
On the webUI the "Account Locked" widget will be replaced by the "Expiry Status" configuration which will allow locking the user in a similar fashion as the CLI.
1270473-3 : On firmware upgrade from CLI, wrong console message displayed
Links to More Info: BT1270473
Component: F5OS-A
Symptoms:
When the firmware upgrade command from ConfD CLI is executed, on success it displays the below message:
Result FIPS firmware has been set successfully. Please reset HSM to reflect the update!
The HSM reset does a factory reset and wipes the HSM.
Conditions:
On firmware upgrade from ConfD CLI, the wrong console message is displayed to the user.
Impact:
If HSM resets, it factory resets the HSM and wipes it.
Workaround:
Do not reset HSM; instead reboot the system to get the new firmware reflected.
Fix:
N/A
1270309-1 : Audit.log may log incorrect username initially for users logging into the CLI, remotely-authenticated users may see hostname in prompt reported as "appliance-1", and remotely-authenticated LDAP users may experience lengthy delays when authenticating
Links to More Info: BT1270309
Component: F5OS-A
Symptoms:
The audit log may initially show the incorrect username when users log in to the CLI:
For example:
msg="audit" user="[one username]/[number]" cmd="created new session via cli from 192.0.2.1:56166 with ssh".
msg="audit" user="[one username]/[number]" cmd="CLI 'show system state hostname'".
msg="audit" user="[one username]/[number]" cmd="CLI done".
msg="audit" user="[one username]/[number]" cmd="terminated session (reason: normal)".
msg="audit" user="[actual username]/[another number]" cmd="created new session via cli from 192.0.2.1:56166 with ssh".
msg="audit" user="[actual username]/[another number]" cmd="CLI 'exit'".
msg="audit" user="[actual username]/[another number]" cmd="terminated session (reason: normal)".
Or:
confd[121]: audit user: [tenant name]/[number] assigned to groups: admin
confd[121]: audit user: [tenant name]/[number] CLI done
confd[121]: audit user: [tenant name]/[number] terminated session (reason: normal)
confd[121]: audit user: test_user/[number] assigned to groups: admin
If role GID mapping is configured, remotely-authenticated users may see the hostname reported in the prompt as "appliance-1", rather than the correct hostname. For instance:
User f5osadmin last logged in 2023-10-01T01:02:03.123456+00:00, to appliance-1 from 192.0.2.1 using cli-ssh
f5osadmin connected from 192.0.2.1 using ssh on appliance-1.chassis.local
appliance-1#
Remotely-authenticated LDAP users may experience lengthy delays when authenticating via SSH, particularly if one or more of the following are true:
- the LDAP server has a large number of groups
- the LDAP server has many users in groups
- there is noticeable latency between the F5OS system and the LDAP server
Conditions:
When trying to use remote authentication, multiple user accounts have the same UID (user identifier). The user IDs may overlap between multiple remote users, or between remote users and local users.
Impact:
The audit.log will show an incorrect username for the first few entries.
The CLI prompt may display the generic hostname "appliance-1".
Workaround:
To avoid the audit.log reporting an incorrect username, ensure all user accounts have unique user IDs.
If that is not practical, or to work around the other symptoms of this issue, the following procedure will work around the issue; this procedure will be reverted by any software version changes.
1. Log into the rSeries appliance as root
2. Put the script below into /etc/cron.hourly, as a file named "ID1270309-workaround", and then mark it executable ("chmod 755 /etc/cron.hourly/ID1270309-workaround").
===
#!/bin/bash
set -Eeuo pipefail
# f5_confd_cli from different versions of F5OS-A
# 1.5.0 / 1.5.1
# 1.5.1 with the fix for ID1301837
MATCHING_CHECKSUM=( "5496b29958666ab7eeb44e1dbc78afb4c99a08d5" "a5d4a6928fb77fd089ed8289f1162220d30e2c8c" )
# The same file, with the patch below applied to it.
MODIFIED_CHECKSUM=( "37ab85644d33f1fdd1724e284aa694c897a4e898" "8d552eb9f79853dacf762d9ee21c06cc950383f3" )
FILE=/var/lib/controller/f5_confd_cli
CHECKSUM=$(sha1sum "$FILE" | awk '{print $1}')
if [[ "${MATCHING_CHECKSUM[@]}" = *"$CHECKSUM"* ]]; then
    :
elif [[ "${MODIFIED_CHECKSUM[@]}" = *"$CHECKSUM"* ]]; then
    # Already modified. Nothing to do
    exit 0
else
    echo >&2 "f5_confd_cli is in unknown state, not modifying."
    exit 0
fi
patch -p1 "$FILE" << 'EOF'
--- /var/lib/controller/f5_confd_cli.ID1270309.orig 2023-09-05 15:35:44.651749231 -0700
+++ /var/lib/controller/f5_confd_cli 2023-09-05 15:37:08.894286756 -0700
@@ -180,16 +180,11 @@
echo "System Time: $date"
fi
-# Read the hostname from /system/state/ if it exists,
-# otherwise default to the hostname
-hostname_cli_out=$(echo "show system state hostname" | /var/lib/controller/confd_cli -N)
-
-hname=${HOSTNAME}
-if [[ ! -z "${hostname_cli_out}" ]]; then
- if [[ "$hostname_cli_out" == *"system state hostname"* ]]; then
- hname=$(echo ${hostname_cli_out} | awk '{print $(NF)}')
- fi
+if [ -r /etc/f5_sys_hostname/env ]; then
+ . /etc/f5_sys_hostname/env
fi
+hname=${SYS_CONFIG_HOSTNAME:-$HOSTNAME}
+
if [[ -z "${supplementary_gids}" ]]
then
exec /var/lib/controller/confd_cli -C -H ${hname} -u ${USER} --gid "${primary_gid}"
EOF
===
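Review bot: the added `. /etc/f5_sys_hostname/env` line sources a file into the login wrapper of every CLI session after checking only that it is readable (`-r`), so anything in that file runs as shell code in the context of the user logging in. Confirm the file is root-owned and not group- or world-writable, or read only the `SYS_CONFIG_HOSTNAME` value from it instead of sourcing the whole file. The unchanged `exec` line also passes `-H ${hname}` unquoted; since `hname` now comes from that file, quote it as `"${hname}"` so that a value containing whitespace or glob characters cannot split into extra arguments.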
This script will check and potentially update the login script once an hour to apply the workaround. After a system reboot or the system_manager docker container restarts, there is a potential period of up to an hour before the workaround is reapplied.
This workaround will also only function for specific versions of F5OS software; currently, only for F5OS-A 1.5.0 and F5OS-A 1.5.1.
1269989-2 : tcam-manager may get stuck using 100% CPU
Links to More Info: BT1269989
Component: F5OS-A
Symptoms:
After running a QKView or tcam-dump by itself, tcam-manager does not clean up the diagnostic socket, which results in a tight loop and pegging the CPU at 100% utilization. This in turn starves other platform processes (such as dma-agent), which causes performance degradation.
Conditions:
A QKView or tcam-dump, which is included in QKView, is run.
Impact:
Performance degradation.
Workaround:
The issue can be avoided by not running QKView.
Fix:
After tcam-dump completes, the corresponding socket is properly removed.
1267253-2 : LDAP shadowExpire attribute not honored
Links to More Info: BT1267253
Component: F5OS-A
Symptoms:
When using LDAP authentication, usage of the shadowExpire and related attributes will not enforce expiration on the F5 device.
Conditions:
LDAP authentication is configured. LDAP shadowExpire, shadowMax, and related attributes are set such that the user should be expired.
Impact:
A user with expired attributes can log in to the F5 device.
Workaround:
Either remove the user from groups with roles that allow access to the F5 device (for example, F5OS admin role gidNumber) or delete the user.
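To find the accounts this workaround applies to, the following added shell example (not F5 code) reads an LDIF export of user entries and lists those whose shadow attributes say they should be expired. It assumes the standard attribute names shadowExpire, shadowLastChange and shadowMax with shadow(5) day-count semantics; the directory entries and the day number used as "today" are constructed.

```shell
#!/bin/sh
# Added example (not F5 code): list LDAP users whose shadow attributes say
# they should be expired, so their F5OS role groups can be reviewed (ID 1267253).
# Assumed semantics (shadow(5) conventions, values in days since 1970-01-01):
#   shadowExpire                 account expires on this day; -1 or absent = never
#   shadowLastChange + shadowMax last day on which the password is valid

# usage: audit_shadow_ldif TODAY_IN_DAYS [ldif-file...]   (stdin if no file)
audit_shadow_ldif() {
    today=$1
    shift
    awk -v today="$today" '
    function emit(   reason) {
        if (uid != "") {
            reason = ""
            if (expire != "" && expire + 0 >= 0 && today + 0 >= expire + 0)
                reason = "account-expired(shadowExpire=" expire ")"
            else if (lastchg + 0 > 0 && maxage != "" && maxage + 0 >= 0 &&
                     today + 0 > lastchg + maxage)
                reason = "password-expired(valid-until-day=" (lastchg + maxage) ")"
            if (reason != "") print uid, reason
        }
        uid = expire = lastchg = maxage = ""
    }
    { sub(/\r$/, "") }                    # tolerate CRLF exports
    /^[ \t]*$/ { emit(); next }           # a blank line ends an LDIF entry
    {
        i = index($0, ": ")
        if (i == 0) next
        name = tolower(substr($0, 1, i - 1))   # attribute names are case-insensitive
        val = substr($0, i + 2)
        if (name == "uid") uid = val
        else if (name == "shadowexpire") expire = val
        else if (name == "shadowlastchange") lastchg = val
        else if (name == "shadowmax") maxage = val
    }
    END { emit() }' "$@"
}

# Constructed directory entries.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
shadowExpire: 19600

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
shadowExpire: -1
shadowLastChange: 19500
shadowMax: 90

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
shadowExpire: 20000
shadowLastChange: 19690
shadowMax: 90
EOF
}

# Day 19700 is a constructed "today"; in real use pass $(( $(date +%s) / 86400 )).
sample_ldif | audit_shadow_ldif 19700
```

Every user it prints is one the directory considers expired but F5OS will still admit, so those are the entries to remove from the role groups or delete.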
1267205-1 : Status field in "show system image" reports error when upgrading to 1.5.0★
Links to More Info: BT1267205
Component: F5OS-A
Symptoms:
Although patch ISOs are removed from the system, the services field still shows an entry for the base service with its status as error.
For example:
VERSION IN
SERVICE STATUS DATE SIZE USE TYPE
------------------------------------------------------
1.3.0-8327 error 1 1 false
1.1.0-7645 error 1 1 false
Conditions:
This occurs after upgrading from a patched version.
Impact:
There is no impact to the system.
Workaround:
Workaround #1: This applies when older images were removed before the upgrade to F5OS-A-1.5.0.
1. Remove all service entries whose status shows as "Error" in the show command output from the /var/import/import.json file, then save and close the file.
For example:
{
"date": "2022-11-06",
"platform": "R5R10",
"status": "100",
"source": "/var/export/chassis/import/preserved_sources/F5OS-A-1.3.1-8863.R5R10.CANDIDATE.img",
"version": "1.3.0-8327",
"component": "services",
"port": "2006",
"size": 2519765504,
"error": "",
"subcomponents": []
},
2. Do any one of the following:
- systemctl restart sw-mgmt.service
- docker restart system_image_agent
- reboot the system
3. The system will now remove the error flag from the "show system image" output, and these services can be deleted from the CLI/webUI.
Workaround #2:
To avoid this error in the "show system image" output, first upgrade to 1.5.0 and then remove the older ISOs (1.3.2, 1.3.1, 1.1.1, etc.).
1266197-2 : CVE-2022-4254 sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters
Links to More Info: K000136157, BT1266197
1263941-2 : CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
Links to More Info: K000132667, BT1263941
1256897-4 : Deleting an ECDSA curve using the CLI takes a while to restart the http-server with the default RSA certificate.
Links to More Info: BT1256897
Component: F5OS-A
Symptoms:
After setting a valid ECDSA curve type:
prime256v1 X9.62/SECG curve over a 256 bit prime field
secp384r1 NIST/SECG curve over a 384 bit prime field
and storing the self-signed certificate into TLS, the GUI will show the certificate info for this URL.
Going into the CLI and deleting the key and certificate:
su admin
config
no system aaa tls config certificate
no system aaa tls config key
commit
removes the ECDSA certificate and key, and http-server is restarted with the default created RSA key and certificate.
However, the GUI still has the deleted certificate and continues to use it despite a refresh or an attempt to log in from another browser window.
Looking at what happens under the covers shows that the ECDSA key and certificate are deleted and that httpd was restarted (all processes have new PIDs).
The problem seems to happen with ECDSA curves only and might be explained by either of the following:
- On Linux operating systems, a file isn't completely deleted until the last referring program releases it.
- The browser caches the certificate if its type is ECDSA and does not release that cache right away.
Using the default RSA key and certificate seems to fail when the ECDSA certificate is deleted, but after a 60-second timeout, the http-server recovers and everything seems back to normal. It could take a couple of timeouts, meaning that two minutes must go by.
Conditions:
After selecting an ECDSA key type (for curve type prime256v1 or secp384r1) and connecting successfully, the key and certificate are deleted from ConfD, resulting in having the http-server use a default created RSA key and certificate.
Impact:
This can be a bit concerning, in that one expects the certificate to be replaced immediately once the key and certificate are removed. From an operational perspective, the flow does not seem to be affected as the webUI continues to work. Eventually the certificate type will no longer be the ECDSA type, but this can take a few minutes, perhaps longer.
Workaround:
To hasten the fix, one can do: docker restart http-server, which usually fixes the issue right away, or a reboot will also accomplish this.
1256437-1 : Interface with a default route with gateway is NOT available
Links to More Info: BT1256437
Component: F5OS-A
Symptoms:
Interface with a default route with gateway is NOT available.
Without a default interface, k3s will fail to come up.
Conditions:
Without default interface, k3s will fail to come up.
Impact:
K3s will be down.
Workaround:
rm -f /etc/NetworkManager/system-connections/default-intf
and reboot
Fix:
Delete the file - /etc/NetworkManager/system-connections/default-intf
and reboot.
1253713-3 : CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png
Links to More Info: K000133070, BT1253713
1252445-2 : QKView is collecting iptable dump only for filter table but not for raw, mangle, and nat
Links to More Info: BT1252445
Component: F5OS-A
Symptoms:
When QKView is collected on F5OS, it displays data only for the filter table and not for the nat/mangle/raw tables in the container network.
Conditions:
Collect QKView on F5OS using system diagnostics QKView capture.
Impact:
No impact; iptable dump for filter table is already present.
Workaround:
N/A
Fix:
Updated QKView file to include required iptable commands.
1252377-4 : VXLAN-GPE and GENEVE are disabled by default when software is upgraded from F5OS-A 1.3.0 build to F5OS-A 1.4.0★
Links to More Info: BT1252377
Component: F5OS-A
Symptoms:
When r10000 or r5000 Series hardware is running with F5OS-A 1.3.0, the default settings for VXLAN-GPE and GENEVE are enabled, and hardware disaggregation support for these tunnel protocols is enabled without any explicit configuration.
If the software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0, these protocols will be disabled, and hardware disaggregation is disabled. These two protocols must be enabled explicitly in the configuration to enable them in the hardware.
Conditions:
VXLAN-GPE and GENEVE tunnels are used in a deployment running F5OS-A 1.3.0 without any explicit configuration enabling these two tunnels, and the software is upgraded to F5OS-A 1.4.0 or later.
Impact:
Hardware disaggregation support for VXLAN-GPE and GENEVE will be disabled if software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0 or later when these two tunnels are using default configuration to enable them.
Workaround:
Use explicit tunnel settings to enable VXLAN-GPE and GENEVE in F5OS-A 1.3.0, or enable these two protocols explicitly after software upgrade from F5OS-A 1.3.0.
Fix:
VXLAN-GPE and GENEVE are disabled in the default global configuration. It is advised to use explicit tunnel configuration settings to enable hardware disaggregation support.
1251981 : Speed on webUI Interfaces screen is empty for 1GB
Links to More Info: BT1251981
Component: F5OS-A
Symptoms:
When interface speed is 1GB, the speed column on this screen is blank. The Edit Interfaces screen has the same issue.
Conditions:
Interface speed is set to 1GB.
Impact:
Speed column will be blank, so user will not see the actual speed.
Workaround:
Use the F5OS CLI to view the interface speed when it is set to 1GB.
Fix:
Speed column is now populated correctly on the Interfaces screen.
1250901-2 : On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state
Links to More Info: BT1250901
Component: F5OS-A
Symptoms:
After a reboot of the system in live upgrade, tenants that were running earlier might not change to a running state. This is due to the HSM board driver stuck in SAFE_STATE instead of OPERATIONAL_STATE.
In some cases, the driver changes to an operational state after some amount of time (approximately 10 minutes). But this time might vary upon detection of reset/link failure in the hardware. In some other systems, the driver becomes stuck in SAFE_STATE indefinitely.
Conditions:
Live upgrade/reboot of the rSeries FIPS system with F5OS-A.
You may observe the logs below in dmesg:
[ 964.105021] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION
Impact:
Running tenants go to pending state when this issue occurs in a live upgrade.
Workaround:
Check contents of cavium_n3fips file as shown below.
[appliance]# cat /proc/cavium_n3fips/driver_state
HSM 0:OPERATIONAL_STATE
If the driver changes to an operational state, perform "docker restart fips-support-pod" to help in recovering.
But if the driver state is still "HSM 0:SAFE_STATE", you may need to perform a power cycle reboot (but this will not guarantee recovery).
Fix:
N/A
1249773-2 : QKView may fail to collect all files for platform-monitor container
Links to More Info: BT1249773
Component: F5OS-A
Symptoms:
Very occasionally, QKView will have a conflict collecting round-robin database (RRD) files in the platform monitor container. The qkview-collect routine may terminate unexpectedly as a result.
Conditions:
QKView capture request happens coincidentally to round-robin database update.
Impact:
RRD files may not be collected.
Workaround:
Rerun QKView.
Fix:
This will be fixed in a future release.
1240749-1 : F5OS systems send incomplete DDoS stats response to the tenants
Links to More Info: BT1240749
Component: F5OS-A
Symptoms:
BIG-IP tenants on F5OS systems receive an incomplete/corrupted DDoS stats response, which leads to a TMM crash.
Conditions:
Undetermined circumstances on a BIG-IP tenant with AFM provisioning.
Impact:
TMM crashes on the tenant, which affects application traffic. Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
TMM no longer crashes.
1240565-2 : Not allowing special characters "/*!<>^,/" in SNMP community/user/target name
Links to More Info: BT1240565
Component: F5OS-A
Symptoms:
Currently, all characters are allowed when configuring an SNMP community/target/user name. Because of that, someone can use this configuration to inject a script, and the system can be compromised.
Conditions:
Try to configure an SNMP community/target/user with the command below:
r10900-1(config)# system snmp communities community <script>alert(1)</script config security-model v2c
r10900-1(config-community-<script>alert(1)</script)# commit
Commit complete.
r10900-1(config-community-<script>alert(1)</script)#
r10900-1# show running-config system snmp
system snmp engine-id config value mac
system snmp communities community <script>alert(1)</script
config security-model [ v2c ]
Impact:
All characters are allowed when configuring an SNMP community/target/user name. Because of that, someone can use this configuration to inject a script, and the system can be compromised.
Workaround:
N/A
Fix:
Special characters /*!<>^,/ are now restricted (identified as invalid input) in SNMP community/target/user name configuration.
Note: Upgrade will fail if the user already has an SNMP configuration containing the restricted special characters /*!<>^,/
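Because an existing name with a restricted character makes the upgrade fail, the following added shell example (not F5 code) scans saved "show running-config system snmp" output for such names before upgrading. The community line is the one shown above; the other sample lines are constructed, and the `users user` and `targets target` line prefixes are assumptions modelled on the communities line.

```shell
#!/bin/sh
# Added example (not F5 code): pre-upgrade check for SNMP names that the fix
# for ID 1240565 rejects. Restricted characters, as the release note lists
# them: / * ! < > ^ ,

# Reads saved "show running-config system snmp" output on stdin (or from
# files given as arguments) and prints "<kind> <name>" for every community,
# user or target name that contains a restricted character.
# Assumption: users and targets appear as "system snmp users user <name>"
# and "system snmp targets target <name>".
# Names containing whitespace are not handled: only the first token after
# the keyword is inspected.
snmp_restricted_names() {
    awk '
    $1 == "system" && $2 == "snmp" &&
    (($3 == "communities" && $4 == "community") ||
     ($3 == "users"       && $4 == "user")      ||
     ($3 == "targets"     && $4 == "target")) {
        if ($5 ~ "[/*!<>^,]") print $4, $5
    }' "$@"
}

# Sample input: first community line from the release note, rest constructed.
sample_snmp_config() {
    cat <<'EOF'
system snmp engine-id config value mac
system snmp communities community <script>alert(1)</script
 config security-model [ v2c ]
system snmp communities community monitoring-ro
 config security-model [ v2c ]
system snmp users user snmpv3,ops
system snmp targets target nms-01
EOF
}

sample_snmp_config | snmp_restricted_names
```

Any name it prints has to be renamed or removed before the upgrade is attempted.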
1239325 : Issue when Management IP address is configured to have public internet access on F5OS
Links to More Info: BT1239325
Component: F5OS-A
Symptoms:
The F5OS webUI allows web crawlers access to all content when the Management IP address is configured to have public internet access.
Conditions:
If the Management IP address is configured to have public internet access.
Impact:
This impedes the ability to satisfy internal security compliance mandates.
Workaround:
To mitigate the issue, you can manipulate the contents of the robots.txt file inside the webUI container as demonstrated below:
$ ssh root@10.238.160.60
root@10.238.160.60's password:
[root@appliance-1 ~]# docker exec -it vanquish-gui bash
[root@d6303361e100 /]# cd /app/build
[root@d6303361e100 build]# echo "User-agent: *" > robots.txt
[root@d6303361e100 build]# echo "Disallow: /" >> robots.txt
[root@d6303361e100 build]# cat robots.txt
User-agent: *
Disallow: /
[root@d6303361e100 build]# exit
exit
[root@appliance-1 ~]# exit
logout
Connection to 10.238.160.60 closed.
Fix:
Robots.txt now disallows web crawlers access to any content.
1236857-1 : F5OS OID SNMPv2-MIB::sysDescr provides meaningless information for system controller
Links to More Info: BT1236857
Component: F5OS-A
Symptoms:
After setting up snmpwalk on an older version and live upgrading to another version, snmpwalk still shows the older service version.
Conditions:
1. Configure SNMP.
2. Upgrade the system with live upgrade.
3. Check the system version using SNMPv2-MIB::sysDescr (it will point to the older version).
Example:
SNMPv2-MIB::sysDescr.0 = STRING: Linux 3.10.0-1160.62.1.F5.1.el7_8.x86_64 : Appliance services version <older_version>
Impact:
sysDescr will display the older version.
Workaround:
N/A
Fix:
This issue is fixed in the latest release.
1234049 : The Add/Edit tenant deployment screen on the r4600 webUI does not have the option for 12 vCPUs in the vCPUs dropdown
Links to More Info: BT1234049
Component: F5OS-A
Symptoms:
The vCPUs dropdown does not have 12 as an option in the Add/Edit tenant deployment screen on the r4600 webUI.
Conditions:
While adding or editing a tenant on the r4600 system via webUI.
Impact:
The user cannot add or edit a tenant with 12 vCPU cores on the webUI.
Workaround:
Users can add/edit a tenant with 12 vCPU cores from the CLI.
Fix:
The webUI will have an additional option for '12' in the vCPUs dropdown thus allowing the user to deploy a tenant with 12 vCPU cores.
1232369 : Intel Microcode update
Links to More Info: BT1232369
Component: F5OS-A
Symptoms:
Intel Microcode update was found to fix an internal regulator power issue. No workaround; requires BIOS update.
Conditions:
Intel Microcode earlier than 0d000389 in the BIOS.
Impact:
Unknown
Workaround:
Upgrade BIOS that includes the new microcode 0d000389 from Intel.
Fix:
BIOS version 2.01.134.1 has been updated from vendor with the updated microcode from Intel.
1232309 : CVE-2020-10754: nmcli did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings
Links to More Info: K000132761, BT1232309
1231357 : Unexpected reboot might occur on r5000/r10000 Series
Links to More Info: BT1231357
Component: F5OS-A
Symptoms:
An unexpected operating system reboot might occur on r5000/r10000 Series.
After the system reboots, in the /var/crash/ directory there will be a new directory created that is named with a timestamp corresponding to the reboot. In that new directory, a file vmcore-dmesg.txt is available with the following error message:
CPU 0: Machine Check Exception: 5 Bank 4: ba00000056000402
Conditions:
Unexpected system reboot.
Impact:
When the reboot occurs, the entire system will reboot and all tenants will stop processing traffic until the reboot is complete. The system will operate normally after the reboot.
Workaround:
None
Fix:
This issue has been corrected.
1230609 : Neighbor interface description is not updated in LLDP neighbor details
Links to More Info: BT1230609
Component: F5OS-A
Symptoms:
Port Description TLV is not displayed under LLDP interface neighbors.
Conditions:
1) Enable LLDP on the device and on the switch.
2) Enable the port description TLV.
3) Set the port description on the interface on the switch side.
Impact:
No impact.
Workaround:
N/A
Fix:
Fixed code to display port description.
1229465-3 : QKView is not collecting core files in /var/crash
Component: F5OS-A
Symptoms:
QKView was designed to collect core files in /var/core only. The operating system kernel can create core files in /var/crash. SEs need to know about these files.
Conditions:
OS kernel creates a core file.
Impact:
Core file not collected by QKView.
Workaround:
Core file can be manually copied from /var/crash.
Fix:
QKView takes a directory listing from /var/crash and collects core files in that directory.
1229449-1 : Username is not logged on rSeries appliance when webUI authentication fails
Links to More Info: BT1229449
Component: F5OS-A
Symptoms:
When a user tries to log in via webUI and provides the wrong credentials, the username is not getting logged.
Conditions:
When a user tries to log in via webUI and provides the wrong credentials.
Impact:
Unable to see the user name for whom authentication has failed.
Fix:
N/A
1226505-2 : Average transactions per second impacted in certain cases
Links to More Info: BT1226505
Component: F5OS-A
Symptoms:
There is a reduction in http/https average transactions per second for some file sizes when ASM is configured on BIG-IP tenant on R2000 series.
Conditions:
BIG-IP config: virtual server with asm_rw policy attached to it; virtual server with profiles http, tcp, and websecurity attached to it (visual snippet is at the end of high level details).
CPU: 95-97%
simulated users: 1536
The traffic involved in testing ASM is close to real world traffic conditions.
Impact:
Reduction in average transactions per second when traffic is run for a specified duration with 1536 simulated users.
Impact is seen for http traffic specific to 32kb and 5kb file sizes.
Workaround:
N/A
Fix:
N/A
1226429 : "DEBUG cannot reply twice on the same call" log reporting repeatedly
Links to More Info: BT1226429
Component: F5OS-A
Symptoms:
When the snmpget operation is performed on IF-MIB, the message "DEBUG cannot reply twice on the same call" appears in /var/log/message. DEBUG is enabled in one of the service containers, so this DEBUG message is logged in /var/log/message.
Conditions:
One of the reproduction steps is to perform the snmpget operation on IF-MIB.
Impact:
No known impact on the functionality. They are DEBUG messages only.
Workaround:
No workaround. The debug messages stop when the snmpget operation is completed.
Fix:
Removed unwanted debug enable from the service container.
1225989-2 : TACACS users only able to access CLI, not webUI
Links to More Info: BT1225989
Component: F5OS-A
Symptoms:
A TACACS user with either admin or operator privilege is unable to log onto the webUI, but can get access through the CLI. This was found to be due to an internal file linking error.
Conditions:
Have a correctly configured TACACS authenticated user access the webUI.
Impact:
The login will not be successful, and an "Authentication failed" message will be displayed. The webUI will be inaccessible.
Workaround:
N/A
Fix:
The file link issue has been resolved, and the problem no longer exists.
1225981-1 : Files greater than 1000 MiB are truncated in QKView
Links to More Info: BT1225981
Component: F5OS-A
Symptoms:
QKView is unable to collect an untruncated platform.log file that has been rotated.
Conditions:
Rotated copy of the platform.log file is greater than 1000 MiB.
Impact:
Logs are not complete in QKView making it difficult to troubleshoot issues.
Workaround:
Collect the log files manually.
1225701-1 : Filenames with special characters in /var/import/staging cause upgrade to fail
Links to More Info: BT1225701
Component: F5OS-A
Symptoms:
Copying images with special characters in the filename to /var/import/staging causes the sw-mgmt service to exit. The system is unable to change versions.
Conditions:
Copy or import an image with special characters in the filename to /var/import/staging. Then, try to upgrade.
Impact:
sw-mgmt service is exiting, and the system will not upgrade.
Workaround:
Remove the image with the special characters using the commands below in a bash prompt:
chattr -i /var/import/staging/<iso with special characters>
rm -rf /var/import/staging/<iso with special characters>
Then, restart sw-mgmt.service:
systemctl restart sw-mgmt.service
Fix:
We have modified sw-mgmt to remove any images containing special characters.
1217169-2 : Disk full: Latest ISO is not getting imported★
Links to More Info: BT1217169
Component: F5OS-A
Symptoms:
Not able to import images because the /var/export/chassis LVM goes into read-only mode when usage of this LVM exceeds 50%.
This LVM is created as VDO (virtual data optimizer) volume, twice the size of the physical partition size, so 50% of the LVM size is equal to 100% of the size of the underlying physical device (partition), on which this LVM is being created.
When the LVM usage reaches more than 50% of LVM size, the LVM metadata is corrupted, causing this issue.
Conditions:
The issue is seen when usage of the LVM /var/export/chassis reaches around 50% by importing more than 12 F5OS-A images on an rSeries low device.
Impact:
Not able to import images once the LVM /var/export/chassis goes to read-only mode.
Workaround:
The workaround is to remove older images from /var/export/chassis/import/iso/ using the command below before importing or copying new images.
appliance-1(config)# system image remove iso <old/unused iso version>
or
If it is not possible to delete the images using the above command, follow the steps below.
chattr -i /var/import/staging/<old/unused iso>
rm -rf /var/import/staging/<old/unused iso>
If the issue is seen (/var/import/staging/ becomes read-only), the only way to recover the system is to perform either a PXE boot or USB install on the system.
1215917 : webUI failed to load when downgrading from 1.5.0 to 1.3.1 with self-signed certificate with encrypted RSA key type
Component: F5OS-A
Symptoms:
webUI fails to load.
Conditions:
If the self-signed certificate is enabled with encrypted-RSA/ECDSA, and the system is downgraded to a version lower than 1.5.0.
Impact:
webUI fails to load.
Workaround:
Remove the self-signed encrypted certificate before downgrading to lower versions.
Fix:
Added code changes to restrict the downgrade to lower versions if encrypted RSA/ECDSA certificate is available.
1211861 : Configured input values of IP address fields reset to default upon switching the protocol
Links to More Info: BT1211861
Component: F5OS-A
Symptoms:
IP address fields are reset to default values.
Conditions:
When the user changes the protocol and switches back to the previously selected protocol via the "Address" field on the webUI.
Impact:
Values of IP address fields are lost as they are reset to default values.
Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.
Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.
We have added 'X' buttons adjacent to the address fields that can be leveraged to put in default values in case the user does not want to configure the fields for a particular protocol.
1211777 : Configured input values of IP address fields reset to default upon switching the protocol
Links to More Info: BT1211777
Component: F5OS-A
Symptoms:
IP address fields are reset to default values.
Conditions:
When the user changes the protocol and switches back to the previously selected protocol via the "Address" field on the webUI.
Impact:
Values of IP address fields are lost as they are reset to default values.
Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.
Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.
We have added 'X' buttons adjacent to the address fields that can be leveraged to put in default values in case the user does not want to configure the fields for a particular protocol.
1211673-2 : Default tenant disk size is based on tenant image type
Links to More Info: BT1211673
Component: F5OS-A
Symptoms:
There is no impact on functionality.
Previously, default tenant disk size was 77GB regardless of image type.
After the fix:
T1 type image - 22GB
T2 type - 45GB
T4 - 142GB
ALL - 82GB
Based on image type, default storage size will be used.
Conditions:
Tenants are created with a default disk size of 77GB although their image size is different.
Fix: create tenant disk based on image type.
Impact:
No functionality impact
Workaround:
No Functionality impact.
Fix:
No Functionality impact.
1211025 : Firmware update interrupted during OS install★
Links to More Info: BT1211025
Component: F5OS-A
Symptoms:
Firmware update can be interrupted by docker container issues.
Conditions:
Random container issue restarts all containers.
Impact:
If firmware is being updated in that moment, the firmware update will fail and it could cause problems to normal system operation.
Workaround:
Ask the support team to update the LOP firmware.
Fix:
The Docker container failure handling routine checks whether firmware is being updated and waits until the update is done before handling the failure.
1207485-1 : LACP daemon restarts when changing lag-type of the aggregation
Links to More Info: BT1207485
Component: F5OS-A
Symptoms:
LACP daemon restarts. The system will be unable to process LACPDUs until LACP daemon starts up again.
Conditions:
The issue occurs from changing the lag-type of an aggregation interface that does not have an associated LACP interface.
Impact:
All LACP link aggregations may go down and be unable to process traffic for a short time. The down time, if it occurs, should be less than a few seconds.
Workaround:
Only change an aggregation's lag-type while an associated LACP interface exists.
Fix:
LACP daemon will not restart when changing an aggregation's lag-type while an associated LACP interface does not exist.
1207189-3 : CVE-2022-38178 in bind-license-32:9.11.4-26.P2.el7_9.7
Links to More Info: K000137229, BT1207189
1207185-2 : CVE-2022-38178 in bind-export-libs-32:9.11.4-26.P2.el7_9.7
Links to More Info: K000137229, BT1207185
1205409-2 : Cannot export or download files from diags/shared/tcpdump path
Links to More Info: BT1205409
Component: F5OS-A
Symptoms:
The diags/shared/tcpdump path gives access to the tcpdump files captured for system diagnostics. However, these files could not be downloaded from the webUI to the local system.
Conditions:
- User generates a tcpdump file for system diagnostics
- User navigates to the diags/shared/tcpdump path in the webUI and tries to download file, resulting in an error
Impact:
Unable to download tcpdump files from diags/shared/tcpdump path in the webUI. Hence, a user cannot access these files from the webUI.
Workaround:
Create /var/docker/config/platform.override.yml with these contents:
version: '2.1'
services:
  http-server:
    volumes:
      - /var/F5/system/shared/tcpdump:/var/shared/tcpdump
Then, restart platform-services.
Fix:
User is now able to download and export files from diags/shared/tcpdump path to any required destination without any errors.
1205345-5 : RADIUS remote authentication uses internal system IP address as system identifier in requests
Links to More Info: BT1205345
Component: F5OS-A
Symptoms:
When configured for RADIUS remote authentication, F5OS systems send an internal system IP address as the Network Access Server (NAS) system identifier (NAS-IP-Address or NAS-IPv6-Address), rather than a system management IP.
On VELOS systems, the NAS-IPv6-Address will be a link-local IPv6 address in fe80::/64.
On rSeries appliances, the NAS-IP-Address will be an address in the internal address range (RFC6598 by default), e.g. 100.65.60.2.
Conditions:
RADIUS remote authentication for system users.
Impact:
RADIUS authentication servers may ignore or reject authentication requests due to an unknown system identifier in the requests.
Workaround:
None.
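For a RADIUS server operator diagnosing rejected requests from an affected system, the check below (an added example, not F5 code) parses an Access-Request and flags NAS-IP-Address (attribute 4) or NAS-IPv6-Address (attribute 95) values in the internal ranges described above. The packets are constructed samples; the helper names and the 192.0.2.10 management address are assumptions.

```python
"""Flag RADIUS Access-Requests whose NAS identifier is an internal address."""
import ipaddress
import struct

USER_NAME = 1           # RFC 2865
NAS_IP_ADDRESS = 4      # RFC 2865
NAS_IPV6_ADDRESS = 95   # RFC 3162
HEADER_LEN = 20         # code(1) + id(1) + length(2) + authenticator(16)

# RFC 6598 shared address space, the default internal range named in the note.
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError on malformed input."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def internal_nas_addresses(packet):
    """List (attribute, address, reason) for NAS identifiers in internal ranges."""
    _code, attrs = parse_attributes(packet)
    flagged = []
    for atype, value in attrs:
        if atype == NAS_IP_ADDRESS and len(value) == 4:
            addr = ipaddress.IPv4Address(value)
            if addr in SHARED_SPACE:
                flagged.append(("NAS-IP-Address", str(addr),
                                "RFC 6598 shared address space"))
        elif atype == NAS_IPV6_ADDRESS and len(value) == 16:
            addr = ipaddress.IPv6Address(value)
            if addr.is_link_local:
                flagged.append(("NAS-IPv6-Address", str(addr),
                                "IPv6 link-local"))
    return flagged


def build_access_request(attrs, ident=1):
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", 1, ident, HEADER_LEN + len(body))
    return header + bytes(16) + body


# Constructed samples. 100.65.60.2 is the rSeries example from the release note;
# fe80::1 and 192.0.2.10 are made-up values for illustration.
RSERIES_REQUEST = build_access_request([
    (USER_NAME, b"admin"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("100.65.60.2").packed),
])
VELOS_REQUEST = build_access_request([
    (USER_NAME, b"admin"),
    (NAS_IPV6_ADDRESS, ipaddress.IPv6Address("fe80::1").packed),
])
MGMT_REQUEST = build_access_request([
    (USER_NAME, b"admin"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),
])

if __name__ == "__main__":
    for name, pkt in (("rSeries", RSERIES_REQUEST),
                      ("VELOS", VELOS_REQUEST),
                      ("management IP", MGMT_REQUEST)):
        print(name, internal_nas_addresses(pkt) or "identifier looks routable")
```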
1204985-2 : The root causes of F5OS-A upgrade compatibility check failures are hidden in /var/log/sw-util.log.
Links to More Info: BT1204985
Component: F5OS-A
Symptoms:
When performing a live upgrade, if the upgrade compatibility check fails, users can only see "System database upgrade compatibility check failed" error message. The applicable information about what failed is neither displayed nor shown in platform.log/velos.log.
Conditions:
1. Perform a live-upgrade.
2. If the upgrade compatibility check fails, users can only see "System database upgrade compatibility check failed" error message. The applicable information about what failed is neither displayed nor shown in platform.log/velos.log.
Impact:
Upgrade failure logs are not logged in platform.log/velos.log.
Workaround:
None
Fix:
This issue is fixed and displays the error scenarios in platform.log/velos.log.
1204481 : System may flap external links multiple times during startup or links may fail to come up at all
Links to More Info: K000132166, BT1204481
Component: F5OS-A
Symptoms:
When the system boots up, the interfaces may flap (go up and down) several times in quick succession before coming up and stabilizing.
In some cases, the interfaces fail to come up at all.
If a peer switch is configured to detect excessive link flaps, it may put the port in an err-disable state and prevent the link from coming up.
Conditions:
-- r5000 or r10000 Series appliance
Impact:
If the peer switch triggers a link-flap detection feature, the ports may remain offline until an administrator manually recovers the port on that switch.
Workaround:
There is no workaround for this issue on the rSeries appliance.
An administrator can mitigate this issue by doing one of the following:
- configuring the peer switch to automatically try to recover ports that are disabled for excessive link flapping
- increasing the number of link flaps required in a certain interval before the port is put in a disabled state
Fix:
Disable sending of remote-fault signaling to peer device while the system is booting up.
1204433-2 : "Appliance-mode" flag in license should not be used to enable appliance-mode
Links to More Info: BT1204433
Component: F5OS-A
Symptoms:
Appliance-mode enabled using license will not get reflected in "show tenants" CLI.
Conditions:
The issue is seen when "appliance-mode" is enabled through license.
Impact:
Appliance-mode enabled using license will not get reflected in "show tenants" CLI.
Workaround:
Appliance-mode can be configured from CLI.
Fix:
Appliance-mode can be configured from CLI.
1194881-5 : Bind vulnerabilities: CVE-2021-25220 and CVE-2022-2795
Links to More Info: K78285929
1190369 : Terminal window not reflecting configured hostname
Component: F5OS-A
Symptoms:
The title of the terminal window does not have the configured hostname.
Currently, all open windows with root login either from PuTTY or any application display as appliance-1.
Conditions:
Connecting to the device using ssh clients like PuTTY.
Impact:
This causes difficulty for a user trying to juggle multiple open SSH sessions during a maintenance window.
1188921-1 : tcpdump not working after upgrade
Links to More Info: BT1188921
Component: F5OS-A
Symptoms:
tcpdump fails with CLI error:
errbuf ERROR:DMAA error, packets cannot be captured
tcpdump: pcap_loop: DMAA error, packets cannot be captured
Error logged:
appliance-1 tcpdumpd-manager[8]: priority="Crit" version=1.0 msgid=0x5406000000000029 msg="DMAA socket failed:" comp="connect" errno=2.
Conditions:
System upgrade has failed to properly update the configuration file, which is responsible for starting tcpdumpd_manager.
Impact:
tcpdumpd_manager will not be able to start and packets cannot be captured. tcpdumpd_manager will continue to log this failure to the system log.
Workaround:
None
Fix:
Improved tcpdumpd_manager start-up routine to check for line-dma-agent socket availability.
1188053 : SSH idle-timeout support
Component: F5OS-A
Symptoms:
There was no idle-timeout implemented for SSH session. The SSH session was not getting terminated even if it was idle for a long time.
Conditions:
There was no idle timeout for SSH session.
Impact:
SSH session will not get terminated even if it is idle for long time.
Workaround:
User must close the SSH session.
Fix:
Implemented SSH idle-timeout which is configurable from CLI/RESTCONF. The SSH session will now get terminated if it is idle for the configured idle-timeout. The default value is 0, which means no idle-timeout.
1185701-2 : 'system aaa' command in ConfD to fail with "Error: application communication failure"
Links to More Info: BT1185701
Component: F5OS-A
Symptoms:
System fails to change password and renders system in a degraded state where user management no longer works.
System fails to provide proper user feedback to the user about failed password changes.
Conditions:
This policy option is causing the problem:
system aaa password-policy config retries 5
Impact:
F5OS user password cannot be changed.
Workaround:
Do not change the configuration from default.
system aaa password-policy config retries 5
Fix:
N/A
1185497-3 : Tenant health in the partition shows additional entries that are not part of the tenant configuration
Links to More Info: BT1185497
Component: F5OS-A
Symptoms:
When the admin upgrades the system software from 1.3.x to 1.5.0, the platform updates the tenant's table with additional entries that are not running as part of the tenant's original configuration.
Conditions:
Power cycle or system software upgrades from 1.3.x to 1.5.0.
Impact:
There will not be any impact on the critical functionality of the tenant, and traffic continues to work. However, it does show some unwanted information in the health which could be confusing.
Workaround:
Toggling the affected tenant's running state from "Deployed" to "Provisioned" and back to "Deployed" will fix the state of the tenant in the table.
Fix:
During the power cycle/system upgrade, the platform re-populates the tenant oper status from Openshift and publishes it to Partition. If the REST response of the tenants from Openshift is incomplete, the platform is populating entries under the wrong key/value. As a result, the partition tenant's table ends up with some unwanted entries.
It is a cosmetic issue and will not impact any tenants.
1184821 : Obscure crash in external authenticator
Links to More Info: BT1184821
Component: F5OS-A
Symptoms:
An unexpected sequence of characters in the username or password of an external login could cause a crash in the external authenticator.
Conditions:
Certain malformed usernames or passwords being used for external authentication.
Impact:
The crash in these circumstances would prevent successful login. After analysis, it was deemed there was no security risk or exposure.
Workaround:
Use usernames and passwords for authentication via SSH or webUI that conform to the device username/password requirements.
Fix:
The bug was fixed and a crash no longer occurs.
1184429-1 : Specifying "operation not supported" as an iHealth QKView description or SR number will disable iHealth uploading
Links to More Info: BT1184429
Component: F5OS-A
Symptoms:
Communication with iHealth was scanned for the phrase "operation not supported" to indicate an error. Using this phrase as a description or as an SR case triggers an error, preventing the ability to upload to iHealth.
Conditions:
The phrase "operation not supported" is used as an iHealth QKView description or SR number.
Impact:
Unable to upload iHealth through the iHealth upload service on the device.
Workaround:
Do not use the phrase "operation not supported" as a description or an SR case number when uploading to iHealth.
Fix:
The error check now scans for the HTTP error code instead of scanning the text of the HTTP body.
1183909-2 : Python urllib3 vulnerabilities CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074
Links to More Info: K000133448, BT1183909
1181929-3 : F5OS install may partially fail, leaving system with mismatched OS and services★
Links to More Info: BT1181929
Component: F5OS-A
Symptoms:
After an attempted upgrade, administrators are unable to access the system via management UI, or log into the system as any user other than "root".
A message such as the following in the platform log:
priority=Fatal msgid=0x3501000000000021 msg=OStree rebase to version 1.2.0-10139 failed.
Conditions:
The first part of an F5OS software upgrade fails, but the system continues on and performs subsequent steps of the upgrade.
Impact:
The system may be completely inoperative, or the system may be running with different OS and services versions, which could lead to unknown problems.
Workaround:
If this issue occurs, contact F5 Support for assistance.
1181721 : Add additional commands and files to QKView collection
Component: F5OS-A
Symptoms:
There is no change in functionality. The fix adds new commands and files to QKView collection.
Conditions:
Additional commands and files are added to the QKView collection and they will be collected whenever QKView is requested.
Impact:
Additional commands and files are added to the QKView collection.
Workaround:
Only new commands and files will not be collected as part of QKView collection. Old commands and files will get collected in QKView.
Fix:
Additional commands and files are added to the QKView collection.
1167761-2 : Directory indexing enabled for management webUI
Links to More Info: BT1167761
Component: F5OS-A
Symptoms:
Directory indexing is enabled for management webUI.
Conditions:
When the management IP is followed by the name of any directory that is contained in the webUI, the build directories and file contents are visible on the browser.
Impact:
The webUI build directories and file contents are visible on the browser.
Workaround:
None
Fix:
Disabled directory indexing.
1166149-1 : CVE-2021-27803 wpa_supplicant: Use-after-free in P2P provision discovery
Links to More Info: K000135433, BT1166149
1165973-2 : Application error while using the CLI command "show components"
Links to More Info: BT1165973
Component: F5OS-A
Symptoms:
The user receives an error message using the CLI (show components -> Error: application error) when there is a faulty sensor in the hardware.
Conditions:
When the system has the faulty sensor.
Impact:
Application error seen in the ConfD CLI while trying to execute "show components". The webUI is affected as well.
Workaround:
N/A
Fix:
We have added a check at diag-agent to not throw the application error; it will show data for the healthy components.
1137121-3 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0
Links to More Info: BT1137121
Component: F5OS-A
Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".
Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.
Impact:
Tenants will not start and are unusable.
Workaround:
To work around this issue, perform one of these actions:
1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".
Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.
1136725-2 : An iptables CLI error
Links to More Info: BT1136725
Component: F5OS-A
Symptoms:
An iptables command error:
[root@appliance(appliance.chassis.local) ~]# iptables -L
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Conditions:
When a parallel iptables query is happening, this error displays.
Impact:
The iptables can get disturbed.
User may not be able to view the iptables.
Workaround:
During iptables listing, it uses DNS and reverse DNS lookup if "-n" option is not used, which will make iptables hold the lock for longer durations.
Fix:
Added "-n" option in all places where iptables listing is happening.
1136597-3 : LDAP user with admin and operator role gets only operator permissions
Links to More Info: BT1136597
Component: F5OS-A
Symptoms:
An LDAP user configured with groups for both admin and operator roles only receives operator permissions.
Conditions:
LDAP user configured with gidNumber assignments for both admin and operator roles.
Impact:
A user with this config would be assigned only operator permissions.
Workaround:
Only configure the gidNumber for the desired role in LDAP for the user. Do not configure multiple roles for the same user.
Fix:
There was an error in the NACM rules for ConfD config. The role logic has been fixed.
1132569-1 : "cdb_exists failed" error logged in platform.log during boot up
Links to More Info: BT1132569
Component: F5OS-A
Symptoms:
This occurs unconditionally upon every reboot. It doesn't have any functional impact.
Conditions:
Upon every reboot.
Impact:
No impact.
Workaround:
N/A
Fix:
Boot or reboot the device and check platform.log. The issue should no longer occur.
1128877-2 : Mount command added to QKView collection
Links to More Info: BT1128877
Component: F5OS-A
Symptoms:
Mount command was not provided in QKView diagnostics file.
Conditions:
Always.
Impact:
Mount data is currently collected, but may be missing data provided by the mount command.
Workaround:
Run mount command on system and copy results from device.
Fix:
Mount command will be executed in QKView.
1118109-2 : CVE-2019-15605: HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
Component: F5OS-A
Symptoms:
A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections.
Conditions:
An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections.
Impact:
An unauthorized user can gain access to the system.
Workaround:
N/A
Fix:
http-parser has been updated to http-parser-2.7.1-8.el7_7.2
1099069-2 : Issues with pulling files from F5OS device using SCP
Links to More Info: BT1099069
Component: F5OS-A
Symptoms:
Unable to pull packet capture files off of the F5OS device using SCP from admin.
Conditions:
Download packet capture files using SCP from the admin account.
Impact:
Unable to download packet capture files through SCP from admin.
Workaround:
N/A
Fix:
Added support to download files from more directories.
1069365-3 : Error shown when configuring known-host for file transfer when FIPS mode is enabled
Links to More Info: BT1069365
Component: F5OS-A
Symptoms:
"Host unreachable" error is sometimes displayed when FIPS mode is enabled, if a user tries to configure known-host. The ssh-keyscan fails, as ssh-keyscan is not using FIPS approved ciphers.
Conditions:
- FIPS mode is enabled
- User configures known-host for file transfer
Impact:
"Host unreachable" error is thrown.
Workaround:
N/A
Fix:
Updated ssh-keyscan to use FIPS approved ciphers when FIPS mode is enabled.
1047689-4 : Sw_rbcast core file found on system
Links to More Info: BT1047689
Component: F5OS-A
Symptoms:
Partition_sw_rbcast producing core.
Conditions:
Starting a tenant which requires the sw_rbcast container running in the following platforms:
- r5x00
- r10x00
- VELOS
Impact:
The sw_rbcast process crashes and produces a core file.
Workaround:
None
Fix:
A new version of sw_rbcast correctly handles tenant broadcast packets.
1008701-2 : Using curl to access 'scp:' URIs on the partition management IP does not work
Links to More Info: BT1008701
Component: F5OS-A
Symptoms:
Attempting to upload a tenant image via
"curl filename scp:IMAGES"
would fail, even though
"scp filename admin@mgmt-ip:IMAGES"
works.
Conditions:
Accessing ssh/scp via curl rather than the scp application.
Impact:
Cannot use curl to copy files.
Workaround:
Use scp directly rather than curl.
Fix:
The ssh/scp server has been fixed to correctly interpret the file/directory names supplied by the 'curl' command.
Known Issues in F5OS-A v1.5.x
F5OS-A Issues
ID Number | Severity | Links to More Info | Description |
1359277-2 | 1-Blocking | BT1359277 | ConfD CLI timed out and subsequently sees Error: application communication failure |
1319573 | 1-Blocking | | BIG-IP tenants created before F5OS-A 1.3.0 may be allocated a smaller disk than required |
1314169-4 | 1-Blocking | BT1314169 | Tenant service-id mismatch between fdb mac-table and service-instance entries |
1292541 | 1-Blocking | | Loading saved configuration on BIG-IP fails if host modifications are made after "tmsh save sys config" on R2800/R4800 platforms |
1291353-1 | 1-Blocking | BT1291353 | LCD application does not update if appliance is power-cycled during firmware update |
1289929-1 | 1-Blocking | BT1289929 | Tenants fail to come up due to abrupt power cycle |
1288965-1 | 1-Blocking | | Downgrade/upgrade issues are seen because ISO has special characters in the file name★ |
1282493-1 | 1-Blocking | | Crypto devices are not released after tenants are deleted |
1273013-2 | 1-Blocking | | Five percent (5%) deviation can be observed in TPS performance on R10920 and R5920 tenant |
1253717-3 | 1-Blocking | BT1253717 | iavf driver crashes intermittently on r2000 or r4000 systems during system reboot |
1249873-2 | 1-Blocking | BT1249873 | sPVA hardware offload not working correctly on r10k |
1184441-2 | 1-Blocking | BT1184441 | VXLAN-GPE and GENEVE tunnel support |
1519005 | 2-Critical | | Libvirt core file is generated when the system is rebooted. |
1498521 | 2-Critical | | Unable to remove the ISO images that share the same minor version with the running version |
1472285-1 | 2-Critical | | Server error occurs when trying to create LAG. |
1469401-1 | 2-Critical | | ARP request for mgmt interface IP resolving to mgmt0-system interface's MAC |
1464729 | 2-Critical | | Incorrect system-manager version is used in upgrade check while upgrading from 1.3.2 to 1.5.1 |
1380705-2 | 2-Critical | | BIG-IP tenant is stuck during boot up after doing tenant upgrade from 15.1.x to 17.1.x |
1341701-2 | 2-Critical | BT1341701 | Unable to launch tenant, as VF interface is getting incorrect name while attaching to tenant. |
1330797-3 | 2-Critical | BT1330797 | Interfaces removed from LACP trunk due to traffic congestion |
1330793-3 | 2-Critical | BT1330793 | Interfaces removed from LACP trunk due to traffic congestion |
1325893-3 | 2-Critical | | A vqf-dm system software core file is occasionally observed on system reboot |
1293245 | 2-Critical | BT1293245 | During upgrade/downgrade, VM failed to come up and remained in pending state |
1273221-2 | 2-Critical | BT1273221 | On rSeries FIPS system, operations which involve reboot, might result in FIPS device failure state |
1211853-3 | 2-Critical | BT1211853 | Hardware offload features may affect packets destined for unrelated tenants |
1188105-1 | 2-Critical | BT1188105 | K3SClusterUpgrade status shown as Done before cluster pods running up on appliance |
1186597-1 | 2-Critical | BT1186597 | K3S install status in f5OS ConfD is improved |
1169617-3 | 2-Critical | BT1169617 | BIG-IP tenant intermittently showing wrong status |
1154733-1 | 2-Critical | BT1154733 | LLDP error on management interface |
1144005-2 | 2-Critical | BT1144005 | TPS drop of ~14% from F5OS-A 1.1.0 and later on r10000 series platforms |
1126865-3 | 2-Critical | BT1126865 | F5OS HAL lock up if the LCD module is not responding. |
1558897 | 3-Major | | Log messages related to multus in /var/log/messages |
1505497-1 | 3-Major | | During remote logging server configuration, selectors help menu does not display when using Tab key. |
1505185 | 3-Major | | Resource-manager pod runs in the default namespace |
1504089-1 | 3-Major | | System integrity check logs are logged with default name instead of system hostname in platform.log file |
1455913-1 | 3-Major | | Tcpdump on F5OS does not honor the -c flag |
1451181-1 | 3-Major | | The Rest API call to list core files returns 500 error when no core files found. |
1411137-1 | 3-Major | BT1411137 | Audit log entries are missing when creating or deleting objects via UI or API |
1391637-1 | 3-Major | BT1391637 | LCD panel, indicator, and F5 logo light turned off after system upgrade |
1365977-4 | 3-Major | BT1365977 | Container daemons running as PID 1 cannot be cored on-demand |
1354341-3 | 3-Major | BT1354341 | Changing a VLAN from trunked (tagged) to native (untagged) on a LAG in a single transaction can cause traffic outage |
1352353-4 | 3-Major | BT1352353 | Remove integrity-check configurable option from CLI |
1346873-1 | 3-Major | BT1346873 | Timezone configuration logs "Timezone is invalid" warning |
1330273-2 | 3-Major | BT1330273 | When MAC masquerade is enabled on r5k/r10k/r12k systems with a live upgrade, an FDB entry is seen on Active and Standby |
1322685-1 | 3-Major | BT1322685 | Tcpdump sessions are terminated when interfaces are enabled or disabled. |
1315261 | 3-Major | | QAT devices not populated in ConfD |
1306197-2 | 3-Major | BT1306197 | The "show system image" command is taking more time than expected to display the output |
1293013-1 | 3-Major | BT1293013 | "show components component storage state disks disk state" is not auto populating |
1291305-1 | 3-Major | BT1291305 | LACP Mode is passive for a static trunk in tenants running r2800/r4800 platforms |
1288897-1 | 3-Major | BT1288897 | Allowed IP rule name, which contains all underscores, will be deleted while upgrading to F5OS-A 1.7.0 and later versions |
1287993-1 | 3-Major | BT1287993 | Incorrect PSU mismatch indication for two Murata M1845 PSUs operating at different AC input voltages |
1285997-1 | 3-Major | | LLDP is allowed to configure on interfaces when virtual wire is enabled |
1284681 | 3-Major | BT1284681 | IPv6 connections made through port 80 fail |
1280833 | 3-Major | BT1280833 | The error message is not correct when enabling client-cert (Client Certificate Authentication) before setting verify-client (Client Certificate Verification) to true |
1280441-1 | 3-Major | BT1280441 | When no parameter is given for 'system aaa tls create-self-signed-cert', encrypted key-type does not ask for passphrase |
1231889-2 | 3-Major | BT1231889 | Deleting default VLANs and creating them in a partition other than common partition is not supported on BIG-IP tenants running on R2800/R4800 platforms |
1231609-2 | 3-Major | BT1231609 | exclude-cores "true" option still includes the core files in webUI/CLI |
1213185-3 | 3-Major | BT1213185 | ISO file not copied during clean install from USB DVD/CD-ROM device★ |
1211233 | 3-Major | BT1211233 | F5OS dashboard in webUI displays the system root file system usage, not the entire disk |
1209077-2 | 3-Major | BT1209077 | Unable to remove unused ISOs or services if used by openshift |
1196005-2 | 3-Major | BT1196005 | K3S pods version is shown incorrect★ |
1182605-2 | 3-Major | BT1182605 | Boot marker logs do not provide enough information |
1156005-2 | 3-Major | BT1156005 | system-host-config fails to handle order of DNS search path in /etc/resolv.conf |
1132605-3 | 3-Major | BT1132605 | Copied ISO file does not have the immutable bit set after F5OS USB install |
1127393-3 | 3-Major | | Error message is not displayed when user configures more than 3 DNS servers in ConfD CLI or webUI |
1126677-2 | 3-Major | BT1126677 | Inconsistencies with time zones displayed in controller and log files |
1430293-1 | 4-Minor | BT1430293 | Disk requirement validation is not implemented when tenant is in "Configured/Provision" state |
1345721-1 | 4-Minor | BT1345721 | The "show system state boot-time" command does not display any entry |
1210577-2 | 4-Minor | BT1210577 | Supportability: the confd_cmd utility is now included in the system controller container |
1184513-1 | 4-Minor | BT1184513 | F5OS audit log reports duration values in microseconds, using "ms" abbreviation |
Known Issue details for F5OS-A v1.5.x
1558897 : Log messages related to multus in /var/log/messages
Component: F5OS-A
Symptoms:
Intermittently, resizing a tenant causes log messages from multus to be written to /var/log/messages every minute.
Conditions:
When a tenant is resized, log messages related to multus appear every minute in /var/log/messages.
Impact:
No impact on functionality.
Workaround:
Please reboot the system. This will fix the issue.
1519005 : Libvirt core file is generated when the system is rebooted.
Component: F5OS-A
Symptoms:
Intermittently, an incorrect Libvirt core file is generated when the system is rebooted. However, the tenant is healthy and functional after the reboot.
Conditions:
Intermittently, when the system reboots.
Impact:
A Libvirt core file is generated, however the tenant is healthy and functional.
Workaround:
None
1505497-1 : During remote logging server configuration, selectors help menu does not display when using Tab key.
Component: F5OS-A
Symptoms:
While configuring the remote logging server, using the Tab key does not display the selector help menu.
Conditions:
While configuring the remote logging server, using the Tab key does not display the selector help menu.
Impact:
No help menu is displayed.
Workaround:
Use the ? key to get help in the selectors menu while configuring the remote server.
1505185 : Resource-manager pod runs in the default namespace
Component: F5OS-A
Symptoms:
After downgrading from 1.7.0 or any higher version to any version below 1.7.0, a pod named 'resource-manager' runs in the default namespace.
Conditions:
When the system downgrades from 1.7.0 or higher version to 1.5.2 or any lower version.
Impact:
No functionality is impacted.
Workaround:
This pod can be ignored
1504089-1 : System integrity check logs are logged with default name instead of system hostname in platform.log file
Component: F5OS-A
Symptoms:
Logs for the system integrity check are recorded with the default name rather than the system hostname in the platform.log file.
Conditions:
Enable fips-license on the device and set the system hostname to a value other than the default.
The system integrity check logs are still logged with the default name in the platform.log file.
Impact:
No functional impact, but integrity check logs are logged with default name.
Workaround:
None
1498521 : Unable to remove the ISO images that share the same minor version with the running version
Component: F5OS-A
Symptoms:
Removal of an ISO fails when it shares the same minor version with the running version and the base version was imported for the first time as part of the ISO being deleted.
Conditions:
The major and minor version of the current ISO must be the same as those of the ISO being removed, and the base version must have been imported for the first time as part of the ISO being deleted.
Impact:
Unable to remove the unused ISO.
Workaround:
For controller/appliance, you must remove the ISO while running a software version with a different minor release. For example, you can remove 1.6.1-5555 while running ISO version 1.5.X or 1.7.X.
1472285-1 : Server error occurs when trying to create LAG.
Component: F5OS-A
Symptoms:
The following server error occurs and does not create LAG:
"Failure for data/openconfig-interfaces:interface API".
Conditions:
Using GUI and trying to access the LAG tab under Network Settings.
Impact:
The LAG page displays Server Error.
Workaround:
Try reopening the LAG tab several times.
1469401-1 : ARP request for mgmt interface IP resolving to mgmt0-system interface's MAC
Component: F5OS-A
Symptoms:
1. Configure an IP on mgmt0-system from ConfD.
2. Configure an IP on mgmt using a Linux command.
3. An ARP request to mgmt-ip resolves to the MAC of mgmt0-system.
Conditions:
Configuring an IP on the mgmt interface using Linux and nmcli/ip commands.
Impact:
No impact
Workaround:
None
1464729 : Incorrect system-manager version is used in upgrade check while upgrading from 1.3.2 to 1.5.1
Component: F5OS-A
Symptoms:
The incorrect system-manager version is used while upgrading F5OS-A from one patch release to another patch release. This causes issues in database compatibility checks and produces incorrect validation results.
Conditions:
When upgrading from one patch release (such as 1.3.2) to other patch release (such as 1.5.1).
Impact:
The database compatibility checks often provide incorrect validation results, occasionally indicating success even in cases of incompatibility.
Workaround:
None
1455913-1 : Tcpdump on F5OS does not honor the -c flag
Component: F5OS-A
Symptoms:
When using Tcpdump on F5OS with the -c flag, Tcpdump will not stop after receiving the given number of packets.
Conditions:
A Tcpdump session is started with the -c or --count flag.
Impact:
The Tcpdump session will not terminate after receiving the requested number of packets and will continue until manually terminated.
Workaround:
N/A
1451181-1 : The REST API call to list core files returns 500 error when no core files found.
Component: F5OS-A
Symptoms:
The ConfD List Core Files REST API call returns a 500 ERROR when no core files are found rather than returning an empty list.
Example:
https://10.10.10.1:8888/restconf/data/openconfig-system:system/f5-system-diagnostics-qkview:diagnostics/f5-system-diagnostics-qkview:core-files/f5-system-diagnostics-qkview:list
Conditions:
1. No core files exist on the system.
2. The REST API call for querying the list of core files is made.
Impact:
Limited, but may affect automation.
Workaround:
Automation can respond to 500 error.
1430293-1 : Disk requirement validation is not implemented when tenant is in "Configured/Provision" state
Links to More Info: BT1430293
Component: F5OS-A
Symptoms:
There is no validation of the tenant storage size while the tenant is in the Configured or Provisioned state.
Conditions:
Tenant in Configured or Provisioned state.
Impact:
Any disk size is accepted, even one smaller than the required size.
Workaround:
None
1411137-1 : Audit log entries are missing when creating or deleting objects via UI or API
Links to More Info: BT1411137
Component: F5OS-A
Symptoms:
When creating or deleting multiple remote-server related objects via UI or API, multiple restarts happen, causing log messages to be dropped.
Conditions:
While creating or deleting multiple objects related to remote-server, rsyslog restarts every time to apply the new configuration. Due to the restarts, some log messages are dropped.
Impact:
Log messages are dropped due to multiple restarts of the rsyslog.
Workaround:
None
1391637-1 : LCD panel, indicator, and F5 logo light turned off after system upgrade
Links to More Info: BT1391637
Component: F5OS-A
Symptoms:
The system's LCD panel, as well as LCD indicator and the F5 logo light are off. In the user interface, an error reading 'Module communication error detected' can be seen.
Conditions:
Upgrading a r2600 appliance from F5OS-A 1.3.2 to F5OS-A 1.5.1 with LCD current version 1.01.063.00.1 and LCD target version 1.01.067.00.1.
Impact:
LCD panel, indicator, and F5 logo light on the system are off, and an error reading 'Module communication error detected' can be found in the user interface.
Workaround:
Reboot the system.
1380705-2 : BIG-IP tenant is stuck during boot up after doing tenant upgrade from 15.1.x to 17.1.x
Component: F5OS-A
Symptoms:
When F5OS reboots followed by a tenant upgrade from 15.1.x to 17.1.x, the tenants are getting stuck in boot up. This is applicable for both FIPS and normal license.
Symptoms:
[ 183.888473] [ OK ] Started dracut initqueue hook.
[ OK ] Reached target Remote File Systems (Pre).
[ OK ] Reached target Remote File Systems.
dracut-initqueue[251]: Warning: dracut-initqueue timeout - starting timeout scripts
[* ] A start job is running for dev-disk...54e.device (3min 36s / no limit)
The problem does not occur in all the deployed tenants. The main cause is that the BIG-IP tenant fails to boot when its LVM cache/metadata is not synced or is corrupted.
Conditions:
Host reboots followed by guest upgrade.
Tenants get rebooted and retain LVM info, the host gets rebooted, and tenants lose LVM info. There is a timing issue for LVM caching.
Impact:
Datapath and tenant configuration will be lost.
Workaround:
No workaround except recovery of the tenant, which requires manual intervention: enter Maintenance mode, recover the LVMs, and reboot.
Booting into TMOS Maintenance:
The easiest way to do this is as follows.
In one window:
while [ 1 ];do virtctl console cbip-tenant1-1 -n default;done
In another window:
ps auxww|grep cbip-tenant1-1
Kill that qemu PID.
Then go back to the console window, select maintenance in the grub menu, and execute vgcfgrestore.
Note that this is not foolproof.
1365977-4 : Container daemons running as PID 1 cannot be cored on-demand
Links to More Info: BT1365977
Component: F5OS-A
Symptoms:
- kill -QUIT (or any other core-producing signal) to a container process running as PID 1 does not cause a core file.
- Actual runtime errors do generate cores as expected.
Conditions:
Containers that run their services directly as PID 1.
Impact:
Not possible to force a core file for diagnostic purposes.
Workaround:
None
1359277-2 : ConfD CLI timed out and subsequently sees Error: application communication failure
Links to More Info: BT1359277
Component: F5OS-A
Symptoms:
CLI times out if the respective action is not completed within the specified time interval.
Conditions:
The action to perform takes more time than the specified timeout interval.
Impact:
Unable to perform ConfD action.
Workaround:
The respective container can be restarted or a system reboot can be performed.
1354341-3 : Changing a VLAN from trunked (tagged) to native (untagged) on a LAG in a single transaction can cause traffic outage
Links to More Info: BT1354341
Component: F5OS-A
Symptoms:
Traffic outage after changing a VLAN assigned to a LAG from Trunk to Native in a single commit.
Conditions:
Changing a VLAN assigned to a LAG from Trunk to Native in a single commit.
Impact:
Traffic outage.
Workaround:
First remove the Trunk VLAN from the LAG, then commit the change. Then add the Native VLAN to the LAG and commit the change.
1352353-4 : Remove integrity-check configurable option from CLI
Links to More Info: BT1352353
Component: F5OS-A
Symptoms:
In F5OS systems, root and admin users are allowed to toggle the integrity-check option from the CLI. When in FIPS mode, integrity-check should always execute on system startup and when demanded. Since the integrity-check option is configurable, users can disable it which puts the integrity of the system at risk.
Conditions:
The configurable integrity-check option is visible when the device is in FIPS mode.
Impact:
An admin or root user could access the CLI and disable integrity-check. This could allow files and packages to be replaced, which could impact the integrity of the system.
Workaround:
N/A
1346873-1 : Timezone configuration logs "Timezone is invalid" warning
Links to More Info: BT1346873
Component: F5OS-A
Symptoms:
The system logs a warning 'Timezone is invalid' when the timezone is configured.
Ex:
2023-08-14T03:50:38.263725-04:00 appliance-1 platform-mgr[17]: priority="Warn" version=1.0 msgid=0x104000000000043 msg="Timezone is invalid" ZONE="America/Los_Angeles".
Conditions:
When the system timezone is changed.
Impact:
No known functional impact; the timezone is updated on the system.
Workaround:
None
1345721-1 : The "show system state boot-time" command does not display any entry
Links to More Info: BT1345721
Component: F5OS-A
Symptoms:
The "show system state boot-time" command does not work properly.
r10900-2# show system state boot-time
% No entries found.
Conditions:
N/A
Impact:
r10900-2# show system state boot-time
% No entries found.
Workaround:
This command is disabled in F5OS-C 1.6.0; it must be disabled in F5OS-A as well.
1341701-2 : Unable to launch tenant, as VF interface is getting incorrect name while attaching to tenant.
Links to More Info: BT1341701
Component: F5OS-A
Symptoms:
On r2x00/r4x00 related systems, tenant launch fails with an error in ConfD tenant status leaf:
"[default/virt-launcher-bip1-1-9sblf:sriov-net3-bip1]: error adding container to network "sriov-net3-bip1": failed to set up pod interface "net7" from the device "x557_4": failed to set netlink MAC address to 00:94:a1:db:bd:0c: resource temporarily unavailable"
Linux network manager udev rules and sriov CNI both try to access the VF and change the interface name of the VF. During this process, the VFs fail and cannot be retrieved, so the "resource temporarily unavailable" error occurs.
Conditions:
On r4x00 or r2x00 based systems:
1. In kubectl get pods -A output, the tenant pod goes into Init:0/1 state.
default virt-launcher-bip1-1-t6rkh 0/1 Init:0/1 0 36s
2. And in kubectl events, "resource temporarily unavailable" occurs on one of the VFs.
3. The VF interfaces shown below are not visible in the /sys/class/net folder. Instead, some interfaces point to ensp* names, which are wrong.
The expected result is as follows:
[root@appliance-1 ~]# ls /sys/class/net
apigw-dummy-1 lcd sfp_7 sfp_p6v0503 veth0c09f23b veth6cec172f vethea3619d5 x557_p1v1100 x557_p3v1902
br_appliancenet lcd-intf sfp_8 sfp_p7v0900 veth2765115 veth80370796 vetheccdd5fb x557_p1v1101 x557_p3v1903
cni0 lo sfp_p5v0100 sfp_p7v0901 veth3f32fd86 veth82a8440b vethf4081a48 x557_p1v1103 x557_p4v1d00
default-intf mgmt sfp_p5v0101 sfp_p7v0903 veth4ab82fc6 veth8cda0b4d x557_1 x557_p2v1500 x557_p4v1d01
docker0 mgmt0-system sfp_p5v0102 sfp_p8v0d01 veth50d18b0 veth9e8b2e8c x557_2 x557_p2v1502 x557_p4v1d02
dummy0 sfp_5 sfp_p6v0500 sfp_p8v0d02 veth5fe12ffd vethac6590f8 x557_3 x557_p2v1503
flannel.1 sfp_6 sfp_p6v0502 sfp_p8v0d03 veth64783052 vethb688f03e x557_4 x557_p3v1901
Impact:
Tenant launch is unsuccessful, and it is not possible to connect to the tenant console or the tenant's management connection.
Workaround:
1. Move the tenant to the configured state.
2. Remove the ice driver using this command:
"rmmod /lib/modules/3.10.0-1160.71.1.F5.Sf602ce82.el7_8.x86_64/updates/drivers/net/ethernet/intel/ice/ice.ko"
3. Remove the iavf driver using this command:
"rmmod /lib/modules/3.10.0-1160.71.1.F5.Sf602ce82.el7_8.x86_64/updates/drivers/net/ethernet/intel/iavf/iavf.ko"
4. Run the config_ice_vfs.sh script present in the /usr/omd/scripts/ folder using "sh /usr/omd/scripts/config_ice_vfs.sh".
5. Move the tenant to the running state and, after some time, check the running state of the tenant.
1330797-3 : Interfaces removed from LACP trunk due to traffic congestion
Links to More Info: BT1330797
Component: F5OS-A
Symptoms:
Interfaces repeatedly removed and added to a LACP LAG due to dropped LACP PDUs.
Conditions:
High traffic volume resulting in weighted-random-early-drop (WRED) being invoked.
Impact:
LACP PDUs dropped resulting in loss of LACP state.
Workaround:
Reboot affected blade.
1330793-3 : Interfaces removed from LACP trunk due to traffic congestion
Links to More Info: BT1330793
Component: F5OS-A
Symptoms:
Interfaces repeatedly removed and added to a LACP LAG due to dropped LACP PDUs.
Conditions:
High traffic volume resulting in weighted-random-early-drop (WRED) being invoked.
Impact:
LACP PDUs dropped resulting in loss of LACP state.
Workaround:
Reboot affected blade.
1330273-2 : When MAC masquerade is enabled on r5k/r10k/r12k systems with a live upgrade, an FDB entry is seen on Active and Standby
Links to More Info: BT1330273
Component: F5OS-A
Symptoms:
When a MAC masquerade address is configured on BIG-IP in R5K/R10K/R12K based systems and a live upgrade of F5OS is done, an FDB entry can be seen in both Active F5OS appliance as well as Standby:
f5-appliance-active# show fdb
NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:cd:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
f5-appliance-standby# show fdb
NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:ee:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -
Conditions:
On r5k/r10K/r12K systems where BIG-IP is configured in HA mode, a MAC masquerade address is configured, and F5OS is upgraded.
Impact:
Active and Standby act as if they are the owners of Floating MAC and IP.
Workaround:
On the Standby system, remove the FDB entry from ConfD.
f5-appliance-standby# show fdb
NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:cd:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
02:94:a1:ab:cd:ee 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2b - 4095 9 - - - - 1 - -
f5-appliance-standby(config)# no fdb mac-table entries entry 02:94:a1:ab:cd:ee 3920 tag_type_vid
f5-appliance-standby(config)# comm
Commit complete.
f5-appliance-standby# show fdb
NDI
MAC ADDRESS VLAN TAG TYPE VLAN TAG TYPE VID ENTRY TYPE OWNER AGE ID SVC VTC SEP DMS DID CMDS MIRRORING INTERFACE
-----------------------------------------------------------------------------------------------------------------------------------------------------
00:94:a1:ab:ee:ef 3920 tag_type_vid 3920 tag_type_vid 3920 L2-LISTENER vm2a - 4095 9 - - - - 1 - -
1325893-3 : A vqf-dm system software core file is occasionally observed on system reboot
Component: F5OS-A
Symptoms:
The line-dma-agent or vqf-dm occasionally hits a cosmetic failure state as the entire system is rebooting, with no effect on the state of the system.
Conditions:
Traffic is being sent to a tenant while rebooting, and the tcp-dump-daemon system software is not shut down before the line-dma-agent.
Impact:
A core file is observed on the system after the system finishes rebooting.
Workaround:
N/A
1322685-1 : Tcpdump sessions are terminated when interfaces are enabled or disabled.
Links to More Info: BT1322685
Component: F5OS-A
Symptoms:
All tcpdump sessions terminate abruptly when an administrator enables or disables an interface on the system, even if the interface is not participating in the tcpdump session.
Conditions:
When an administrator enables or disables an interface on the system.
Impact:
All the current running tcpdump sessions are terminated and have to be restarted.
Workaround:
Do not make modifications to interfaces when the tcpdump sessions are active.
1319573 : BIG-IP tenants created before F5OS-A 1.3.0 may be allocated a smaller disk than required
Component: F5OS-A
Symptoms:
If the BIG-IP tenant is created before F5OS-A 1.3.0 with default storage size, the displayed size values in "show tenants tenant" are not correct. They will be displayed as "0".
Conditions:
Happens when the BIG-IP tenant is created before F5OS-A 1.3.0 with default storage size and upgrades to F5OS-A 1.5.1 (or a later version).
Impact:
No effect on BIG-IP tenant's functionality.
Workaround:
From F5OS-A 1.4.0, the user does not need to adjust the size unless the user needs a bigger size.
The right/minimum size will be auto-allocated when the state is changed.
1315261 : QAT devices not populated in ConfD
Component: F5OS-A
Symptoms:
When the tenants are deployed before a live upgrade, sometimes the tenant's QAT devices are not updated in the ConfD table after the upgrade. Hence the show command to list QAT devices does not display the devices. All other functionality is intact.
Conditions:
Tenant is deployed before a live upgrade.
Impact:
The below ConfD show command does not display the QAT devices allocated to the tenant.
show cluster nodes node node-1 state cryptos tenants tenant
1314169-4 : Tenant service-id mismatch between fdb mac-table and service-instance entries
Links to More Info: BT1314169
Component: F5OS-A
Symptoms:
The tenant service-instance IDs do not match the fdb mac-table service-ids. This happens when the system attempts to read a field that does not exist in the /services table.
Conditions:
Configuring tenants on F5OS-A.
Impact:
Fails to add all the additional services of a tenant to the service instance.
Workaround:
No workaround exists for older F5OS releases. Upgrade to F5OS-A 1.6.0 or later.
1306197-2 : The "show system image" command is taking more time than expected to display the output
Links to More Info: BT1306197
Component: F5OS-A
Symptoms:
The "show system image" command is taking more time than expected to display the output.
Conditions:
Execute the "show system image" command. Check for the CLI output.
Impact:
Degraded user experience when executing the "show system image" command.
1293245 : During upgrade/downgrade, VM failed to come up and remained in pending state
Links to More Info: BT1293245
Component: F5OS-A
Symptoms:
The VM went to a pending state in a series of multiple F5OS live upgrades/downgrades.
Conditions:
Intermittently on multiple F5OS live upgrades/downgrades.
Impact:
VM status shows pending.
Workaround:
Move the VM to the configured state and re-deploy it.
1293013-1 : "show components component storage state disks disk state" is not auto populating
Links to More Info: BT1293013
Component: F5OS-A
Symptoms:
The "show components component storage state disks disk state" command does not show data.
However, state data is shown by the command “show components component storage state”.
Conditions:
N/A
Impact:
No functional impact.
Workaround:
“show components component storage state” can be used for displaying state data.
1292541 : Loading saved configuration on BIG-IP fails if host modifications are made after "tmsh save sys config" on R2800/R4800 platforms
Component: F5OS-A
Symptoms:
Loading a saved configuration on a BIG-IP tenant running on R2800/R4800 fails when the host has a different configuration from what is being loaded on the tenant.
It fails with an error message similar to the following:
01070257:3: Requested VLAN member (1.5) is currently a trunk member
Unexpected Error: Loading configuration process failed.
Conditions:
-- rSeries 4x00 or R2x00 platform
-- Configuration is backed up using tmsh
-- A change is made to one or more VLANs, interfaces, trunks, or type of VLANs on the host
-- The BIG-IP system loads the configuration
Impact:
Configuration load fails, which puts TMM into an inoperative state.
Workaround:
When the tenant is in an inoperative state because of this issue, the steps below help in recovering the system:
1. Revert the configuration on the platform related to the VLANs attached to the tenant that moved to the INOPERATIVE state.
2. Check that the reverted configuration is loaded in the tenant.
3. Restart the mcpd service or reboot the tenant to bring the tenant back to the active state.
4. Once the tenant is back in the active state, save the config using "save sys config".
5. Subsequent reboots will no longer put the tenant into the INOPERATIVE state.
1291353-1 : LCD application does not update if appliance is power-cycled during firmware update
Links to More Info: BT1291353
Component: F5OS-A
Symptoms:
After an OS update, an automatic firmware update runs and attempts to update all necessary firmware images. If the appliance is power-cycled or rebooted while the LCD application is being updated, the LCD update can fail and the system will report the old firmware version.
Conditions:
The OS is updated and an LCD firmware update is required. During that update, the appliance is rebooted or power-cycled, causing the LCD application update not to complete.
Impact:
The LCD application has not been updated and needs to be updated to get the latest features and bug fixes.
Workaround:
After verifying that the automatic firmware update process is complete, wait at least 5 minutes, look at the file /var/F5/system/AFU_COMPLETE, look for "AFU_STATUS: FWU_DONE", restart the system allowing automatic firmware to restart, and reprogram the LCD.
1291305-1 : LACP Mode is passive for a static trunk in tenants running r2800/r4800 platforms
Links to More Info: BT1291305
Component: F5OS-A
Symptoms:
LACP Mode set to active or passive mode causes a LAG to participate in negotiation whereas a static LAG configuration does not participate in negotiation. Hence lacp-mode does not make sense for static LAG interfaces.
Conditions:
When a static LAG is created on a platform, and a tenant is launched with a VLAN to which the static LAG interface is associated.
Impact:
An LACPd daemon runs on R2800/R4800 platforms and is responsible for running the LACP protocol; the tenant does not depend on LACP mode configurations, so there is no impact. This is a display issue: showing the LACP mode as passive for a static LAG interface may be confusing.
Workaround:
There is no workaround for this behavior.
1289929-1 : Tenants fail to come up due to abrupt power cycle
Links to More Info: BT1289929
Component: F5OS-A
Symptoms:
The helper task terminates instantly due to glibc rpm corruption. The abrupt reboot has caused corruption in the container DB.
Conditions:
Abrupt power cycle during AFU Update.
Impact:
Tenant.
Workaround:
Uninstall and reinstall the K3S cluster.
1288965-1 : Downgrade/upgrade issues are seen because ISO has special characters in the file name★
Component: F5OS-A
Symptoms:
If an F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , \') is imported, and the system is downgraded/upgraded to that version, it can result in the upgrade failing and the ISO being automatically removed.
Conditions:
1. Download and import an ISO with a 'special character' in its name, ex. 'F5OS-A-1.5.0-*.iso'.
2. Attempt an upgrade to the imported ISO version.
3. Upgrade will fail.
Impact:
An upgrade to a version of software marked as successfully imported can fail unexpectedly, requiring manual intervention to recover the system.
Workaround:
1. Before performing a platform software upgrade, compare the versions referenced by the "show system image" ConfD CLI command with the names of the files present in the "/var/import/staging" directory.
If the ISO is not present in /var/import/staging but is shown in the "show system image" command output, import it again to "/var/import/staging".
2. If any ISO file with a name containing a special character is present in "/var/import/staging", remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt the upgrade.
3. To remove an ISO file with a name containing special characters, use the command below.
appliance-1(config)# system image remove iso <iso version>
4. If the above command fails or cannot be used, follow the procedure below to delete the image.
* Log in to the device as root.
* chattr -i "/var/import/staging/<iso with special characters>"
* rm -rf "/var/import/staging/<iso with special characters>"
If a downgrade or upgrade failure has already happened because of this issue, follow these steps to recover the system:
1. Download another copy of the ISO with a proper name to /var/import/staging.
2. Wait five minutes for it to import. If ConfD is unavailable, you can check the logs in /var/log/sw-mgmt.debug for the import status.
3. Once the import is complete, reboot the system. This should recover the system.
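The filename check from steps 1 and 2 of the workaround above can be scripted. This is an added example, not F5 code: it lists the ISO files in the staging directory whose names contain any of the special characters listed in the symptoms. The function names are hypothetical; /var/import/staging is the path given above.

```shell
#!/bin/sh
# Added example, not F5 code: flag ISO files in the F5OS import staging
# directory whose names contain a character listed in issue 1288965-1.
# Function names are hypothetical.

# Succeeds (returns 0) when the name contains one of: + * ? ^ $ ( ) [ ] { } | \
# Every character is quoted so the shell matches it literally, not as a glob.
has_special_char() {
    case "$1" in
        *'+'*|*'*'*|*'?'*|*'^'*|*'$'*|*'('*|*')'*) return 0 ;;
        *'['*|*']'*|*'{'*|*'}'*|*'|'*|*'\'*)       return 0 ;;
        *) return 1 ;;
    esac
}

# Print, one per line, each *.iso file name in directory $1 that contains a
# listed character. Prints nothing when every name is safe.
list_risky_isos() {
    staging_dir=$1
    for iso_path in "$staging_dir"/*.iso; do
        [ -e "$iso_path" ] || continue   # the glob matched no file
        iso_name=${iso_path##*/}
        if has_special_char "$iso_name"; then
            printf '%s\n' "$iso_name"
        fi
    done
}

# Succeeds only when no risky name is present, so an upgrade pre-check can
# stop before the upgrade is attempted.
staging_is_clean() {
    [ -z "$(list_risky_isos "$1")" ]
}

# Default to the staging path named in the workaround; pass another
# directory as the first argument to check a copy elsewhere.
list_risky_isos "${1:-/var/import/staging}"
```

Any name it prints is a candidate for step 2: remove that version and re-import the ISO under a name without those characters.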
1288897-1 : Allowed IP rule name, which contains all underscores, will be deleted while upgrading to F5OS-A 1.7.0 and later versions
Links to More Info: BT1288897
Component: F5OS-A
Symptoms:
Customers are able to create an allowed-ip rule with a name consisting entirely of underscores, hyphens, or dots, which is not readable.
Conditions:
Creating an allowed-ip rule with a name that contains only allowed special characters.
Impact:
An allowed-ip rule with a name containing only underscores, hyphens, or dots will be deleted during upgrade.
Workaround:
Before upgrading to F5OS-A 1.7.0 or later versions, customers must rename any allowed-ip rule whose name contains only special characters to a name containing at least one alphanumeric character.
1287993-1 : Incorrect PSU mismatch indication for two Murata M1845 PSUs operating at different AC input voltages
Links to More Info: BT1287993
Component: F5OS-A
Symptoms:
If two Murata M1845 AC PSUs are installed in the system and one is operating with an AC input at or above 100V and the second is operating with an AC input below 100V, then an incorrect PSU mismatch condition may occur.
Use the F5OS command "show components" to view voltage details for the PSUs.
Conditions:
Two Murata M1845 AC PSUs, one with an AC input at or above 100V and the other with an AC input below 100V.
Impact:
An incorrect "PSU mismatch" condition may occur.
Workaround:
Ensure both Murata M1845 AC PSUs have input voltage at or above 100V or below 100V.
1285997-1 : LLDP is allowed to configure on interfaces when virtual wire is enabled
Component: F5OS-A
Symptoms:
LLDP can be configured on interfaces even though virtual wire is enabled.
Conditions:
1) Enable virtual wire on interface.
2) Attach interfaces to a lag.
3) Enable LLDP on the interfaces.
Impact:
When virtual wire is enabled, BIG-IP will function in transparent mode and is not expected to see interfaces on either side.
With this issue, F5 interfaces will be visible when LLDP is enabled.
Workaround:
Do not configure LLDP on the interfaces when virtual wire is enabled.
1284681 : IPv6 connections made through port 80 fail
Links to More Info: BT1284681
Component: F5OS-A
Symptoms:
IPv6 connections made through port 80 are failing as there are no NAT rules present for port 80.
Conditions:
Issue is observed in all conditions.
Impact:
IPv6 connections through port 80 will fail.
Workaround:
N/A
1282493-1 : Crypto devices are not released after tenants are deleted
Component: F5OS-A
Symptoms:
Deleting the tenants does not release the crypto devices that were allocated to those tenants while creating them.
Conditions:
When a software upgrade was initiated incorrectly such as:
1. Upgrading only OS version
2. Upgrading only Service version
Impact:
Crypto device behavior will be unexpected.
Workaround:
Always upgrade the software with an ISO that contains the correct OS and services combination.
1280833 : The error message is not correct when enabling client-cert (Client Certificate Authentication) before setting verify-client (Client Certificate Verification) to true
Links to More Info: BT1280833
Component: F5OS-A
Symptoms:
An error on the ConfD CLI occurs when the user tries to enable Client Certificate Authentication before setting Client Certificate Verification to true. The error message given by this condition is not correct.
Conditions:
- User trying to enable Client Certificate Authentication when Client Certificate Verification is set to false.
Impact:
Due to the incorrect error message, the user is not able to enable Client Certificate Authentication.
Workaround:
N/A
1280441-1 : When no parameter is given for 'system aaa tls create-self-signed-cert', encrypted key-type does not ask for passphrase
Links to More Info: BT1280441
Component: F5OS-A
Symptoms:
When requesting a self-signed-cert, if the key-type is encrypted, then a passphrase is required. However, if no parameters are supplied, the key-type is then requested as a mandatory parameter, but won't ask for passphrase if encrypted type is selected.
Conditions:
No parameters passed to the config: system aaa tls create-self-signed-cert.
Impact:
An error indicates that the passphrase wasn't supplied, but it never was asked for in these conditions.
Workaround:
Specify key-type as a parameter and then if encrypted, the passphrase will be requested.
1273221-2 : On rSeries FIPS system, operations which involve reboot, might result in FIPS device failure state
Links to More Info: BT1273221
Component: F5OS-A
Symptoms:
After reboot of the F5OS-A rSeries system in any operations (for example, live upgrade, reboot), FIPS HSM card might not become operational, and tenants that were running earlier might not come into a running state. This is due to the handshake failure between the liquid security driver and the HSM card. The driver gets stuck in SAFE_STATE instead of coming into SECURE_OPERATIONAL_STATE.
The driver state can be checked with the below command on the host system.
[root@appliance-1 ~]# cat /proc/cavium_n3fips/driver_state
HSM 0:SECURE_OPERATIONAL_STATE
[root@appliance-1 ~]#
Conditions:
The issue might occur in a live software upgrade or any situation that involves a reboot of the rSeries FIPS system with F5OS-A.
The logs below will be observed in dmesg repeatedly for every retry of the handshake between the driver and the HSM card.
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION
Impact:
The FIPS HSM is not operational in the system, so FIPS tenants deployed on the F5OS rSeries host do not work as expected. They do not change to a RUNNING state.
Workaround:
As the driver is stuck in "HSM 0:SAFE_STATE", a power reboot will resolve the issue.
Below are the steps to follow:
1. Power off
2. Wait for 5 minutes
3. Power on
1273013-2 : Five percent (5%) deviation can be observed in TPS performance on R10920 and R5920 tenant
Component: F5OS-A
Symptoms:
On R10920 and R5920 tenants, TPS performance degradation of up to 5% may be observed.
Conditions:
When the R10920 and R5920 tenant is deployed.
Impact:
TPS performance may be degraded by 5%.
Workaround:
N/A
1253717-3 : iavf driver crashes intermittently on r2000 or r4000 systems during system reboot
Links to More Info: BT1253717
Component: F5OS-A
Symptoms:
When the r2000/r4000 system goes down during reboot, a crash of iavf driver is seen on the system console intermittently. This crash occurs due to multiple calls to the same function that releases the network devices inside iavf driver code.
Conditions:
Occurs intermittently on r2000/r4000 systems that use iavf drivers to manage datapath network devices/ports when the system is rebooting.
Impact:
No functional impact.
Workaround:
N/A
1249873-2 : sPVA hardware offload not working correctly on r10k
Links to More Info: BT1249873
Component: F5OS-A
Symptoms:
The DOS attack traffic is distributed unevenly on different TMMs, and some DOS attack traffic is not handed off to hardware due to a misconfigured DOS group.
Conditions:
Any DOS vector traffic going through the r10k device
Impact:
Reduced performance for DOS attack and hardware offload is not active.
Workaround:
No workaround exists for older F5OS releases. Upgrade to F5OS-A 1.6.0 or any later F5OS version.
1231889-2 : Deleting default VLANs and creating them in a partition other than common partition is not supported on BIG-IP tenants running on R2800/R4800 platforms
Links to More Info: BT1231889
Component: F5OS-A
Symptoms:
VLANs created upon BIG-IP tenant bring-up are considered to be default VLANs and they are not supposed to be deleted and created in a different partition other than the common partition. When a VLAN that is in the common partition is deleted and created in a different partition, the subsequent default VLANs will not have a default VLAN-member associated to it.
Conditions:
When VLANs created upon tenant bring-up are deleted and created in different partitions other than the common partition.
Impact:
Partitions other than the common partition cannot have default VLANs. VLANs created in other partitions will not be operational in the data path.
Workaround:
After moving a VLAN from the common partition to another partition, create the VLAN-member for the default VLANs pushed from the platform.
1231609-2 : exclude-cores "true" option still includes the core files in webUI/CLI
Links to More Info: BT1231609
Component: F5OS-A
Symptoms:
Collecting a QKView with "exclude-cores true" results in a QKView that still has core files in it.
Conditions:
If a QKView is collected with the "exclude-cores true" option.
Impact:
Core files are not excluded from the QKView file.
Workaround:
There is no workaround, as core files are always included regardless of the option.
1213185-3 : ISO file not copied during clean install from USB DVD/CD-ROM device★
Links to More Info: BT1213185
Component: F5OS-A
Symptoms:
ISO file is not copied over to /var/import/staging during a clean install with DVD devices.
Conditions:
Clean install with DVD devices.
Impact:
ISO file not copied to /var/import/staging and importing any other image will cause problems with further upgrades or downgrades.
Workaround:
Explicitly copy the ISO file that was used for the clean installation to /var/import/staging on the device.
1211853-3 : Hardware offload features may affect packets destined for unrelated tenants
Links to More Info: BT1211853
Component: F5OS-A
Symptoms:
When a tenant requests that hardware assist be enabled for an L4 connection, syn cookie protection, DDoS protection, or allowlist/denylist, it is possible that packets destined for other tenants on the same VLAN will be affected by the hardware assist entry.
Conditions:
Hardware assist must have been activated for a specific flow or DDoS profile, and packets must be present for unrelated tenants that are on the same VLAN and contain the same IP destination and/or IP source address as the hardware assist activation.
Impact:
Packets destined for unrelated tenants may receive unexpected handling as a result of hardware assist matching those packets. For example, packets for an unrelated tenant on the same VLAN might be unexpectedly dropped if they have the same IP destination address as the activated DDoS hardware assist.
Workaround:
Ensure that tenants all use unique VLANs or that tenants that share a VLAN use unique IP source/destination addresses for their traffic.
1211233 : F5OS dashboard in webUI displays the system root file system usage, not the entire disk
Links to More Info: BT1211233
Component: F5OS-A
Symptoms:
The Dashboard page displays disk usage information that can be misleading.
For example, on an r5900 the following information may be shown:
Storage Capacity: 109.4GB
System Storage Free: 89.1GB
System Storage Used: 15%
However, the storage capacity is a value taken from the root (/) filesystem. It does not represent the entire 800GB disk, and does not show information about the file systems where tenant images reside.
Conditions:
View Dashboard page in webUI.
Impact:
This is a cosmetic issue.
Workaround:
Linux commands such as "df -hl -t ext4" will provide detailed information about disk usage.
Another breakdown of the disk partition use can also be seen using "lsblk /dev/nvme0n1". Note that nvme0n1 is the physical disk of interest.
Example from rSeries appliance:
# lsblk /dev/nvme0n1
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1 259:0 0 683.5G 0 disk
|-nvme0n1p1 259:1 0 1G 0 part /boot/efi
|-nvme0n1p2 259:2 0 1G 0 part /boot
|-nvme0n1p3 259:3 0 455.3G 0 part
| `-partition_tenant-root 253:2 0 455.3G 0 lvm /var/F5/system/cbip-disks
|-nvme0n1p4 259:4 0 113.9G 0 part
| `-vdo_vol 253:3 0 227.7G 0 vdo
| `-partition_image-export_chassis 253:4 0 227.7G 0 lvm /var/export/chassis
1210577-2 : Supportability: the confd_cmd utility is now included in the system controller container
Links to More Info: BT1210577
Component: F5OS-A
Symptoms:
Occasionally F5 Support might ask for confd_cmd commands to be run. This fix makes the confd_cmd utility easier to access.
Conditions:
Running F5OS. A request from F5 Support to run confd_cmd.
Impact:
It is difficult to run confd_cmd commands for troubleshooting purposes.
1209077-2 : Unable to remove unused ISOs or services if used by openshift
Links to More Info: BT1209077
Component: F5OS-A
Symptoms:
Even if an imported version of a controller service says it is not in use in ConfD, it is possible under certain conditions for Openshift to still depend on that version of services. In such cases, it will not be possible to remove that version of services until Openshift is re-installed.
Conditions:
Openshift was rebuilt on a version of the controller OS earlier than 1.5.0, and user attempts to remove services that openshift relies on after rebuild.
Impact:
Unable to remove some ISOs and services that indicate they are unused.
Workaround:
Rebuild openshift cluster.
1196005-2 : K3S pods version is shown incorrect★
Links to More Info: BT1196005
Component: F5OS-A
Symptoms:
In rSeries r4000 and r2000 devices with v1.1.1, all K3S services have an incorrect tag (string 'message') instead of the actual number, due to an unknown issue with the docker registry at that time.
Conditions:
Live upgrade.
Impact:
Tenant deployment fails.
Workaround:
Live upgrade to the release after 1.2.0.
1188105-1 : K3SClusterUpgrade status shown as Done before cluster pods running up on appliance
Links to More Info: BT1188105
Component: F5OS-A
Symptoms:
When an appliance upgrades K3S (lightweight Kubernetes) to a newer version, the K3S Cluster Upgrade status goes to the Done state before the cluster pods are up and running.
Conditions:
When an upgrade of the K3S cluster is triggered, the cluster upgrade status is updated in ConfD before the cluster pods are brought up.
Impact:
No functional impact, but the information published can be misleading.
Workaround:
Along with the K3sClusterupdate status, also check the cluster pod status to see whether the cluster came up properly.
1186597-1 : K3S install status in F5OS ConfD is improved
Links to More Info: BT1186597
Component: F5OS-A
Symptoms:
K3S install status is not showing the actual cluster install status.
Conditions:
The issue is seen during Cluster deployment.
Impact:
Actual K3S install status is not reflected in "show cluster install-status" CLI.
Workaround:
"kubectl get pods -A" can be used to check the pod status.
1184513-1 : F5OS audit log reports duration values in microseconds, using "ms" abbreviation
Links to More Info: BT1184513
Component: F5OS-A
Symptoms:
The F5OS audit log reports the duration of some calls that occur through RESTCONF. These duration values use an "ms" unit, which in this case stands for microseconds, not milliseconds.
For example:
<INFO> 23-Aug-2022::18:28:00.602 appliance-1 confd[106]: audit user: netsupport/7502531 RESTCONF: response with http: HTTP/1.1 /restconf/data//openconfig-system:system/f5-system-image:image/remove 400 duration 122160290 ms
This operation took ~122 seconds, not ~1.4 days.
Conditions:
Using the F5OS audit log.
Impact:
Difficult to interpret audit log.
Workaround:
Interpret the duration values as being in microseconds, not milliseconds.
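The following Python sketch is an added example, not F5 code: it parses RESTCONF audit lines of the shape shown above, treats the "ms" value as microseconds, and lists calls slower than a threshold. The first sample line is the one from this page; the other two are constructed, and reading the number after the user name as a session id is an assumption.

```python
import re
from datetime import timedelta

# Matches the RESTCONF response lines of the F5OS audit log as shown on this page.
AUDIT_RE = re.compile(
    r"audit user: (?P<user>[^/\s]+)/(?P<session_id>\d+) "   # number assumed to be a session id
    r"RESTCONF: response with http: HTTP/\S+ (?P<path>\S+) "
    r"(?P<status>\d{3}) duration (?P<raw>\d+) ms\s*$"
)

PAGE_SAMPLE = (
    "<INFO> 23-Aug-2022::18:28:00.602 appliance-1 confd[106]: audit user: "
    "netsupport/7502531 RESTCONF: response with http: HTTP/1.1 "
    "/restconf/data//openconfig-system:system/f5-system-image:image/remove "
    "400 duration 122160290 ms"
)

# Constructed lines (not from a real system): a fast call and a non-RESTCONF record.
CONSTRUCTED_LINES = [
    "<INFO> 23-Aug-2022::18:29:10.114 appliance-1 confd[106]: audit user: "
    "admin/7502544 RESTCONF: response with http: HTTP/1.1 "
    "/restconf/data/openconfig-system:system/dns 200 duration 48213 ms",
    "<INFO> 23-Aug-2022::18:29:11.002 appliance-1 confd[106]: audit user: "
    "admin/7502544 terminated session (reason: normal)",
]
ALL_LINES = [PAGE_SAMPLE] + CONSTRUCTED_LINES


def parse_line(line):
    """Return a dict for a RESTCONF response line, or None for any other line."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    raw = int(m.group("raw"))
    return {
        "user": m.group("user"),
        "session_id": int(m.group("session_id")),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "raw": raw,
        # The log labels the unit "ms", but the value is in microseconds.
        "duration": timedelta(microseconds=raw),
    }


def misread_as_milliseconds(record):
    """Duration a reader would get by taking the "ms" label literally."""
    return timedelta(milliseconds=record["raw"])


def slow_calls(lines, threshold_seconds):
    """Parsed RESTCONF calls whose real duration exceeds the threshold."""
    records = (parse_line(line) for line in lines)
    return [r for r in records
            if r is not None and r["duration"].total_seconds() > threshold_seconds]


if __name__ == "__main__":
    for rec in slow_calls(ALL_LINES, threshold_seconds=60):
        wrong_days = misread_as_milliseconds(rec).total_seconds() / 86400
        print(f'{rec["user"]} {rec["status"]} {rec["path"]}: '
              f'{rec["duration"].total_seconds():.1f} s '
              f'(would read as {wrong_days:.1f} days if taken as milliseconds)')
```
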
1184441-2 : VXLAN-GPE and GENEVE tunnel support
Links to More Info: BT1184441
Component: F5OS-A
Symptoms:
VXLAN-GPE and GENEVE tunnel support can cause host-generated UDP frames with destination ports matching system configured destination ports for VXLAN-GPE or GENEVE to be treated as VXLAN-GPE or GENEVE traffic even if the underlying frame is not VXLAN-GPE or GENEVE. Frames fitting this characteristic may have a bad UDP checksum forced onto the frame if the frame fails basic VXLAN-GPE or GENEVE protocol checks.
Conditions:
Administrator configures VXLAN-GPE and/or GENEVE tunnel support.
Impact:
Minimal.
Workaround:
Tunnels are disabled by default. This issue is only observed if tunnels are enabled.
1182605-2 : Boot marker logs do not provide enough information
Links to More Info: BT1182605
Component: F5OS-A
Symptoms:
Boot marker logs should provide version and product information in the log.
Conditions:
After a reboot.
Impact:
It can be difficult to determine which version of VELOS a system was booting into.
1169617-3 : BIG-IP tenant intermittently showing wrong status
Links to More Info: BT1169617
Component: F5OS-A
Symptoms:
Due to the order and data of events received from Kubernetes, TPOB fails to determine the latest status of the BIG-IP tenant and temporarily displays a wrong status.
The wrong status will be auto-corrected.
Conditions:
A tenant recovered from an error state randomly displays a wrong status temporarily and then auto-corrects.
Impact:
Intermittent wrong status displayed with BIG-IP tenants.
Workaround:
N/A
1156005-2 : system-host-config fails to handle order of DNS search path in /etc/resolv.conf
Links to More Info: BT1156005
Component: F5OS-A
Symptoms:
Ordering of DNS search path is not preserved in /etc/resolv.conf.
>Add DNS search path in order A B.
Check /etc/resolv.conf => B A
>Now add DNS search path in order B A.
Check /etc/resolv.conf => B A
Conditions:
On rSeries platforms, user wants to configure DNS search path in alphabetical order.
Impact:
DNS search path is not added in the same order in /etc/resolv.conf.
Workaround:
N/A
1154733-1 : LLDP error on management interface
Links to More Info: BT1154733
Component: F5OS-A
Symptoms:
LLDP on mgmt interface is not supported. When enabled, show lldp command in ConfD CLI will not show any info related to mgmt interface.
Also, when enabled, below log will be displayed:
lldpd[8]: priority="Err" version=1.0 msgid=0x7302000000000021 msg="Failed to get did from interface name." ifname="mgmt"
Conditions:
When LLDP is enabled using ConfD CLI.
Impact:
The system logs an error message every 30 seconds:
lldpd[8]: priority="Err" version=1.0 msgid=0x7302000000000021 msg="Failed to get did from interface name." ifname="mgmt"
Workaround:
None
1144005-2 : TPS drop of ~14% from F5OS-A 1.1.0 and later on r10000 series platforms
Links to More Info: BT1144005
Component: F5OS-A
Symptoms:
A TPS drop of approximately 12-14% was observed when running 512KB L7 HTTP tests on r10000 series platforms.
Increased CPU usage, larger tcp_lro receive packet sizes, and some packet drops were observed when the system was running at full capacity.
Conditions:
Upgrading F5OS-A software version from 1.0.0 to a later software version.
Impact:
If F5OS software is upgraded from F5OS-A 1.0.0 to any later version, including F5OS-A 1.1.0, there will be a maximum drop of 14% in TPS compared with what the device supported in F5OS-A 1.0.0.
Workaround:
No mitigation currently available.
1132605-3 : Copied ISO file does not have the immutable bit set after F5OS USB install
Links to More Info: BT1132605
Component: F5OS-A
Symptoms:
When performing a USB install, F5OS creates the ISO file used for installation under /var/import/staging. Under certain conditions, this newly created ISO file is missing the immutable bit, allowing the file to be potentially modified or deleted while it is in use.
Conditions:
Perform a USB install of F5OS.
Impact:
New ISO file is missing the immutable bit (should show up as an 'i' in the lsattr output).
[root@appliance-1 ~]# lsattr /var/import/staging/
-------------e-- /var/import/staging/F5OS-A-1.1.0-7645.R5R10.iso
This results in risk of the ISO file being deleted or modified while in use.
Workaround:
If the imported ISO file is still present in /var/import/staging, set the immutable bit on it, for example:
chattr +i /var/import/staging/R5R10.1.1.1-9159.iso
If the imported ISO file is missing, that is, because it was deleted or renamed:
1. Put a copy of the ISO file on the rSeries appliance named precisely the same as the original file was, for example:
Copy the ISO file to the rSeries appliance, but name it "R5R10.1.1.1-9159.iso" and put it in /var/import/staging/
2. Set the immutable bit on the file:
chattr +i /var/import/staging/R5R10.1.1.1-9159.iso
3. Reboot the device.
1127393-3 : Error message is not displayed when user configures more than 3 DNS servers in ConfD CLI or webUI
Component: F5OS-A
Symptoms:
When user tries to configure more than 3 DNS server entries in F5OS-A using command "system dns servers server" or from webUI, no error message is displayed. System allows only 3 DNS servers, but user will be allowed to configure more than 3.
Conditions:
Configure DNS server in F5OS-A using ConfD CLI or webUI.
Impact:
No impact. Even though user configures more than 3, system will take only 3 entries.
Workaround:
NA
1126865-3 : F5OS HAL lock up if the LCD module is not responding.
Links to More Info: BT1126865
Component: F5OS-A
Symptoms:
There are rare cases where the LCD module is present, enabled, and its network link is up; however, it does not respond to requests made by the HAL. Ultimately this causes the HAL services to become unresponsive.
Conditions:
There are rare cases where the LCD does not respond to requests from the HAL services. When this happens, the HAL service can get locked up.
Impact:
When this rare event occurs, the HAL becomes unresponsive for other devices in the system, like the AOM for example.
Workaround:
If this occurs, a restart of the HAL services or a reset of the system is required to clear the condition.
1126677-2 : Inconsistencies with time zones displayed in controller and log files
Links to More Info: BT1126677
Component: F5OS-A
Symptoms:
System logs on F5OS systems are logged in a mix of the user's configured time zone (when available: controller/appliance) and UTC, depending on which log file you look at.
Conditions:
If user has a time zone configured that is different from UTC, the logs may show different times for log messages.
Impact:
Troubleshooting and tracing issues can be difficult, as the time zones used in different logs do not match.
Workaround:
N/A
★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade