1496977-1 : Remote GID mappings to F5OS roles are disconnected for TACACS+/RADIUS authentication methods.

Component: F5OS-A

Symptoms:
Remote GID mappings (on a TACACS+ or RADIUS server) to F5OS GIDs/roles are not working correctly. When attempting to configure a remote mapping, it results in the access rejection with a message similar to below:

[root@system ~]# ssh radius_or_tacacs_user@<F5OS system mgmt IP>
Password:
Last login: <date> from <source IP>
No valid role group found in user groups: '9000'
Connection to <mgmt IP> closed.

Conditions:
A remote GID mapping is configured for a role in F5OS and the authentication method used for remote users is RADIUS or TACACS+.

Impact:
Remote users cannot log in to the system.

Workaround:
Configure remote user's GIDs in a way that they correspond to the GIDs in F5OS for the desired role(s). Then, remove any remote GID mappings in the F5OS configuration.

Fix:
Fixed remote GID mapping to F5OS roles for TACACS+/RADIUS authentication methods.

1496837 : User-manager's ConfD socket getting closed.

Links to More Info: BT1496837

Component: F5OS-A

Symptoms:
After repeating the change of network type and device reboot, the device goes into a state where the user-manager is not interacting with ConfD.

Conditions:
- Change remote GID role and check '/etc/gid-map.txt' file if the value is reflected.
- Switch network type and reboot the device.

Repeat the above process until '/etc/gid-map.txt' file is not been updated correctly.

Impact:
Any ConfD configuration change that goes though user-manager fails. This includes any of the user password changes, or remote GID changes.

Workaround:
Rebooting the system will get the correct GID value from the ConfD and update the '/etc/gid-max.txt' file.

Fix:
The user-manager has no reason to use NSS to lookup any PW/group info, as it deals exclusively with the local user database.

Additionally, there is a ZMQ service that belongs in authentication-mgr (which understands remote authentication) that is in the user-manager container. It forces user-manager to use an ‘/etc/resolv.conf’ that can reference remote sources.

If the user-manager trips over a lookup that goes to LDAP (usually a local-db miss), it can be very slow and time out. The ConfD->user-manager channel is sensitive of slow responses, and shuts down subscriber/callpoint handler/daemon that takes over 15 to 30 seconds to respond. When this happens, the user-manager is going to see an EOF on its ConfD sockets.

This fix forces the user-manager to only lookup on local database.

1492621 : Config-restore fails when backup file has expiry-status field for admin or root user

Component: F5OS-A

Symptoms:
For a root or admin user, if the value for Expiry-status in the backup file is not set to enabled, then config-restore fails.

Conditions:
During backup, if the "Expiry-status" value for admin or root user is not set to enabled, then restore fails with the backup.

Impact:
Database config-restore fails.

Workaround:
For admin and root user, comment Expiry-status in the backup file and try to restore.

Fix:
Added NACM rules in ConfD for successful config-restore.

1486697-1 : Configuring Expiry-status of root and admin user should not be allowed.

Links to More Info: BT1486697

Component: F5OS-A

Symptoms:
Expiry-status of root and admin users are allowed to be configured and there is a chance of locking out these users.

Conditions:
This is for root and admin user. If Expiry-status of any user is marked as Locked, that user cannot login to the system.

Impact:
Possibility of default users like root and admin getting locked out.

Workaround:
None

Fix:
Disabled Expiry-status on GUI for admin and root users thus it cannot be configured. The Expiry-status field for these two user will now always display the default value "Enabled".

1469925-1 : Timezone changes are not reflected in the log messages until the hardware is rebooted

Component: F5OS-A

Symptoms:
After configuring timezone, /var/log/messages are logged with old timezone till the hardware is rebooted.

Conditions:
Configure timezone from ConfD and verify /var/log/message.

Impact:
The log messages are logged with old timezone.

Workaround:
After configuring timezone, rebooting the hardware resolves the issue.

Fix:
Added code changes to reflect the new timezone changes in /var/log/messages without rebooting the hardware.

1469385-1 : GUI freezes during LDAP user authentication if no remote GID mapped locally.

Links to More Info: BT1469385

Component: F5OS-A

Symptoms:
The LDAP remote user authentication freezes for a long time (more than a minute).

Conditions:
When trying to authenticate a remote LDAP user through the GUI without mapping any of the remote user GIDs to the F5OS local roles.

Impact:
Authentication freezes for a long period before rejecting the user.

Workaround:
One of the remote GIDs should be mapped to the local F5OS roles.

Fix:
Map the remote GID(s) to the F5OS role(s) to authenticate remote LDAP users successfully.

1466397-2 : LDAP authentication is consuming several minutes to authenticate via GUI and SSH.

Links to More Info: BT1466397

Component: F5OS-A

Symptoms:
LDAP authentication is working fine. However, authentication takes several minutes, which lacks a user-friendly experience.

Conditions:
- Configure LDAP server-group.
- Configure LDAP_ALL as an authentication-method.
- Log in using LDAP user via GUI or SSH.

Impact:
The user is forced to wait for several minutes to get the result of LDAP authentication.

Workaround:
None

Fix:
Removed unnecessary GID lookup to speed up LDAP authentication.

1441505 : iHealth upload client may fail if ConfD database is offline.

Links to More Info: BT1441505

Component: F5OS-A

Symptoms:
If the ConfD service goes offline when migrating primary key, executing the iHealth upload commands (for example, show system diagnostics ihealth), and in the event of performing any other activity, then the iHealth service may generate a core file.

Conditions:
If the ConfD service goes offline when migrating primary key, executing the iHealth upload commands (for example, show system diagnostics ihealth), and in the event of performing any other activity, then the iHealth service may generate a core file.

Impact:
A core file may be generated.

Workaround:
The iHealth client will restart if it cores. Repeat the iHealth commands after the ConfD database is up and running.

Fix:
Hardening is added in the iHealth client to avoid generating a core file in certain events.

1441425-1 : The rSeries appliance log shows "PSU voltage out value < lower limit, value=0".

Component: F5OS-A

Symptoms:
The following message appears in the logs:
66305 psu-1 psu-fault EVENT Network Access "PSU voltage out value < lower limit, value=0" "2023-12-08 09:00:00.900082135 UTC".

Conditions:
The conditions that trigger this issue are unknown at this time.

Impact:
Users see several "PSU voltage out value < lower limit, value=0" logged messages, which could be falsely reported.

Workaround:
None

Fix:
None

1437765 : Restoration of system configuration database may fail if admin user was previously modified

Links to More Info: BT1437765

Component: F5OS-A

Symptoms:
The restoration of the System Configuration Database fails with this error:
appliance-1(config)# system database config-restore name config_database1 proceed yes
Error: access denied
Database config-restore failed.

Conditions:
In F5OS-A 1.5.1, the expiry status of the ‘admin’ user has been modified even before the System Configuration Database is saved and restored on the device that is currently installed after RMA/factory or F5OS clean install.

Impact:
Unable to restore the System Configuration Database.

Workaround:
1. In F5OS-A 1.5.1, it is recommended not to lock or modify the expiry status of the ‘admin’ user on the RMA/factory or clean installed appliance. If modified, enable the user before taking the backup.
2. Edit the System Configuration Database backup file. For the admin and root user, remove the next line which is highlighted by the arrow, then restore the configuration using the modified file:
           <username>admin</username>
           <config>
             <username>admin</username>
             <password><REMOVED></password>
             <last-change>0</last-change>
             <expiry-date>-1</expiry-date>
             <role>admin</role>
             <expiry-status>enabled</expiry-status> <---

1436373 : iHealth upload not supported on F5OS-A

Component: F5OS-A

Symptoms:
The iHealth upload service has changed its authentication schema to OKTA, and requires a Client ID and Client Secret rather than a User ID and Password. Version 1.5.1 (and previous versions) of F5OS-A do not support this authentication schema.

Conditions:
Always

Impact:
Users will not be able to directly upload QKView files to iHealth from the appliance because of change in the authentication schema.

Workaround:
1. Use the file export feature to download the QKView from the appliance to a local PC.
2. Sign on to ihealth.f5.com.
3. Use the upload feature to upload the QKView to the iHealth service.

Fix:
Added Client ID and Client Secret in the iHealth page on webUI. User can upload QKView files to iHealth.

1436153-1 : F5OS upgrades fail when SNMP configuration contains special characters.

Component: F5OS-A

Symptoms:
As part of some security fixes, added a special character restriction in SNMP configuration in F5OS-A 1.5.1. This resulted in an upgrade failure to 1.5.1. If an upgrade to 1.5.1 is successful, the SNMP configuration will get deleted implicitly.

Conditions:
Upgrade to 1.5.1 fails when the SNMP configuration contains any special characters. The restricted special characters are: /*!<>^,/

Impact:
If the user encounters this issue, the system will go to an inaccessible state and require a forced downgrade.

Workaround:
Delete the SNMP configuration (community, target, or user) containing special characters before performing an upgrade to 1.5.1.

Fix:
The special characters in the SNMP configuration do not inject any security issues and can have special characters. Hence, the special characters restriction is removed in F5OS-A 1.5.2 and F5OS-A 1.8.0.

1429721-1 : SCP as non-root user does not report errors correctly for bad/non-existent files.

Component: F5OS-A

Symptoms:
Using SCP to retrieve files from F5OS as "admin" or other non-root users should report a proper error when attempting to access an invalid directory or non-existent file.

Instead, the SCP command does nothing, reports no error, and exits with an on-zero exit status.

Conditions:
Attempt to read a non-existent/inaccessible file via SCP.

Impact:
The user is not informed about the failed SCP operation and the reason for the failure.

Fix:
SCP server software now reports errors the invalid/inaccessible filenames.

1397145-2 : Unable to add blade to Openshift cluster, if VELOS partition root password is expired or locked

Links to More Info: BT1397145

Component: F5OS-A

Symptoms:
If a VELOS partition root password is expired or locked, the system may be unable to add the blade to the Openshift cluster (or manage the cluster).

The "show cluster" command output will report that a blade is reachable ("able to ping"), but will not be able to connect to it ("able to SSH"):

                                                          ABLE ABLE
                                        IN READY TO TO PARTITION
INDEX NAME INSERTED CLUSTER CLUSTER PING SSH STATE LABEL
--------------------------------------------------------------------------------------------------
1 blade-1.chassis.local true false false true false Not In Cluster
2 blade-2.chassis.local true false false true false Not In Cluster
3 blade-3.chassis.local true false false true false Not In Cluster

Conditions:
-- VELOS partition
-- root account in partition is expired or locked

Impact:
- Blade will not join Openshift cluster.
- Unable to deploy Tenants to blade.

Workaround:
Re-enable the root user account for the partition:

system aaa authentication users user root config expiry-status enabled

1393269-1 : Error log: "PINGLOOP Failed to ssh to 127.0.0.1"

Links to More Info: BT1393269

Component: F5OS-A

Symptoms:
"PINGLOOP Failed to ssh to 127.0.0.1" logged in platform.log by Appliance Orchestration Manager.

Conditions:
1. root user locked with expiry status set to "locked".
2. Appliance rebooted after locking root user.

Impact:
Internal processes relying on root user may malfunction.

Workaround:
Avoid locking the root user account by not setting the expiry status to "locked".
Use appliance mode for root user lockdown.

1388945-1 : Fan speed randomly shows as '0'.

Component: F5OS-A

Symptoms:
The fan speed is randomly and incorrectly reported as '0'.

Conditions:
Checking the sensors using GET:bmc/sensors.

Impact:
The fan speed is reported as '0'.

Workaround:
None

Fix:
This issue has been fixed, and the fan speed no longer randomly reports as '0'.

1388745-1 : Large numbers of platform-hal errors logged in platform.log: "Requested Sensor, data, or record not present."

Links to More Info: BT1388745

Component: F5OS-A

Symptoms:
The platform-hal service is intermittently logging a large number of messages similar to the following in platform.log:

appliance-1 platform-hal[8]: priority="Err" msg="Action Error" index=0 message="Requested Sensor, data, or record not present." interface="job-665402" actionKey="GET:lop/pel" jobId=665402

There may be tens of thousands of log messages in some cases.

Conditions:
The conditions that trigger this issue are unknown at this time.

Impact:
The platform.log file becomes filled up with many of these log messages, and they must be filtered out to review the logs effectively.

Workaround:
None

Fix:
None

1388477-2 : Default GID group mapping authorized even when GID mapped to different group ID

Component: F5OS-A

Symptoms:
When a role (group) is mapped to a custom remote group ID (GID), the default GID (e.g. 9000 for admin) is also authorized for the same group.

Conditions:
The admin role (GID 9000), operator role (GID 9001), user role (GID 9002), or the resource-admin role (GID 9003) are assigned non-default GID.

Impact:
Remote users with GIDs 9000, 9001, 9002, or 9003 maintain the default access for their user role.

Workaround:
Do not assign the F5's default admin, operator, and resource admin role IDs (GID) to the remote user groups. These GIDs are 9000, 9001, and 9003 respectively.

For a customer who uses the versions with the issue, if higher privilege user group IDs are anything different from 9000, 9001, and 9003, do not assign 9000, 9001, and 9003 GIDs to any other group in the external directory, and do not assign default F5 role GIDs to any user. The default GIDs 9000, 9001, and 9003 should be entirely unassigned in the directory, or assigned to placeholder groups that are prohibited from user assignment.

See the role GIDs in ConfD CLI with the following command:

show system aaa authentication roles role

See the 'GID' column in the command output and don't assign those GIDs to users.

Fix:
If a remote-GID is configured for a role, the default GID will no longer authenticate for that role.

1379845-1 : CVE-2023-3341:bind: stack exhaustion in control channel code may lead to DoS

Links to More Info: K000137582

1379625-4 : Changing the max-age attribute in password policy is not reflecting immediately

Links to More Info: BT1379625

Component: F5OS-A

Symptoms:
Even after setting max-age value (maximum age, in days, after which password will be expired) less than 7 days, the warning for password expiration is not displaying at the time of next login.

Conditions:
Set max-age attribute to less than 7 (days) and check if password expiration warning is prompted at the time of next login.

Impact:
Password expiration feature is not working as expected.

Workaround:
N/A

Fix:
Fix is provided to sync the max-age value, updated from ConfD CLI, with the user's password expiration attribute in the /etc/shadow on the system.

1378805-4 : Error occurs when changing LAG type for an existing LAG interface on webUI

Links to More Info: BT1378805

Component: F5OS-A

Symptoms:
On the webUI, if a LAG type changes from LACP, an error displays when that LAG type changes back to LACP.

Conditions:
The error occurs when attempting to change the LAG type on an existing LAG interface to a previously used type.

(i.e. Creating a LAG interface with type LACP, changing that type to Static, and then changing it back to LACP)

Impact:
This issue does not affect functionality; however, an unnecessary "Object Already Exist" error pop-up appears.

Workaround:
To avoid the pop-up, change the LAG type to LACP using the CLI in this scenario.

Fix:
Changing the LAG type on an existing LAG interface to a previously used type no longer triggers an error pop-up on the webUI.

1378313-3 : CVE-2020-22218: libssh2: use-of-uninitialized-value in _libssh2_transport_read

Links to More Info: K000138219

1366337-2 : Adding a system raid drive fails after successful removal

Links to More Info: BT1366337

Component: F5OS-A

Symptoms:
If the system is set up using bare-metal installation of 1.5.1 and later versions, the user will not be able to add a SSD after removing an existing SSD from RAID.

Conditions:
The system must have been bare-metal installed using 1.5.1 and later versions.

Impact:
User is unable to remove/add SSD into RAID.

Workaround:
N/A

Fix:
After upgrading to 1.7.0 and later versions, SSD can be added and removed from RAID.

1365985-2 : GID role mapping may not work with secondary GID

Links to More Info: BT1365985

Component: F5OS-A

Symptoms:
When a user in an external authentication system (LDAP, Radius, TACACS) is given a GID for an F5 role, and that GID is a secondary GID, the role assignment may not be discovered. This would result in the inability to access the system or be able to configure the system for that user.

Conditions:
- User in an external authentication system (LDAP, Radius, TACACS)
- GID corresponding to F5 role is a secondary GID (for example, it is not the user's default GID, rather a GID from a group to which the user belongs)

Impact:
Inability to log into the system, or inability to configure the system for the user in question.

Workaround:
The GID for the desired role should be the GID directly mapped to the user in the external authentication system (for example, in LDAP, the gidNumber on the user object should be the F5 role GID), rather than a secondary GID (for example, in LDAP, the gidNumber on a group of which the user is a member).

Fix:
All GID role mappings are properly considered when discovering role assignments for users in external authentication systems.

1365821-2 : Traffic loss of 5-10 seconds after disable/enable of LACP Lag member on r5000/r10000

Links to More Info: BT1365821

Component: F5OS-A

Symptoms:
Disabling and then re-enabling a LACP Lag member can result in traffic loss of up to 10 seconds on r5000/r10000 platforms.

Conditions:
Disable then re-enable LACP Lag member on r5000/r10000 platforms.

Impact:
Traffic loss lasting up to 10 seconds.

Workaround:
N/A

Fix:
Don't hold a mutex while processing the set of links to initialize. Make a copy of the links and release the mutex instead.

1360905-3 : Unexpected log messages in /var/log/boot.log post-integrity recovery

Links to More Info: BT1360905

Component: F5OS-A

Symptoms:
Users may observe the following inappropriate log message in /var/log/boot.log after recovering from integrity failure:

Sep 28 08:45:08 appliance-1 journal: FIPS Integrity Check: This system has been placed in an error state. Try to recover the system using /usr/libexec/ostree_recover utility or reinstall the system. On many devices pressing the escape key followed by '(' key will bring up a menu that allows the system to be restarted.

Conditions:
The integrity failure occurs when the device is in FIPS mode, and a user alters or removes a file, subsequently executing an on-demand integrity test or a boot-up integrity test.

Impact:
There are no noticeable performance issues or anomalies associated with these log messages, and the issue does not affect the overall system performance or user experience. There are no potential risks or security concerns related to the inappropriate log messages.

Workaround:
N/A

Fix:
The code has been modified to provide more user-friendly log messages.

1359897-2 : rSeries link down events can be missed

Links to More Info: BT1359897

Component: F5OS-A

Symptoms:
The rSeries platform can occasionally fail to detect a link going down due to the removal of the cable.

Conditions:
Remove fiber optic cable.

Impact:
Links that are DOWN stay operationally UP. This can lead to erroneous LACP and/or LAG state.

1355277-4 : Incorrect Vlan Listeners when a Static FDB is configured

Links to More Info: BT1355277

Component: F5OS-A

Symptoms:
When a Static FDB is configured on an interface, Vlan Listeners associated with that interface will have an extra Service ID configured for Service ID 1.

Conditions:
A Static FDB is configured on an interface.

Impact:
Extra broadcast traffic will be generated on the system, which could affect performance.

Workaround:
N/A

Fix:
N/A

1352449-7 : iHealth upload is failing with error "certificate signed by unknown authority"

Links to More Info: BT1352449

Component: F5OS-A

Symptoms:
When attempting to use the QKView upload feature, the upload may fail with the message "certificate signed by unknown authority". This is due to a recent change in certificate authority that is inconsistent between F5OS and iHealth.

Conditions:
Always, after mid-September 2023.

Impact:
Unable to upload QKView files to iHealth with a single click.

Workaround:
Users may use the File Export feature to download QKView files to their PCs, and then upload those files to iHealth.

You can find the qkview files in the GUI at System Settings :: File Utilities, then choose "diags/shared" as the base directory, then select "qkview".

Fix:
Certificate authorities used by the iHealth upload feature in F5OS will be updated.

1352421-2 : L2 services (LACP/LLDP) are down on r2000 and r4000 series appliances

Links to More Info: BT1352421

Component: F5OS-A

Symptoms:
LLDP and LACP will appear to be non-functional on the F5OS system.

LLDP/LACP PDUs reach the F5OS system, which can be verified with tcpdump.

Conditions:
-- r2000 and r4000 series appliances.
-- LLDP or LACP is configured.
-- Links are up.

Impact:
L2 protocols fail to negotiate or register inbound data.

Workaround:
Reboot.

1351529-2 : Fixing the log issue stating "UNSUPPORTED STP state" when STP global is configured

Links to More Info: BT1351529

Component: F5OS-A

Symptoms:
A log message appears, stating "UNSUPPORTED STP state" when STP global is configured to RSTP.

Conditions:
Removing the global config (initially set to STP) and setting it to RSTP.

Impact:
Reliable and correct log messages.

Workaround:
NA

1349465-4 : Partition s/w upgrade compatibility check doesn't use correct target version

Links to More Info: BT1349465

Component: F5OS-A

Symptoms:
When performing the partition database compatibility upgrade check (check-version/set-version), the check logic does not always use the correct target version. This potentially can cause the compatibility check to pass, but the actual database upgrade can fail and automatically roll back.

Conditions:
When the target partition version is a patch release (such as 1.5.1, 1.6.1), the compatibility check will use the wrong (base release) version.

Impact:
The check-version/set-version database compatibility check might pass even though the actual upgrade would fail.

Workaround:
Upgrade the controller s/w to version F5OS-C 1.6.1 or later prior to attempting upgrade to a partition patch release.

Fix:
The controller OS services uses the correct partition patch version for the compatibility check.

1338521-2 : Unable to login when accessing F5OS GUI through a network proxy on a port other than 443.

Links to More Info: BT1338521

Component: F5OS-A

Symptoms:
Users are not able to log in to the UI when trying to access F5OS GUI through a network proxy running on a port other than 443.

Conditions:
GUI should be accessed via a network proxy running on a port other than 443.

Impact:
Users are not able to log in to the GUI.

Workaround:
None

Fix:
After the fix, GUI now reads the port along with the hostname from the URL and can use the port in making API calls (including login API calls).

1332997-2 : Device stuck at "unmounting containers" after performing reboot

Component: F5OS-A

Symptoms:
When we open the console session of any tenant on F5OS-A using virtctl console <tenant_name>.

when you reboot the system, during reboot sometimes the system might end up in "unmounting containers"

Conditions:
Open the console session to any of the tenants using virtctl utility and reboot the system.

Impact:
After rebooting, system takes time to fully start up.

Workaround:
Power off and on the system whenever the issue is hit.

Fix:
Fixed the issue related to device stuck at unmounting containers after the reboot.

1332781-4 : A remote user with the same username as the local F5OS user will be granted the local user's roles

Links to More Info: BT1332781

Component: F5OS-A

Symptoms:
If you create a remote user on the RADIUS, TACACS+, or LDAP servers with the same username as a local F5OS user, the remote user will be granted the local user's roles upon authentication.

Conditions:
A remote user is created with the same username as a local user and remote authentication is enabled.

Impact:
Remote user will take the local user's privileges.

Workaround:
Do not create a remote user with the same username as the local user. If you have created already, change the username for either the local user or the remote user.

Fix:
If a remote user is created with the same username as a local user, the remote user's authentication will be rejected. Only the local user will have access to the F5OS system.

1330717-2 : LLDP neighbors are not getting discovered

Links to More Info: BT1330717

Component: F5OS-A

Symptoms:
When a user configures LLDP at one time, the LLDP details will not show up.

Conditions:
Configure LLDP interfaces at one time.

Impact:
The "show lldp" command will not show neighbor details even if the interfaces/ports are connected to a peer switch.

Workaround:
The issue arises when all LLDP interfaces are configured at one time. However, if the LLDP interfaces are disabled and then enabled one by one, the issue is generally not observed.

Fix:
The issue arises when all LLDP interfaces are configured at one time. However, if the LLDP interfaces are disabled and then enabled one by one, the issue is generally not observed.

1329161-3 : In non-FIPS mode, added support for the SSH-RSA host key algorithm

Links to More Info: BT1329161

Component: F5OS-A

Symptoms:
Not able to establish an SSH connection using the SSH-RSA host key algorithm in non-FIPS mode.

Conditions:
Connect to the device from the SSH client using the SSH-RSA host key algorithm in non-FIPS mode.

Impact:
The SSH connection to the device could not be established.

Workaround:
None

Fix:
Added SSH-RSA host key algorithm support in non-FIPS mode.

1328977-1 : Appliance Orchestration Manager fails due to memory corruption

Links to More Info: BT1328977

Component: F5OS-A

Symptoms:
Appliance Orchestration Manager fails, leading to a restart of the docker container. We can observe a core as well.

Conditions:
There are no preconditions. It is happening to memory corruption in the systems. The issue is not consistent.

Impact:
OMD restarts; this will not generally disturb the tenant's functionality.

Workaround:
N/A

Fix:
Fixed the issues related to memory corruptions in the appliance Orchestration Manager.

1328729 : Slow memory leak when processing tenant telemetry

Links to More Info: BT1328729

Component: F5OS-A

Symptoms:
The system will eventually run out of memory. Up until the point of service restart, the memory utilization will negatively impact running tenants, causing potential memory allocation errors.

Conditions:
When a BIG-IP tenant version </= 15.1.7 is running.

Impact:
Excessive memory utilization will impact operational performance of the F5OS and tenants.

Workaround:
The mitigation is to update a BIG-IP tenant version to 15.1.8 or newer, or to update to F5OS 1.5.1.

1328405-2 : F5OS system stopped generating tmstat snapshots

Links to More Info: BT1328405

Component: F5OS-A

Symptoms:
The F5OS system is not generating the tmstat snapshots, which helps us in diagnosing issues.

Conditions:
System is running an affected version of F5OS software (F5OS-A 1.2.0 and above, or F5OS-C 1.6.0 and above).

Impact:
Impacts the supportability of the device; the support teams usually rely on the snapshots while working on field issues.

1327701-4 : Space in SNMP community/user/target name causing snmpd container restart

Links to More Info: BT1327701

Component: F5OS-A

Symptoms:
When there is a space in any SNMP community/user/target name configuration, this will cause an F5OS snmpd service restart.

Conditions:
When there is a space in an SNMP community/user/target name configuration.

Impact:
F5OS snmpd restarts.

Workaround:
Reconfigure the SNMP community/user/target without a space in the name.

Fix:
Added a space restriction in SNMP community/user/target name configuration so the user can no longer configure with a space.

1326837 : Using UI, unable to configure the account expiry date for the user as the request is not delivered to the backend.

Links to More Info: BT1326837

Component: F5OS-A

Symptoms:
Even if the user account is locked using GUI, the authentication is successful for the current user account.

Conditions:
Unable to configure the locking of a user account in the backend.

Impact:
The user account is not locked thus enabling successful authentication.

Workaround:
Added expiry-status to ConfD and UI to define an expiry date for a specific user account with "enabled", "locked", or <string>[YYYY-MM-DD] value.

Or Add expiry-status in ConfD instead of UI to configure expiry of any user account except Admin or Root user account.

Fix:
Added expiry-status to configure expiry of any user account.

1326725-4 : Unable to generate SNMP Trap for IPV6

Links to More Info: BT1326725

Component: F5OS-A

Symptoms:
Generating SNMP traps for IPv6 is not working.

Conditions:
1. Configure SNMP traps for an IPv6 address:

appliance-1# show system snmp
system snmp engine-id state engine-id 80:00:2f:f4:03:00:94:a1:38:33:02
system snmp engine-id state type mac
system snmp state port 5000
system snmp targets target v1_target
 state name v1_target
 state community c1
 state security-model v1
 state ipv6 address 2620:128:e8:49:f816:3eff:fe9:248e
 state ipv6 port 5011
            SECURITY
NAME NAME MODEL
----------------------
c1 c1 [ v1 ]


2. Try to collect SNMP traps on targeted system:

[root@testvm ~]# snmptrapd -Lof 2620:128:e008:4009:f816:3eff:fe09:248e:5011
NET-SNMP version 5.7.2

Impact:
SNMP traps for IPv6 addresses won't work.

Workaround:
N/A

Fix:
We corrected the code for generating SNMP traps for IPv6 addresses.

1326541-2 : In r2000 and r4000 systems, alarm LED is not set when there are alerts raised in the system

Links to More Info: BT1326541

Component: F5OS-A

Symptoms:
When system has any alarm, alarm LED will not be set, and diag-agent is not clearing all the alarms during the boot up.

Conditions:
Applicable for r2000 and r4000 systems.

Impact:
Alarm LED will not be set when system generates any alarm, and diag-agent will not clear all the alarms during the boot up.

Workaround:
When system generates alarms, they can be seen using ConfD.

Fix:
When system generates any alarm, alarm LED will be set and diag-agent will clear all the alarms while during the system boot up.

1326157-2 : Observed multiple containers restarting and cores generating after PXE installation

Links to More Info: BT1326157

Component: F5OS-A

Symptoms:
As a result of "permission denied" errors, some containers begin crashing after a PXE installation. Core files are also generated.

Conditions:
Seen due to a timing issue after PXE installation. Some containers come up before they can be supported.

Impact:
Containers crash or functionality is impacted. Core files are generated.

Workaround:
Modify the /var/docker/config/platform.yml with information below:

+ selinux_labeler:
+ container_name: selinux_labeler
 + image: +${platform_services_registry}/system_network:1.4.14
+ volumes:
+ - /var/F5/system:/var/F5/partition:z
+ labels:
+ f5.service.type: "system"

 identifier:
    container_name: system_latest_vers
    image: ${platform_services_registry}/system_network:1.4.14
+ depends_on:
+ - selinux_labeler

Then, restart the platform-services-deployment.service.

Fix:
Containers should not be crashing after a PXE installation now. No core files should be generated.

1324737-1 : The output of the command "ethtool --show-priv-flags" on all interfaces needs to be collected in QKView

Links to More Info: BT1324737

Component: F5OS-A

Symptoms:
Before, output from the command "ethtool --show-priv-flags" was not being collected in QKView for any of the interfaces.

Conditions:
The user generates a QKView file. The output of the command "ethtool --show-priv-flags" is missing in the 'Commands' section of the QKView.

Impact:
Having access to this command's output will help to identify if the 'vf-true-promisc-support' flag is SET/UNSET. This additional information can help the support team debug issues.

Workaround:
N/A

Fix:
Output for the command "ethtool --show-priv-flags" is now collected for each interface in the 'Commands' section of QKView.

1322817-4 : BIND vulnerability CVE-2023-2828

Links to More Info: K000135312

1317793-1 : F5OS qat-support-pod service crashed with SIGBUS error

Links to More Info: BT1317793

Component: F5OS-A

Symptoms:
Sometimes, a script inside qat-support-pod cannot handle when it gets a SIGBUS signal.

Conditions:
Intermittently seen without any specific conditions.

Impact:
No functional impact, only a core file gets generated.

Workaround:
N/A

Fix:
We haven't seen this issue since the fix went in. However, since there isn't a specific use case to repro, the exact scenario can't be tested.

1316097-3 : LAGs not programmed when adding VLAN to LAG

Links to More Info: BT1316097

Component: F5OS-A

Symptoms:
Traffic from a LAG is not reaching the tenant.

Conditions:
1) Add a VLAN to a LAG and add that VLAN to a tenant in the same commit.

2) Configuration read following blade reboot.

Impact:
LAGs are not programmed; traffic doesn't reach tenant.

Workaround:
Workaround for condition (1): Add the VLAN to the LAG, commit; then add the VLAN to the tenant.

Fix:
Fix usage of mutexes to prevent deadlock with LAG programming is happening in parallel with VLAN programming.

1315149-4 : Users authenticated via TACACS+ cannot log in via serial console

Links to More Info: BT1315149

Component: F5OS-A

Symptoms:
If remote authentication is configured to use TACACS+, users authenticated via TACACS+ cannot log in via the system serial console.

SELinux errors in /var/log/audit/audit.log similar to the following:

type=AVC msg=audit(1691528610.427:121): avc: denied { name_connect } for pid=13249 comm="login" dest=49 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0

Conditions:
-- TACACS+ remote authentication.
-- Attempting to log in to system via serial console.

Impact:
Only locally-defined users can log in to the system via serial console.

Workaround:
Configure the SELinux policy to allow this traffic. On a VELOS chassis, these instructions must be run on each system controller separately.

1. Connect to the F5OS system via SSH as root.

2. Examine the SELinux audit denials and confirm all of them are associated with traffic that should be allowed:

grep 'denied.*name_connect.*comm="login"' /var/log/audit/audit.log > /root/login-audit-denials.log
cat /root/login-audit-denials.log

Remove entries from the file /root/login-audit-denials.log that you do not want to allow.

3. After confirming the contents of the file /root/login-audit-denials.log, run the following commands to create and install an SELinux policy to allow that traffic:

audit2allow -M login.allowtacacs < /root/login-audit-denials.log
semodule -i login.allowtacacs.pp

Fix:
A missing SELinux exception has been added. Users authenticated via TACACS+ are now able to log in via serial console without having to manually add the exception or turning off SELinux.

1315121-1 : Key migration failure and potential corruption updating to 1.5.0 or later with deployed tenants

Links to More Info: BT1315121

Component: F5OS-A

Symptoms:
When setting a new primary key after upgrading from an older release (such as 1.1.1 or older), where tenants are deployed, to 1.5.0 or newer, the key migration may fail.

The migration failure may cause configuration database corruption for the entire system.

Conditions:
Tenants are deployed on release 1.1.1 or older. Upgrade to 1.5.0 or newer (including through intermediate upgrades, such as 1.1.1 -> 1.3.2 -> 1.5.1). Set new primary key.

Impact:
Setting a new primary key may fail. When this failure occurs, system configuration corruption may occur.

Workaround:
Mitigation to prevent failure:
- Change all tenants to the configured state
- Set a new primary key
- Wait for key migration to complete
- Return tenants to deployed state.

Recovery for corruption:
- Reset device to default configuration
- Set the primary key to the known primary key for a known-good backup
- Restore with known-good backup

Fix:
Fix known causes of database corruption on primary key migration failure. While the primary key configuration may still fail if tenants are in deployed state, it should no longer cause system corruption.

1315065-4 : RSA-1024 SSH public keys should not be allowed in FIPS mode

Links to More Info: BT1315065

Component: F5OS-A

Symptoms:
When logging into an F5OS or BIG-IP system that is in FIPS mode, RSA-1024 SSH public keys should not be allowed to make the connection. Users should instead be prompted for a password.

Conditions:
User creates a RSA-1024 SSH public key and uses it to connect to the system, while the system is in FIPS mode.

Impact:
The user is allowed to authenticate with the key, which should not be allowed.

Workaround:
N/A

Fix:
Users cannot authenticate with a RSA-1024 SSH public key while the system is in FIPS mode.

1314917-2 : Command "show system health components component psu-2" results in errors

Links to More Info: BT1314917

Component: F5OS-A

Symptoms:
When a second PSU is added to an R2/R4 device, the system health does not show psu-2 as a known component.

Conditions:
After inserting a second PSU, if a power cycle or system reboot happens, sometimes diag-agent as diag-agent is not completely up; it is missing the bmc-events generated for PSU presence and updating as not present.

Impact:
This will cause diag-agent to update the PSU as not present, and it will not be shown in "show system health".

Workaround:
Provided below platform-hal psf action as work around, which will generate bmc-events for psu-presence again.

docker exec -ti platform-hal psf run POST:bmc/rearm-sensor-events sensorNumber=1
docker exec -ti platform-hal psf run POST:bmc/rearm-sensor-events sensorNumber=2

Fix:
Updated diag-agent to initiate bmc re-arm sensors only once diag-agent is up properly, so that it does not miss any bmc-events.

1314453-1 : Datapath is broken when LAG type is changed from LACP to Static on r2000/r4000 platforms

Links to More Info: BT1314453

Component: F5OS-A

Symptoms:
On r2000 and r4000 platforms, we can create a LAG as type LACP with a BIG-IP tenant. Later, when the datapath is up and running, if we change the LAG type to Static, the datapath on the tenant is broken. The platform sends the state of the members of the LAG as DOWN and hence LAG is DOWN on the BIG-IP tenant.

Conditions:
When LAG type is changed from LACP to Static.

Impact:
Datapath is completely broken while using the LAG configured.

Workaround:
Bringing the DOWN members of the LAG back to UP by below configurations
1. interfaces interface <ifc name> config admin disable

This will make interface to DOWN state and then move back to enabled state.

2. interfaces interface <ifc name> config admin enable

Fix:
Datapath no longer breaks when changing the LAG type from LACP.

1313329-2 : Downloaded F5OS ISO file missing after reboot

Links to More Info: BT1313329

Component: F5OS-A

Symptoms:
The system deletes the ISOs which are not verified. If a user reboots the system while an ISO import in progress, the ISO "fails" the verification and is deleted.

Conditions:
Seen if a user reboots the system while an ISO import is in progress (e.g. verifying state).

Impact:
ISO file will be deleted.

Workaround:
Download the ISO again and wait until it has been verified to reboot.

Fix:
There is no longer an issue with rebooting the system while an ISO import is in progress.

1312169-2 : User expiration is not configurable nor viewable on the webUI

Links to More Info: BT1312169

Component: F5OS-A

Symptoms:
User expiration is not configurable nor viewable on the webUI.

Conditions:
Trying to configure/view user expiration on webUI.

Impact:
The user cannot view or modify the expiry information for a system user account.

Workaround:
The expiry information for a user account can be viewed or configured at CLI.

Fix:
On the webUI the "Account Locked" widget will be replaced by the "Expiry Status" configuration which will allow locking the user in a similar fashion as the CLI.

1311953-1 : Platform-services-deployment service does not come up when system reboots early after PXE install

Links to More Info: BT1311953

Component: F5OS-A

Symptoms:
Observed that platform-services-deployment service fails to come up if the system reboots while image import is in-progress after a system PXE install.

Conditions:
Issue only happens after PXE install if the system reboot is triggered while image import is in-progress. The platform-services-deployment startup script was not waiting long enough to setup the env_var file by sw-mgmt.

Impact:
Platform-services-deployment does not come up for the system.

Workaround:
N/A

Fix:
Implemented retry mechanism in platform-services-deployment startup script which will wait for the env_var file setup by sw-mgmt service.

1311049-1 : For a system that has interfaces with 1GB speed, the network tab on the webUI dashboard is not showing all information

Links to More Info: BT1311049

Component: F5OS-A

Symptoms:
If a system has an interface with a speed of 1GB, when the user opens the Network tab on the webUI dashboard, the data that is supposed to be shown on the system graphic (such as interface speed and operational status) are not shown.

Conditions:
A system that has an interface with 1GB speed.

Impact:
The system graphic on the Network tab of the webUI dashboard is not showing interface information.

Workaround:
N/A

Fix:
Now the code is made to handle any port speed coming from the back-end response.

1306649-1 : Rapid removal and re-insertion of 10G optics may result in link failure

Links to More Info: BT1306649

Component: F5OS-A

Symptoms:
An interface link remains down.

Conditions:
Removing and re-insertion of the SFP module within a few seconds.

Impact:
Interface link remains down.

Workaround:
There are two workarounds:
1. After removing the SFP module, wait for 2 to 3 minutes before re-inserting the SFP module. This may not work 100% of the time.
2. Reboot the appliance.

1305909 : iHealth upload not supported on F5OS-A

Links to More Info: BT1305909

Component: F5OS-A

Symptoms:
The iHealth upload service has changed its authentication schema to OKTA, and requires a Client ID and Client Secret rather than a User ID and Password. Version 1.5.1 (and previous versions) of F5OS-A do not support this authentication schema.

Conditions:
Always

Impact:
Users will not be able to directly upload QKView files to iHealth from the appliance because of change in the authentication schema.

Workaround:
1. Use the file export feature to download the QKView from the appliance to a local PC.
2. Sign on to ihealth.f5.com.
3. Use the upload feature to upload the QKView to the iHealth service.

Fix:
Added Client ID and Client Secret fields in the iHealth page on webUI. User can upload QKView files to iHealth.

1305005-3 : Error handling in F5OS file-download API

Links to More Info: BT1305005

Component: F5OS-A

Symptoms:
Upon file download failure, API is returning an Apache error page that isn't an F5OS-specific error and isn't aligned with other F5OS API errors. This is a negative user experience.

Conditions:
Due to unhandled errors, when data not in the FormData format are passed through a Curl request, an Apache error page is thrown, misaligning from other F5OS APIs errors.

Impact:
There is no functional impact. It is a negative user experience.

Workaround:
N/A

Fix:
All errors are handled in the file-download API and aligned with other F5OS APIs errors with no more Apache error pages in error cases.

1304765-2 : A remote LDAP user with an admin role is unable to make config changes through the F5 webUI

Links to More Info: BT1304765

Component: F5OS-A

Symptoms:
When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.

Conditions:
Local GID is being mapped to a remote GID.

Impact:
The admin user mapped to a remote GID cannot access the ConfD config mode.

Fix:
Update the system to the version with the fix.

1304657-1 : Tcam-manager does not support all the possible system network subnets

Links to More Info: BT1304657

Component: F5OS-A

Symptoms:
The connection from the tenant (TMM) to the tcam-manager is continuously restarts.

tcam-mgr logs show the wrong tenant-id and hence rejected connection from the tenant:

msg="INFO" MSG="Connection from client address:10.245.3.1".
msg="ERROR" MSG=" Confd access error obtaining tenant info for tenant:12291 slot:1".
msg="INFO" MSG="neuron_handle_responses: dropping resp to non-existent client".

TMM periodically logs neuron client errors, such as:

notice hudproxy_neuron_client_closed_cb: Neuron client connection terminated
notice pva_sc_frs_neuron_stopped_cb/2373: FRS SC: Neuron client stopped.

Conditions:
The 'system network' configuration is changed from its default setting in F5OS.

Impact:
TCAM based features don't work.

Workaround:
Select either the default RFC6598 subnet or any of the unaffected RFC1918 subnets.

Fix:
Tcam-manager now correctly calculates the tenant-id for all possible system network subnets.

1301837-3 : A remote admin user is not able to enter the ConfD config mode when logged in from SSH

Links to More Info: BT1301837

Component: F5OS-A

Symptoms:
When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.

Conditions:
Local GID is being mapped to a remote GID.

Impact:
The admin user mapped to a remote GID cannot access the ConfD config mode.

Workaround:
No workaround.

Fix:
Update the system to the version with the fix.

1301169-1 : K3S goes down when OMD is restarted

Links to More Info: BT1301169

Component: F5OS-A

Symptoms:
K3S went down and failed to come up when OMD restarted due to memory corruption.

Conditions:
This is caused by not having essential flags in the system.
The appliance OMD is dependent on the flags inside /var/omd directory.

Impact:
When K3S goes down, the cluster is down, which results in service down.

Workaround:
When the cluster goes down due to missing flags, it can be brought back up by clearing the stale flags and tokens. Please contact F5 Support.

Follow instructions in https://my.f5.com/manage/s/article/K08061420

Fix:
1. Logs are in place if the /var/omd/ flags gets deleted or added.

2. Cluster will come up even if it is going to a bad state.

1300805-1 : Allowing the tenant configuration with more memory than max memory in the appliance

Links to More Info: BT1300805

Component: F5OS-A

Symptoms:
This will not have any functional impact.
Tenant configuration will be accepted but the tenant won't be up. And we see a failure message in "show tenants" with resource allocation failed.

Conditions:
Configuring the tenant with the memory that is beyond the max limit.

Impact:
It is the faulty config for the tenant. No impact on the existing/running tenants.

Workaround:
Delete the config and re-configure with valid memory.

1300749-2 : Syslog target files do not use the hostname configured via system user interface.

Links to More Info: BT1300749

Component: F5OS-A

Symptoms:
Syslog target files, for example: /var/F5/system/log/platform.log, use a hardcoded nodename for every device as a hostname.

Conditions:
No special conditions.

Impact:
In a remote log collector, source IPs are the only way to differentiate among devices.

Workaround:
It is possible to do an irule workaround that replaces custom strings in syslog traffic depending on the client's IP address. This iRule is applied to the virtual server on another LTM that consumes the syslog traffic and load balances.


when CLIENT_DATA {
   switch [IP::client_addr] {
       "10.10.10.10" { UDP::payload replace 38 11 "ABCDC01F5OS01" }
       "10.10.10.20" { UDP::payload replace 38 11 "ABCDC01F5OS02" }
       }
}

Below is the example message after irule workaround.

Jul 31 03:33:50 10.10.10.10 2023-07-31T07:33:50.181136+00:00 appliance-1 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 0 (1:Enabled 2:Disabled ... )".

to this

Jul 31 06:00:01 10.10.10.10 2023-07-31T10:00:01.356324+00:00 ABCDC01F5OS01 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 1 (1:Enabled 2:Disabled ... )".
Jul 31 06:00:04 10.10.10.20 2023-07-31T10:00:04.983677+00:00 ABCDC01F5OS02 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 0 (1:Enabled 2:Disabled ... )".

Fix:
Infrastructure to use the system hostname user configuration in the syslog target logs has been added with a knob and it is enabled by default. It can be turned off if old behavior is preferred.

1298329-2 : Tcpdump capture fails

Links to More Info: BT1298329

Component: F5OS-A

Symptoms:
SELinux shared label set by identifier container for the common path shared across all the containers. This issue started when node-agent container was introduced without dependency.

The system repeatedly logs this message to the platform log:

tcpdumpd-manager[8]: priority="Crit" version=1.0 msgid=0x5406000000000018 msg="[] global_dmaa_comm init_comm failed ret:" this=0x17c6b50 ret=3.

Conditions:
This issue seems to occur when downgrading a system to an affected version.

Impact:
Tcpdump capture fails.

Workaround:
This issue can be resolved by doing the following:

1. Log into the system as root
2. Edit /var/docker/config/platform.yml
3. Locate the configuration for 'tcpdumpd-manager', and replace the volume that reads:
      - /var/F5/system:/var/tcpdump:z
with:
      - /var/F5/system:/var/tcpdump
4. Save the file
5. Reboot the appliance

Fix:
Root cause of this issue was fixed as part of ID1326157.

1297665-1 : Occasionally diagnostic agent reports as unhealthy for unpopulated PSU_Slot in health summary and ihealth reports

Links to More Info: BT1297665

Component: F5OS-A

Symptoms:
Diagnostic agent reports as unhealthy for unpopulated PSU_Slot in ihealth reports and "show system health summary" output.

Conditions:
Occurs only when any empty PSU slots are in the system and diagnostic agent receives PSU Input State events in different order.

Impact:
It causes diagnostic agent to report as unhealthy for PSU on the unpopulated slot in health summary.

Workaround:
N/A

1296997-2 : Large core files can cause system instability

Links to More Info: BT1296997

Component: F5OS-A

Symptoms:
When a system generates and stores large core files, it can cause the system unstable.

Conditions:
F5OS generates a large core file.

Impact:
F5OS core-writing script does not check filesystem availability before writing a core file and can fill up the filesystem, causing catastrophic system instability until disk-space is reclaimed.

Workaround:
None

Fix:
F5OS now takes into account the available filesystem space before writing a core file. If the core file is too large then it will be truncated and deleted to maintain system stability. The system log message will indicate if the core file was too large to safely write.

1296525-2 : qkview may capture log files truncated in a reverse way

Links to More Info: BT1296525

Component: F5OS-A

Symptoms:
qkview captures log files, but may truncate them if too large (greater than 100 MB). A regression was introduced such that the most recent log entries would be truncated rather than the oldest.

Conditions:
Collection of qkview.

Impact:
Log entries may be missing in qkview capture.

Workaround:
When running a qkview capture, specify the maxfilesize argument to 1000 (1 GB).

system diagnostics qkview capture maxfilesize 1000

Fix:
QKview now collects the tail end of log files.

1295657-1 : ARP probes to rSeries management IP are answered by both mgmt and mgmt0-system

Links to More Info: BT1295657

Component: F5OS-A

Symptoms:
Intermittent management connectivity issues.

Conditions:
ARP probers to rSeries mgmt-ip.

Impact:
Intermittent management connectivity issues.

Workaround:
A temporary workaround is to update the arp-related kernel paraments on the mgmt interface.

sysctl -w net.ipv4.conf.mgmt.arp_ignore=2
sysctl -w net.ipv4.conf.mgmt.arp_announce=1
sysctl -w net.ipv4.conf.mgmt.rp_filter=1

1294581-2 : webUI header shows FQDN for IP address field instead of management IP

Links to More Info: BT1294581

Component: F5OS-A

Symptoms:
When user accesses F5OS webUI using FQDN, the header shows the FQDN for the IP address instead of showing the actual management IP address.

Conditions:
When user accesses F5OS webUI using FQDN.

Impact:
There is no impact on functionality. The IP address label on the login screen is renamed to Address. The header displays the management IP instead of the FQDN.

Workaround:
To view the management IP address, navigate to the Management IP screen.

Fix:
Login using FQDN shows the IP address on the header instead of the FQDN. Additionally, the IP address label on the login screen is renamed to Address.

1294341-1 : The system freezes if abruptly rebooted during software upgrade process.

Component: F5OS-A

Symptoms:
The system software upgrade process freezes infinitely if the system rebooted abruptly.

Conditions:
This issue occurs if the system is rebooted abruptly when the software upgrade is triggered.

Impact:
Not able to perform upgrade/downgrade to other build as the process is frozen in upgrade state.

Workaround:
None

Fix:
It is possible to upgrade/downgrade to a new build even after the system is frozen due to an abrupt reboot.

1293305-2 : LAG interface status is not updated on the BIG-IP tenant

Links to More Info: BT1293305

Component: F5OS-A

Symptoms:
Symptom 1: Trunk is down in tenant but the LAG is up in F5OS-A.
Symptom 2: LAG is down in F5OS-A but the trunk is up in tenant.

Conditions:
For symptom 1:
1. Set up new rSeries device.
2. Config static LAG and VLAN.
3. Deploy new tenant.
4. In tenant, LAG will be shown as down but interfaces shown as up.
5. This happens only at initial tenant deployment.

For symptom 2:
1. LAG is shown as down in F5OS-A.
2. Trunk is shown as up in tenant.

Impact:
Symptom 1:
On r2x00/r4x00 platforms, as LAG will be in DOWN state, datapath will not be working.

Symptom 2:
On r2x00/r4x00 platforms, LAG status is shown as UP but it's actually DOWN on the platform. Datapath will not be UP, but as LAG is UP in tenant we expect Datapath to be UP.

Symptom 3:
If trunks are used for HA Group the scores associated to the trunks are not deducted from the overall health scores regardless of whether the interfaces in the trunks are up or not.

Workaround:
For symptom 1:
Restarting "system_api_svc_gateway" service on host.
#docker restart system_api_svc_gateway

For symptom 2:
Restarting "system_api_svc_gateway" service on host.
#docker restart system_api_svc_gateway

1292405-1 : CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64

Links to More Info: K000137702, BT1292405

1291461-3 : LCD shutdown does not work on r2800 and r4800 platforms

Links to More Info: BT1291461

Component: F5OS-A

Symptoms:
In F5OS-A versions 1.4.0 and later, the button on the LCD menu that is used to shut down the system, when pressed, does not shutdown the system.

Conditions:
With F5OS-A 1.4.0 or later installed, from the LCD touchscreen, click the System button. Select Shutdown from the menu. Click the Shutdown button at the 'Shutdown the system?' prompt.

Impact:
The LCD touchscreen is lacking functionality the user is expecting it to have.

Workaround:
In an external terminal, connect to the unit's AOM. Select P for "Power on/off host subsystem", and then 0 for "Turn host subsystem off". Or, if the system is off, 1 for "Turn host subsystem on"

Fix:
Going into the AOM menu and powering off or powering on the system works as expected and achieves the same thing as using the LCD Shutdown button.

1290949-1 : Invalid memory read in appliance orchestration manager

Links to More Info: BT1290949

Component: F5OS-A

Symptoms:
"Invalid read" identified in OMD.
During "show cluster events" we are hitting the code flow, where the ConfD API is reading the freed memory. It is leading to an invalid read.

Conditions:
Executing "show cluster events".

Impact:
Using a freed memory may cause unexpected behavior in the system.

Workaround:
N/A

Fix:
Code changes to address memory violations in the code.

1290941-1 : LLDP/STPD/LACPD in rSeries is flooding SEP_POLLERR when dma-agent restarts

Links to More Info: BT1290941

Component: F5OS-A

Symptoms:
Below log is flooded in platform.log when dma-agent restarts
"SEP library in ERR state, sep_client_poll() returns SEP_POLLERR".

Conditions:
dma-agent restart.

Impact:
l2 functions such as LLDP/STPD/LACPD will be affected.

Workaround:
Reboot the device.

Fix:
Fixed code from flooding logs.

1290617-2 : Display option "universal-time" is not supported

Links to More Info: BT1290617

Component: F5OS-A

Symptoms:
The display option "universal-time" is a built-in third-party command that F5OS does not support.

Conditions:
User attempts to access the built-in third-party command "universal-time."

Impact:
The correct output for "universal-time" is not displayed. Proper documentation for this third-party command also cannot be found.

Workaround:
N/A

Fix:
F5OS has suppressed this display option.

1290053-1 : VELOS Software version may not be collected consistently across platform by QKView

Component: F5OS-A

Symptoms:
The QKView version format is different as collected by F5OS-A and F5OS-C, and this is reflected when the QKView is displayed by the iHealth service.

Conditions:
This always occurred when capturing a QKView.

Impact:
Occasional parsing difficulties on the iHealth service.

Workaround:
Examine the /etc/PRODUCT file contained in file collection for the host subpackage.

Fix:
Version information format as reported in the manifest.json file within a QKView is now consistent between F5OS-A and F5OS-C.

1289633-2 : FIPS devices show incorrect vCPUs

Links to More Info: BT1289633

Component: F5OS-A

Symptoms:
1. The Dashboard System Summary shows 36 vCPUs rather than the actual number of vCPUs available for Tenant Deployment.
2. The Add/Edit Tenant deployments screen allows selecting up to 36 vCPUs instead of the maximum vCPUs that the platform supports.

Conditions:
FIPS device.

Impact:
No functional impact.

Workaround:
Users can view the correct value for total vCPUs for tenant deployment on the device from the CLI using the following command:

"show cluster nodes node node-1 state node-info"

Fix:
vCPUs information will show appropriately on the dashboard based on the platform support, and Add/Edit Tenant deployment screen will have vCPU options up to the maximum that the platform supports and not beyond that.

1289029-3 : Toggling lag-type can sometimes cause an F5OS LACP aggregation to pass traffic while the peer does not have LACP configured.

Links to More Info: BT1289029

Component: F5OS-A

Symptoms:
An F5OS LACP aggregation can sometimes allow traffic to pass when it should not.

Conditions:
1) With peer devices that cause link status to flap on aggregation configurations: Toggle F5OS aggregation lag-type from LACP, to STATIC. Toggle peer aggregation from LACP to STATIC. Toggle F5OS aggregation lag-type from STATIC to LACP.

2) Create an aggregation interface with STATIC lag-type, change the lag-type to LACP, then create a lacp interface. Configure the peer aggregation as a STATIC aggregation.

Impact:
Traffic will pass on an aggregation when LACP has not negotiated for affected interfaces.

Workaround:
Disable, then enable affected interfaces.

Fix:
Under no scenario will traffic pass on an interface in a LACP aggregation that has not negotiated LACP with its peer.

1288937-2 : Interface persists with removed VLAN

Links to More Info: BT1288937

Component: F5OS-A

Symptoms:
When a VLAN is deleted while being referenced by an interface or LAG, it cannot be de-referenced from the interface/LAG.

Conditions:
Delete the VLAN before removing the VLAN from the interface.

Impact:
Cannot add the interface to a LAG after deleting VLAN(s) that used the interface.

Workaround:
Recreate the removed VLAN, then edit the interface which shows defined VLAN, remove the defined VLAN, then remove the recreated VLAN.

Fix:
With the fix, the user will be able to view and remove the VLAN in the Add/Edit Interface/LAG screen even if the VLAN was deleted, and thus will be able to detach it from the interface/LAG.

1286285-3 : ISO with special characters in name will not import

Links to More Info: BT1286285

Component: F5OS-A

Symptoms:
An ISO named with special characters like "()" will not be imported and gets deleted from the import directory silently.

Conditions:
Only when the ISO name contains special characters.

Impact:
User will not have any status on the imported image with a name that contains special characters.

Workaround:
No workaround.

Fix:
The "show system image" API will display the status as "Import error. File name is incorrect."

1286165-1 : Ping failing after removing aggregate ID from interface and adding trunk VLANs in the same commit

Links to More Info: BT1286165

Component: F5OS-A

Symptoms:
Ping to self IP of tenant failing.

Conditions:
This issue will be observed only when tried from F5OS ConfD CLI.

Removing aggregate ID and assigning trunk VLANs to an interface in the same commit from ConfD CLI.

Impact:
Ping to self IP of tenant will fail.

Workaround:
From F5OS CLI
1)Remove aggregate ID from interface.
2)commit the changes.
3)Add trunk VLANs to interface and commit the changes.

For example:
1)no interfaces interface 3.0 ethernet config aggregate-id
2)commit; top
3)interfaces interface 3.0 ethernet switched-vlan config trunk-vlans [ 3700 3800 3900 ]
4)commit

Fix:
NA

1285969 : Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down

Links to More Info: BT1285969

Component: F5OS-A

Symptoms:
One or more interfaces in LACP aggregations may be considered down when they should not be.

Conditions:
Internally, LACPD hashes interfaces to an integer, and some aggregation interface names hash will collide with ethernet interface name hash. Changes to the these aggregation interfaces can impact the ethernet interface.

Impact:
Traffic through the affected ethernet interface in LACP aggregations may be disrupted. This can cause either degraded performance or traffic failure for LACP aggregations that the interface is a member of.

Workaround:
Only use aggregation interface names that don't hash to the same port numbers as ethernet interfaces.

In order to determine if an existing aggregation interfaces port number conflicts with an ethernet interface, review the lacpd_interface_stat table.

For a VELOS partition, use the lacpd container on any blade in the partition to run tmctl.
For an appliance, use system_lacpd container to run tmctl.

The following example from a rSeries appliance shows the aggregation interface "vlag" with the same port number as interface 1.0

[root@appliance-1 ~]# docker exec -it system_lacpd bash

[root@appliance-1 partition]# tmctl lacpd_interface_stat -s name,port_num
name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
4.0 4096
5.0 5120
6.0 6144
7.0 7168
8.0 8192
9.0 9216
mgmt 43008
vlag 1024

If an aggregation interface hashes to the same port number an Ethernet interface:

1. Delete the conflicting aggregation interface

2a. You can either restart the lacpd containers

    or

2b. Reboot the appliance, or for VELOS reboot each blade in the partition.

Fix:
Aggregation interface names will never impact ethernet interfaces in a LACP aggregation.

1285149-3 : Patch releases report the wrong version in various log files.

Links to More Info: BT1285149

Component: F5OS-A

Symptoms:
F5OS-A patch files are not correctly set for patch versions.

Conditions:
Patch version release.

Impact:
Patch releases falsely report it as a non-patched release in log files.

Workaround:
None

Fix:
None

1284269-1 : Config restore fails if it contains an SNMP user

Links to More Info: BT1284269

Component: F5OS-A

Symptoms:
Error when restoring the config

appliance-1(config)# system database config-restore name with.mgmt.snmpuser.xml
A clean configuration is required before restoring to a previous configuration.
Please perform a reset-to-default operation if you have not done so already.
Proceed? [yes/no]: yes
Error: access denied
Database config-restore failed.

Conditions:
Backup contains an SNMP user.

Impact:
Cannot restore configuration.

Workaround:
There are two possible workarounds.

Workaround 1:
- Edit the configuration backup and remove the SNMP user related configuration.
- Restore the backup

Workaround 2:
- Create a SNMP user in device before restoring backup.
- Restore the backup

Fix:
Issue is fixed. Now the user can take a configuration backup and restore it, even with an SNMP user configured.

1284193-1 : GRUB2 vulnerability CVE-2022-28733, Samba vulnerability CVE-2021-20277, DHCP vulnerability CVE-2021-25217

Links to More Info: K000132893, BT1284193

1283641-1 : Docker network is not updating as part of internal IP ranges configurations

Links to More Info: BT1283641

Component: F5OS-A

Symptoms:
Docker network needs to be updated as per network-range-type.

Conditions:
Configuring the network-range type is not affective on docker network.

Impact:
This bug causes docker network to not update as per network-range-type.

Workaround:
Edit the/etc/sysconfig/docker file manually and restart the docker.

Fix:
The root cause was '/etc/sysconfig/docker' getting overridden while running pre-deployment-setup. This task fixes the above issue.

1282757 : On upgrade, systems might overwrite key due to automatic firmware updating

Links to More Info: K000133379, BT1282757

Component: F5OS-A

Symptoms:
When upgrading to a new version (such as 1.4.0), automatic firmware updates occur, and these interfere with the encryption key retrieval, causing a new key to be generated, which blocks api-service-gateway.

Conditions:
Upgrading to a new version where automatic firmware updates get started at boot-up.

Impact:
The api-service-gateway container does not come up and there is no communication with the tenant.

Workaround:
docker exec -it system_manager bash
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-key"
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-cert"

Fix:
The encryption key will not generate a new key unless the TPM module has none. The code will continue to retry until it succeeds or ConfD timeout occurs (300 seconds).

1281861 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0

Links to More Info: BT1281861

Component: F5OS-A

Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".

Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.

Impact:
Tenants will not start and are unusable.

Workaround:
To work around this issue, perform one of these actions:

1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".

Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.

1281857-1 : Repeated disabling and enabling of link partner interface might result in datapath corruption

Links to More Info: BT1281857

Component: F5OS-A

Symptoms:
Packets received on an interface are corrupted or lost after a link partner interface is repeatedly disabled and then enabled within relatively short windows of time.

Conditions:
A link partner interface is repeatedly disabled and then enabled within relatively short windows of time.

Impact:
Dataplane services on the given interface will be inoperable.

Workaround:
The product must be rebooted to recover.

Fix:
An FPGA firmware fix was implemented to add an additional clock to an internal component that served to isolate noise between the MAC and itself.

1281749-1 : Hashed/encrypted passwords are getting logged

Links to More Info: K000134922, BT1281749

1281165-1 : CVE-2023-0767 in nss-tools-3.67.0-4.el7_9

Component: F5OS-A

Symptoms:
An attacker may create a PKCS 12 certificate bundle to exploit mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Upgraded to a non-vulnerable version of nss-tools.

1281157-1 : CVE-2023-0767 in nss-sysinit-3.67.0-4.el7_9

Component: F5OS-A

Symptoms:
An attacker may create a PKCS 12 certificate bundle to exploit mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Updated to a non-vulnerable version of nss-sysinit.

1281149-1 : CVE-2023-0767 in nss-3.67.0-4.el7_9

Component: F5OS-A

Symptoms:
An attacker may create a PKCS 12 certificate bundle to exploit mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Upgraded to a non-vulnerable NSS version.

1281141-1 : CVE-2022-37434 in zlib-1.2.7-20.el7_9

Links to More Info: K67213091, BT1281141

1280749-2 : OCSP server state data and actual configured data is different in ConfD CLI

Links to More Info: BT1280749

Component: F5OS-A

Symptoms:
The OCSP server data shown from non-config mode in the ConfD CLI is different from actual configured data.

Conditions:
- Showing state data related to OCSP server from ConfD CLI.

Impact:
Inability to check the actual OCSP server value from non-config mode.

Workaround:
Workaround is to run 'show running-config' from non-config mode.

Fix:
When the user sets new values for the OCSP server configuration, the state data is updated as well so that the user can see the actual values from non-config mode.

1280365-3 : WebUI and shell admin access unavailable after upgrade to when one of the previously installed images is no longer present★

Links to More Info: K000133253, BT1280365

Component: F5OS-A

Symptoms:
1. WebUI or CLI inaccessible via admin account (that is, ConfD is not up):
[root@appliance-1(XXXXXXXXX) log]# su admin
Failed to connect to server

2. sw-mgmt.debug file will have a line similar to this one (with image version changing depending on which image is missing):
DEBUG: Source file /var/export/chassis/import/.mounts/iso/R2R4/1.1.1-9159/m3/*-services/F5OS*.img does not exist, removing from all_sw.

3. Containers stuck in ImagePullBackOff. For example, system_network container cannot be pulled, and the following error is observed in messages log:

appliance-1 dockerd-current: time="2023-03-24T15:09:26.631359235Z" level=error msg="Not continuing with pull after error: Error: image system_network:1.4.5-f5os-a-1-4-0-candidate.2023-02-14-15-09-15.S9b340f7e not found"

Conditions:
Both of the below conditions:

1. Certain ISO image has been ungracefully removed from the /var/import/staging folder. Examples of ungraceful removals:
-- Deleted via bash (after running chattr -i <image name>)
-- Image name had parentheses in it and as per ID1273021 it is wiped out upon reboot.

2. /var/import/import.json file includes reference to removed image that is listed BEFORE the reference to currently used image.

Impact:
Device webUI is inaccessible. Cannot access ConfD. Root access is working.

Workaround:
Two workarounds:
1. Re-import the deleted image and reboot the box.
2. Remove the whole section that references the deleted image from import.json file and reboot the box.

Fix:
N/A

1280237-1 : Notification streams are sometimes empty using 'restconf/streams/platform-stats/json' API endpoint

Links to More Info: BT1280237

Component: F5OS-A

Symptoms:
When using the 'restconf/streams/platform-stats/json' API endpoint, the JSON object could be empty instead of being populated with platform stats.

Conditions:
The initial discovery of platform-stat had a logic flaw which prevented drive information from being correctly discovered. This caused the rest of the JSON object from being populated.

Impact:
The platform-stats notification stream endpoint would return an empty object instead of platform-stat data.

Workaround:
N/A

Fix:
The logic flaw has been resolved and the platform-stat notification stream is fully populated with stat information.

1273845-1 : Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration

Links to More Info: BT1273845

Component: F5OS-A

Symptoms:
Manually adding TLS Certificate & Key on webUI instead of storing through Self-Signed Certificate or removing Certificate & Key removes TLS configuration, which includes verify-client and verify-client-depth.

Conditions:
- When there is an existing Verify Client and Client Depth configuration, and user tries to remove TLS Certificate & Key on Certificate Management screen on webUI.

- When user fills the TLS Certificate & Key on Certificate Management screen on webUI.

Impact:
Verify Client and Client Depth configuration of Certificate Authentication will be changed to default values which disables verification of httpd client certificates.

Workaround:
- Remove or Add TLS Certificate & Key through CLI.
- While creating Self-Signed Certificate, set "Store TLS" field as true
- Re-add Verify Client and Client Depth after removing or manually adding TLS Certificate & Key.

1273581-1 : CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy

Links to More Info: K000133098, BT1273581

1273445 : Downgrade/upgrade issues are seen because ISO has special characters in the file name★

Links to More Info: BT1273445

Component: F5OS-A

Symptoms:
If a F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , ＼') is imported onto the device, and the system is downgraded/upgraded with this ISO, it can result in the upgrade/downgrade failing.

Conditions:
1. Download and import an ISO with a 'special character' in its name (for example,F5OS-A-1.5.0-*.iso.
2. Attempt an upgrade /downgrade.
3. Upgrade/downgrade will fail.

Impact:
Upgrade/downgrade will fail, requiring manual intervention to recover the system.

Workaround:
1. Before performing a platform software upgrade, compare versions referenced by the "show system image" ConfD CLI command with the names of files present in the "/var/import/staging” directory.

If the ISO is not present in /var/import/staging but it is shown in "show system image" command output, then import again to "/var/import/staging”.

2. If there is any ISO file with a name containing a special character present in "/var/import/staging”, remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt upgrade.

3. In order to remove that ISO file with a name containing a special characters use the below command.

appliance-1(config)# system image remove iso <iso version>

4. In scenarios where the above command fails or where it is not possible to use above command, please follow the below procedure to delete the image.
  * login to the device using root
  * chattr -i "/var/import/staging/<iso with special characters>”
  * rm -rf "/var/import/staging/<iso with special characters>”

In case downgrade or upgrade failure has already occurred due to this issue, follow these steps to recover the system:

1. Download another copy of the ISO with a proper name to /var/import/staging.

2. Wait for five minutes for it to import. If ConfD is unavailable, you can check the logs in /var/log/sw-mgmt.debug for import status.

3. Once the import is complete, reboot the system. This should recover the system.

Fix:
The fix is to delete the ISO with the special characters when it is being imported.

1273025-1 : Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption

Links to More Info: BT1273025

Component: F5OS-A

Symptoms:
Virt-handler pod is crashing upon downgrading from F5OS-A 1.4.0 to F5OS-A 1.3.2, and a tenant is stuck in pending state.

Conditions:
Configure TACACS server-group on a non-default port (that is, other than port 49) and downgrade from F5OS-A 1.4.0 to F5OS-A 1.3.2.

Impact:
Tenant becomes stuck in pending state.

Workaround:
Two workarounds:

1. Configure standard port (49) for the TACACS server instead of a non-standard port. Using the standard port should not trigger these issues. Releases older than F5OS-A 1.4.0 do not correctly support any port other than 49 for the TACACS server.

2. Fix SELinux policy on the appliance:

a. cp selinux module from /usr

cp /usr/etc/selinux/targeted/active/modules/400/f5_appliance to /etc/selinux/targeted/active/modules/400/f5_appliance

b. Reboot the device

reboot

Fix:
Enforce closure of non-standard port every time configuration is updated or system is shut down. This avoids leaving ports open for which SELinux may not have exceptions.

Note this does not address the non-standard port in older releases when downgrading. Non-standard ports for TACACS are still not properly supported in the older release.

1273021-1 : ISOs imported with regex special characters in their names are getting deleted★

Links to More Info: BT1273021

Component: F5OS-A

Symptoms:
Downgrade/upgrade issues are seen when upgraded ISO has special characters in the file name

If an F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , ＼') is imported, and the system is downgraded/upgraded to that version, it can result in the upgrade failing and the ISO being automatically removed.

Conditions:
1. Download and import an ISO with a 'special character' in its name, example 'F5OS-A-1.5.0-*.iso'.
2. Attempt an upgrade to the imported ISO version.
3. Upgrade will fail.

Impact:
An upgrade to a version of software marked as successfully imported can fail unexpectedly, requiring manual intervention to recover the system.

Docker container services will not come up.

Workaround:
1. Before performing a platform software upgrade, compare versions referenced by the "show system image" ConfD CLI command with the names of files present in the "/var/import/staging” directory.
If the iso is not present in /var/import/staging but it is shown in "show system image" command output, then import again to "/var/import/staging”.

2. If there is any iso file with a name containing a special character present in "/var/import/staging” remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt upgrade.
3.In-order to remove that iso file with a name containing a special characters use below command.
appliance-1(config)# system image remove iso <iso version>
4.In scenarios where above command fails or not possible to use above command
please follow below procedure to delete the image.
  * login to the device using root.
  * chattr -i "/var/import/staging/<iso with special characters>”
  * rm -rf "/var/import/staging/<iso with special characters>”

Incase downgrade or upgrade failure is already happened, because this issue,
follow these steps to recover the system:
1.Download another copy of the ISO with a proper name to /var/import/staging.
2.Wait for five minutes for it to import. if confd is unavailable, you can check the logs in /var/log/sw-mgmt.debug for import status.
3.Once the import is complete, reboot the system. This should recover the system.

Fix:
Import of ISO with special characters is blocked.

1273017-1 : LACPD restarts when changing aggregation lag-type through configuration utility webUI

Links to More Info: BT1273017

Component: F5OS-A

Symptoms:
The Link Aggregation Control Protocol Daemon (LACPD) will restart. An LACP aggregation's interface can be permanently down, restricting traffic from passing on that interface.

Conditions:
-An aggregation interface's lag-type is set to static through configuration utility.

Impact:
One or more physical interfaces associated with an LACP aggregation can be erroneously marked down indefinitely, causing either degraded performance, or complete traffic failure.

Performance degradation may not occur, but the LACPD process will always restart.

Workaround:
- Toggle any affected interface to disable and then back to enable.
- Toggle any affected aggregation interface to static and then back to LACP.
- Reboot the system.

Fix:
LACPD will not restart when an aggregation is configured to static through the configuration utility. Few warnings can be logged when this operation occurs. These warnings can be ignored if seen while changing an aggregation's lag-type through configuration utility.

1271973-2 : Disabling 1G/10G BaseT interface in F5OS does not make the link down on the peer port

Links to More Info: BT1271973

Component: F5OS-A

Symptoms:
An external switch connected to one of the 1G/10G BaseT interfaces will show link-up even when the interface is disabled in F5OS.

Conditions:
When a 1G/10G BaseT interface is connected to an external switch and is disabled in F5OS.

Impact:
The external switch link-up is misleading since the interface is actually disabled on the F5 system.

Fix:
Disabling 1G/10G BaseT interfaces in F5OS now brings the link down.

1270837-2 : The Account Locked field on the Edit User page does not lock out users nor display correct locked status

Links to More Info: BT1270837

Component: F5OS-A

Symptoms:
Changing the Account Locked field on the Edit User page does not lockout a user, nor does the field correctly represent the locked status of a user.

Conditions:
Using the Account Locked field in the webUI.

Impact:
Users are allowed to log in even if the Account Locked status is changed to True and the account is truly locked.

Users are unable to log in even if the Account Locked status is changed to False, and the account is truly unlocked.

Workaround:
To lock or unlock a user, use the CLI to set the user's expiry date to 1 for locked and -1 for unlocked.

Following is an example:

Locked

(config)# system aaa authentication users user <username> config expiry-date 1
(config)# commit

Un-locked

(config)# system aaa authentication users user <username> config expiry-date -1
(config)# commit

Fix:
On the webUI the "Account Locked" widget will be replaced by the "Expiry Status" configuration which will allow locking the user in a similar fashion as the CLI.

1270473-3 : On firmware upgrade from CLI, wrong console message displayed

Links to More Info: BT1270473

Component: F5OS-A

Symptoms:
When the firmware upgrade command from ConfD CLI is executed, on success it displays the below message:

Result FIPS firmware has been set successfully. Please reset HSM to reflect the update!

The HSM reset does a factory reset and wipes the HSM.

Conditions:
On firmware upgrade from ConfD CLI, the wrong console message is displayed to the user.

Impact:
If HSM resets, it factory resets the HSM and wipes it.

Workaround:
Do not reset HSM; instead reboot the system to get the new firmware reflected.

Fix:
N/A

1270309-1 : Audit.log may log incorrect username initially for users logging into the CLI, remotely-authenticated users may see hostname in prompt reported as "appliance-1", and remotely-authenticated LDAP users may experience lengthy delays when authenticating

Links to More Info: BT1270309

Component: F5OS-A

Symptoms:
The audit log may initially show the incorrect username when users log in to the CLI:

For example:

msg="audit" user="[one username]/[number]" cmd="created new session via cli from 192.0.2.1:56166 with ssh".
msg="audit" user="[one username]/[number]" cmd="CLI 'show system state hostname'".
msg="audit" user="[one username]/[number]" cmd="CLI done".
msg="audit" user="[one username]/[number]" cmd="terminated session (reason: normal)".
msg="audit" user="[actual username]/[another number]" cmd="created new session via cli from 192.0.2.1:56166 with ssh".
msg="audit" user="[actual username]/[another number]" cmd="CLI 'exit'".
msg="audit" user="[actual username]/[another number]" cmd="terminated session (reason: normal)".


Or:

confd[121]: audit user: [tenant name]/[number] assigned to groups: admin
confd[121]: audit user: [tenant name]/[number] CLI done
confd[121]: audit user: [tenant name]/[number] terminated session (reason: normal)
confd[121]: audit user: test_user/[number] assigned to groups: admin


If role GID mapping is configured, remotely-authenticated users may see the hostname reported in the prompt as "appliance-1", rather than the correct hostname. For instance:

User f5osadmin last logged in 2023-10-01T01:02:03.123456+00:00, to appliance-1 from 192.0.2.1 using cli-ssh
f5osadmin connected from 192.0.2.1 using ssh on appliance-1.chassis.local
appliance-1#


Remotely-authenticated LDAP users may experience lengthy delays when authenticating via SSH, particularly if one or more of the following are true:
- the LDAP server has a large number of groups
- the LDAP server has many users in groups
- there is noticeable latency between the F5OS system and the LDAP server

Conditions:
When trying to use remote authentication, multiple user accounts have the same UID (user identifier). The user IDs may overlap between multiple remote users, or between remote users and local users.

Impact:
The audit.log will show an incorrect username for the first few entries.

The CLI prompt may display the generic hostname "appliance-1".

Workaround:
To avoid the audit.log reporting an incorrect username, ensure all user accounts have unique user IDs.

If that is not practical, or to work around the other symptoms of this issue, the following procedure will work around the issue; this procedure will be reverted by any software version changes.

1. Log into the rSeries appliance as root

2. Put the script below into /etc/cron.hourly, as a file named "ID1270309-workaround", and then mark it executable ("chmod 755 /etc/cron.hourly/ID1270309-workaround").

===
#!/bin/bash

set -Eeuo pipefail

# f5_confd_cli from different versions of F5OS-A
# 1.5.0 / 1.5.1
# 1.5.1 with the fix for ID1301837
MATCHING_CHECKSUM=( "5496b29958666ab7eeb44e1dbc78afb4c99a08d5" "a5d4a6928fb77fd089ed8289f1162220d30e2c8c" )
# The same file, with the patch below applied to it.
MODIFIED_CHECKSUM=( "37ab85644d33f1fdd1724e284aa694c897a4e898" "8d552eb9f79853dacf762d9ee21c06cc950383f3" )

FILE=/var/lib/controller/f5_confd_cli

CHECKSUM=$(sha1sum "$FILE" | awk '{print $1}')

if [[ "${MATCHING_CHECKSUM[@]}" = *"$CHECKSUM"* ]]; then
    :
elif [[ "${MODIFIED_CHECKSUM[@]}" = *"$CHECKSUM"* ]]; then
    # Already modified. Nothing to do
    exit 0
else
    echo >&2 "f5_confd_cli is in unknown state, not modifying."
    exit 0
fi

patch -p1 "$FILE" << 'EOF'
--- /var/lib/controller/f5_confd_cli.ID1270309.orig 2023-09-05 15:35:44.651749231 -0700
+++ /var/lib/controller/f5_confd_cli 2023-09-05 15:37:08.894286756 -0700
@@ -180,16 +180,11 @@
     echo "System Time: $date"
 fi
 
-# Read the hostname from /system/state/ if it exists,
-# otherwise default to the hostname
-hostname_cli_out=$(echo "show system state hostname" | /var/lib/controller/confd_cli -N)
-
-hname=${HOSTNAME}
-if [[ ! -z "${hostname_cli_out}" ]]; then
- if [[ "$hostname_cli_out" == *"system state hostname"* ]]; then
- hname=$(echo ${hostname_cli_out} | awk '{print $(NF)}')
- fi
+if [ -r /etc/f5_sys_hostname/env ]; then
+ . /etc/f5_sys_hostname/env
 fi
+hname=${SYS_CONFIG_HOSTNAME:-$HOSTNAME}
+
 if [[ -z "${supplementary_gids}" ]]
 then
     exec /var/lib/controller/confd_cli -C -H ${hname} -u ${USER} --gid "${primary_gid}"
EOF
===

This script will check and potentially update the login script once an hour to apply the workaround. After a system reboot or the system_manager docker container restarts, there is a potential period of up to an hour before the workaround is reapplied.

This workaround will also only function for specific versions of F5OS software; currently, only for F5OS-A 1.5.0 and F5OS-A 1.5.1.

1269989-2 : tcam-manager may get stuck using 100% CPU

Links to More Info: BT1269989

Component: F5OS-A

Symptoms:
After running a QKView or tcam-dump by itself, tcam-manager does not clean up the diagnostic socket, which results in a tight loop and pegging the CPU at 100% utilization. This in turn starves other platform processes (such as dma-agent), which causes performance degradation.

Conditions:
A QKView or tcam-dump, which is included in QKView, is run.

Impact:
Performance degradation.

Workaround:
The issue can be avoided by not running QKView.

Fix:
After tcam-dump completes, the corresponding socket is properly removed.

1267253-2 : LDAP shadowExpire attribute not honored

Links to More Info: BT1267253

Component: F5OS-A

Symptoms:
When using LDAP authentication, usage of the shadowExpire and related attributes will not enforce expiration on the F5 device.

Conditions:
LDAP authentication is configured. LDAP shadowExpire, shadowMax, and related attributes are set such that the user should be expired.

Impact:
User with expired attributes can log into F5 device.

Workaround:
Either remove the user from groups with roles that allow access to the F5 device (for example, F5OS admin role gidNumber) or delete the user.

1267205-1 : Status field in "show system image" reports error when upgrading to 1.5.0★

Links to More Info: BT1267205

Component: F5OS-A

Symptoms:
Although patch ISOs are removed from the system, services filed still show entry for base service with status as error.

Ex:
VERSION IN
SERVICE STATUS DATE SIZE USE TYPE
------------------------------------------------------
1.3.0-8327 error 1 1 false
1.1.0-7645 error 1 1 false

Conditions:
This occurs after upgrading from a patched version.

Impact:
There is no impact to the system.

Workaround:
Workaround #1: This is for the issue when you have removed older images from prior to the upgrade to F5OS-A-1.5.0.

1. Remove all service entries which status shows as "Error" in show command from the /var/import/import.json file and save and close it.
ex:
{
   "date": "2022-11-06",
   "platform": "R5R10",
   "status": "100",
   "source": "/var/export/chassis/import/preserved_sources/F5OS-A-1.3.1-8863.R5R10.CANDIDATE.img",
   "version": "1.3.0-8327",
   "component": "services",
   "port": "2006",
   "size": 2519765504,
   "error": "",
   "subcomponents": []
  },

2. Do any of the steps
- systemctl restart sw-mgmt.service
- docker restart system_image_agent

or
reboot the system

3.
Now the system will remove the error flag from "show system image" output and we can delete these services from CLI/webUI.

Workaround #2:
To avoid such error in "show system image" output, first upgrade to 1.5.0 and then remove the older ISO (1.3.2,1.3.1,1.1.1 etc).

1266197-2 : CVE-2022-4254 sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters

Links to More Info: K000136157, BT1266197

1263941-2 : CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user

Links to More Info: K000132667, BT1263941

1256897-4 : Deleting an ECDSA curve using the CLI takes a while to restart the http-server with the default RSA certificate.

Links to More Info: BT1256897

Component: F5OS-A

Symptoms:
After setting a valid ECDSA curve type:
  prime256v1   X9.62/SECG curve over a 256 bit prime field
  secp384r1    NIST/SECG curve over a 384 bit prime field

and storing into tls the self-signed certificate the GUI will show the certificate info for this URL.

Going into the CLI and deleting the key and certificate:

su admin
config
no system aaa tls config certificate
no system aaa tls config key
commit

removes the ecdsa certificate and key and http-server is restarted with the default created rsa key and certificate.

However, the GUI still has the deleted certificate and continues to use it despite doing a refresh or attempting to log in from another browser window.

Looking at what happens under the covers, it shows that the ecdsa key and certfiicate are deleted and that httpd was restarted (all have new PID's).

The problem seems to happen with ecdsa curves only and might be explained by either of the following:

On linux operating systems, a file isn't completely deleted until the last referring program releases it.
The browser caches the certificate if it's type ecdsa and does not release that cache right away.

We notice that using the default rsa key and certificate seems to fail when the ecdsa is deleted, but after a 60 second timeout, the http-server recovers and everything seems back to normal. I could take a couple timeouts, meaning that two minutes must go by.

Conditions:
After selecting an ECDSA key type (for curve type prime256v1 or secp384r1) and connecting successfully, the key and certificate are deleted from ConfD, resulting in having the http-server use a default created RSA key and certificate.

Impact:
This can be a bit concerning, in that one expects the certificate to be replaced immediately once the key and certificate are removed. From an operational perspective, the flow does not seem to be affected as the webUI continues to work. Eventually the certificate type will no longer be the ECDSA type, but this can take a few minutes, perhaps longer.

Workaround:
To hasten the fix, one can do: docker restart http-server, which usually fixes the issue right away, or a reboot will also accomplish this.

1256437-1 : Interface with a default route with gateway is NOT available

Links to More Info: BT1256437

Component: F5OS-A

Symptoms:
Without default interface, k3s will fail to come up.

Symptoms: Interface with a default route with gateway is NOT available.

Conditions:
Without default interface, k3s will fail to come up.

Impact:
K3s will be down.

Workaround:
rm -f /etc/NetworkManager/system-connections/default-intf
and reboot

Fix:
Delete the file - /etc/NetworkManager/system-connections/default-intf
and reboot.

1253713-3 : CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png

Links to More Info: K000133070, BT1253713

1252445-2 : QKView is collecting iptable dump only for filter table but not for raw, mangle, and nat

Links to More Info: BT1252445

Component: F5OS-A

Symptoms:
When QKView is collected on F5OS, it is displaying data for only filter table but not for nat/mangle/raw in container network.

Conditions:
Collect QKView on F5OS using system diagnostics QKView capture.

Impact:
No impact; iptable dump for filter table is already present.

Workaround:
N/A

Fix:
Updated QKView file to include required iptable commands.

1252377-4 : VXLAN-GPE and GENEVE are disabled by default when software is upgraded from F5OS-A 1.3.0 build to F5OS-A 1.4.0★

Links to More Info: BT1252377

Component: F5OS-A

Symptoms:
When r10000 or r5000 Series hardware is running with F5OS-A 1.3.0, the default settings for VXLAN-GPE and GENEVE are enabled, and hardware disaggregation support for these tunnel protocols is enabled without any explicit configuration.

If the software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0, these protocols will be disabled, and hardware disaggregation is disabled. It is required to enable these two protocols explicitly in the configuration to enabled them in the hardware.

Conditions:
If VXLAN-GPE and GENEVE tunnels are used in the deployment with F5OS-A 1.3.0 software version without any explicit enabled configuration for these two tunnels, and software upgraded to F5OS-A 1.4.0 or later.

Impact:
Hardware disaggregation support for VXLAN-GPE and GENEVE will be disabled if software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0 or later when these two tunnels are using default configuration to enable them.

Workaround:
Use explicit tunnel settings to enable VXLAN-GPE and GENEVE in F5OS-A 1.3.0, or enable these two protocols explicitly after software upgrade from F5OS-A 1.3.0.

Fix:
VXLAN-GPE and GENEVE are disabled in default global configuration and advised to use explicit tunnel configuration settings to enable hardware disaggregation support.

1251981 : Speed on webUI Interfaces screen is empty for 1GB

Links to More Info: BT1251981

Component: F5OS-A

Symptoms:
When interface speed is 1GB, the speed column on this screen is blank. The Edit Interfaces screen has the same issue.

Conditions:
Interface speed is set to 1GB.

Impact:
Speed column will be blank, so user will not see the actual speed.

Workaround:
Use the F5OS CLI to view the interface speed when it is set to 1GB.

Fix:
Speed column is now populated correctly on the Interfaces screen.

1250901-2 : On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state

Links to More Info: BT1250901

Component: F5OS-A

Symptoms:
After a reboot of the system in live upgrade, tenants that were running earlier might not change to a running state. This is due to the HSM board driver stuck in SAFE_STATE instead of OPERATIONAL_STATE.

In some cases, the driver changes to an operational state after some amount of time (approximately 10 minutes). But this time might vary upon detection of reset/link failure in the hardware. In some other systems, the driver becomes stuck in SAFE_STATE indefinitely.

Conditions:
Live upgrade/reboot of the rSeries FIPS system with F5OS-A.

You may observe the below logs in dmesg-
[ 964.105021] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION

Impact:
Running tenants goes to pending state when this issue occurs in a live upgrade.

Workaround:
Check contents of cavium_n3fips file as shown below.
[appliance]# cat /proc/cavium_n3fips/driver_state
HSM 0:OPERATIONAL_STATE

If the driver changes to an operational state, perform
"docker restart fips-support-pod" to help in recovering.

But if the driver state is still "HSM 0:SAFE_STATE", you may need to perform a power cycle reboot (but this will not guarantee recovery).

Fix:
N/A

1249773-2 : QKView may fail to collect all files for platform-monitor container

Links to More Info: BT1249773

Component: F5OS-A

Symptoms:
Very occasionally, QKView view will have a conflict collecting round-robin database (RRD) files in the platform monitor container. The qkview-collect routine may terminate unexpectedly as a result.

Conditions:
QKView capture request happens coincidentally to round-robin database update.

Impact:
RRD files may not be collected.

Workaround:
Rerun QKView.

Fix:
This will be fixed in a future release.

1240749-1 : F5OS systems send incomplete DDoS stats response to the tenants

Links to More Info: BT1240749

Component: F5OS-A

Symptoms:
BIG-IP tenants on F5OS systems receive incomplete/corrupted DDOS stats response, which leads to TMM crash.

Conditions:
Undetermined circumstances on a BIG-IP tenant with AFM provisioning.

Impact:
TMM crashes on the tenant, which affects application traffic. Traffic disrupted while TMM restarts.

Workaround:
None

Fix:
TMM no longer crashes.

1240565-2 : Not allowing special characters "/*!<>^,/" in SNMP community/user/target name

Links to More Info: BT1240565

Component: F5OS-A

Symptoms:
Currently, we are allowing all characters to configure SNMP community/target/user. Because of that someone can use this configuration to inject script and system can be compromised.

Conditions:
Try to configure SNMP community/target/user with below command:

r10900-1(config)# system snmp communities community <script>alert(1)</script config security-model v2c
r10900-1(config-community-<script>alert(1)</script)# commit
Commit complete.
r10900-1(config-community-<script>alert(1)</script)#
r10900-1# show running-config system snmp
system snmp engine-id config value mac
system snmp communities community <script>alert(1)</script
config security-model [ v2c ]

Impact:
We are allowing all characters to configure SNMP community/target/user. Because of that someone can use this configuration to inject script and system can be compromised.

Workaround:
N/A

Fix:
We are restricting special characters /*!<>^,/ (identified as invalid input) as SNMP community/target/user name configuration.

Note: Upgrade will fail if user already has SNMP configuration with restricting special characters /*!<>^,/

1239325 : Issue when Management IP address is configured to have public internet access on F5OS

Links to More Info: BT1239325

Component: F5OS-A

Symptoms:
The F5OS webUI allows web crawlers access to all content when the Management IP address is configured to have public internet access.

Conditions:
If the Management IP address is configured to have public internet access.

Impact:
This impedes the ability to satisfy internal security compliance mandates.

Workaround:
To mitigate the issue, you can manipulate the contents of the robots.txt file inside the webUI container as demonstrated below:

$ ssh root@10.238.160.60
root@10.238.160.60's password:
[root@appliance-1 ~]# docker exec -it vanquish-gui bash
[root@d6303361e100 /]# cd /app/build
[root@d6303361e100 build]# echo "User-agent: *" > robots.txt
[root@d6303361e100 build]# echo "Disallow: /" >> robots.txt
[root@d6303361e100 build]# cat robots.txt
User-agent: *
Disallow: /
[root@d6303361e100 build]# exit
exit
[root@appliance-1 ~]# exit
logout
Connection to 10.238.160.60 closed.

Fix:
Robots.txt now disallows web crawlers access to any content.

1236857-1 : F5OS OID SNMPv2-MIB::sysDescr provides meaningless information for system controller

Links to More Info: BT1236857

Component: F5OS-A

Symptoms:
After setting up snmpwalk on older version and live upgrading to another version, the snmpwalk is still showing older service version.

Conditions:
1. configure SNMP
2. upgrade system with live upgrade
3. check system version using SNMPv2-MIB::sysDescr (it will be pointing to older version)

example:
SNMPv2-MIB::sysDescr.0 = STRING: Linux 3.10.0-1160.62.1.F5.1.el7_8.x86_64 : Appliance services version <older_version>

Impact:
sysDescr will be displaying older version.

Workaround:
N/A

Fix:
This issue is fixed in latest release.

1234049 : The Add/Edit tenant deployment screen on the r4600 webUI does not have the option for 12 vCPUs in the vCPUs dropdown

Links to More Info: BT1234049

Component: F5OS-A

Symptoms:
The vCPUs dropdown does not have 12 as an option in the Add/Edit tenant deployment screen on the r4600 webUI.

Conditions:
While adding or editing a tenant on the r4600 system via webUI.

Impact:
The user cannot add or edit a tenant with 12 vCPU cores on the webUI.

Workaround:
Users can add/edit a tenant with 12 vCPU cores from the CLI.

Fix:
The webUI will have an additional option for '12' in the vCPUs dropdown thus allowing the user to deploy a tenant with 12 vCPU cores.

1232369 : Intel Microcode update

Links to More Info: BT1232369

Component: F5OS-A

Symptoms:
Intel Microcode update was found to fix an internal regulator power issue. No workaround; requires BIOS update.

Conditions:
Intel Microcode earlier than 0d000389 in the BIOS.

Impact:
Unknown

Workaround:
Upgrade BIOS that includes the new microcode 0d000389 from Intel.

Fix:
BIOS version 2.01.134.1 has been updated from vendor with the updated microcode from Intel.

1232309 : CVE-2020-10754: nmcli did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings

Links to More Info: K000132761, BT1232309

1231357 : Unexpected reboot might occur on r5000/r10000 Series

Links to More Info: BT1231357

Component: F5OS-A

Symptoms:
An unexpected operating system reboot might occur on r5000/r10000 Series.

After the system reboots, in the /var/crash/ directory there will be a new directory created that is named with a timestamp corresponding to the reboot. In that new directory, a file vmcore-dmesg.txt is available with the following error message:

CPU 0: Machine Check Exception: 5 Bank 4: ba00000056000402

Conditions:
Unexpected system reboot.

Impact:
When the reboot occurs, the entire system will reboot and all tenants will stop processing traffic until the reboot is complete. The system will operate normally after the reboot.

Workaround:
None

Fix:
This issue has been corrected.

1230609 : Neighbor interface description is not updated in LLDP neighbor details

Links to More Info: BT1230609

Component: F5OS-A

Symptoms:
Port Description TLV is not displayed under LLDP interface neighbors.

Conditions:
1) enable LLDP on device and on switch
2) enable port description TLV
3) set port description on interface in switch side

Impact:
No impact.

Workaround:
N/A

Fix:
Fixed code to display port description.

1229465-3 : QKView is not collecting core files in /var/crash

Component: F5OS-A

Symptoms:
QKView was designed to collect core files in /var/core only. The operating system kernel can create core files in /var/crash. SEs need to know about these files.

Conditions:
OS kernel creates a core file.

Impact:
Core file not collected by QKView.

Workaround:
Core file can be manually copied from /var/crash.

Fix:
QKView takes a directory listing from /var/crash and collects core files in that directory.

1229449-1 : Username is not logged on rSeries appliance when webUI authentication fails

Links to More Info: BT1229449

Component: F5OS-A

Symptoms:
When a user tries to log in via webUI and provides the wrong credentials, the username is not getting logged.

Conditions:
When a user tries to log in via webUI and provides the wrong credentials.

Impact:
Unable to see the user name for whom authentication has failed.

Fix:
N/A

1226505-2 : Average transactions per second impacted in certain cases

Links to More Info: BT1226505

Component: F5OS-A

Symptoms:
There is a reduction in http/https average transactions per second for some file sizes when ASM is configured on BIG-IP tenant on R2000 series.

Conditions:
BIG-IP config: virtual server with asm_rw policy attached to it; virtual server with profiles http, tcp, and websecurity attached to it (visual snippet is at the end of high level details).

CPU: 95-97%

simulated users: 1536

The traffic involved in testing ASM is close to real world traffic conditions.

Impact:
Reduction in average transactions per second when traffic is run for a specified duration with 1536 simulated users.

Impact is seen for http traffic specific to 32kb and 5kb file sizes.

Workaround:
N/A

Fix:
N/A

1226429 : "DEBUG cannot reply twice on the same call" log reporting repeatedly

Links to More Info: BT1226429

Component: F5OS-A

Symptoms:
When the snmpget operation is performed on IF-MIB, the message "DEBUG cannot reply twice on the same call" appears in /var/log/message. The issue is that the DEBUG is enabled in one of the services container so this DEBUG message is logging in /var/log/message.

Conditions:
One of the reproduction steps is to perform the snmpget operation on IF-MIB.

Impact:
No known impact on the functionality. They are DEBUG messages only.

Workaround:
No workaround. The debug messages stops when the snmpget operation is completed.

Fix:
Removed unwanted debug enable from the service container.

1225989-2 : TACACS users only able to access CLI, not webUI

Links to More Info: BT1225989

Component: F5OS-A

Symptoms:
A TACACS user with either admin or operator privilege is unable to log onto the webUI, but can get access through the CLI. This was found to be due to an internal file linking error.

Conditions:
Have a correctly configured TACACS authenticated user access the webUI.

Impact:
The login will not be successful, and an "Authentication failed" message will be displayed. The webUI will be inaccessible.

Workaround:
N/A

Fix:
The file link issue has been resolved, and the problem no longer exists.

1225981-1 : Files greater then 1000 MiB are truncated in QKView

Links to More Info: BT1225981

Component: F5OS-A

Symptoms:
QKView is unable to collect an untrunucated platform.log file that has been rotated.

Conditions:
Rotated copy of the platform.log file is greater than 1000 MiB.

Impact:
Logs are not complete in QKView making it difficult to troubleshoot issues.

Workaround:
Collect the log files manually.

1225701-1 : Filenames with special characters in /var/import/staging cause upgrade to fail

Links to More Info: BT1225701

Component: F5OS-A

Symptoms:
Coping images with special characters in the filename to /var/import/staging causes the sw-mgmt service to exit. The system is unable to change versions.

Conditions:
Copy or import an image with special characters in the filename to /var/import/staging. Then, try to upgrade.

Impact:
sw-mgmt service is exiting, and the system will not upgrade.

Workaround:
Remove the image the special characters using the commands below in a bash prompt:
chattr -i /var/import/staging/<iso with special characters>
rm -rf /var/import/staging/<iso with special characters>

Then, restart sw-mgmt.service:
systemctl restart sw-mgmt.service

Fix:
We have modified sw-mgmt to remove any images containing special characters.

1217169-2 : Disk full: Latest ISO is not getting imported★

Links to More Info: BT1217169

Component: F5OS-A

Symptoms:
Not able to import images because /var/export/chassis LVM goes to read-only mode when the memory usage of this LVM is reached by more than 50%.

This LVM is created as VDO (virtual data optimizer) volume, twice the size of the physical partition size, so 50% of the LVM size is equal to 100% of the size of the underlying physical device (partition), on which this LVM is being created.

When the LVM usage reaches more than 50% of LVM size, the LVM metadata is corrupted, causing this issue.

Conditions:
The issue is seen when usage of the LVM /var/export/chassis reaches around 50% by importing more than 12 F5OS-A images on an rSeries low device.

Impact:
Not able to import images once the LVM /var/export/chassis goes to read-only mode.

Workaround:
The workaround is to deport older images from /var/export/chassis/import/iso/ using command below before importing/copying new images.

appliance-1(config)# system image remove iso <old/unused iso version>

or

If it is not possible to delete the images using above command
please follow below steps.

chattr -i /var/import/stagging/<old/unused iso>
rm -rf /var/import/stagging/<old/unused iso>

In case the issue is seen (/var/import/stagging/ becomes read only) the only way to recover the system is perform either pxeboot or usb install on the system.

1215917 : webUI failed to load when downgrading from 1.5.0 to 1.3.1 with self-signed certificate with encrypted RSA key type

Component: F5OS-A

Symptoms:
webUI fails to load.

Conditions:
If the self-signed certificate is enabled with encrypted-RSA/ECDSA, and the system is downgraded to lower versions than 1.5.0

Impact:
webUI fails to load.

Workaround:
Remove the self-signed encrypted certificate before downgrading to lower versions.

Fix:
Added code changes to restrict the downgrade to lower versions if encrypted RSA/ECDSA certificate is available.

1211861 : Configured input values of IP address fields reset to default upon switching the protocol

Links to More Info: BT1211861

Component: F5OS-A

Symptoms:
IP address fields are reset to default values.

Conditions:
When the user changes the protocol and switches back to the previously selected protocol via the "Address" field on the webUI.

Impact:
Values of IP address fields are lost as they are reset to default values.

Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.

Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.

We have added 'X' buttons adjacent to the address fields that can be leveraged to put in default values in case the user does not want to configure the fields for a particular protocol.

1211777 : Configured input values of IP address fields reset to default upon switching the protocol

Links to More Info: BT1211777

Component: F5OS-A

Symptoms:
IP address fields are reset to default values.

Conditions:
When the user changes the protocol and switches back to the previously selected protocol via the "Address" field on the webUI.

Impact:
Values of IP address fields are lost as they are reset to default values.

Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.

Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.

We have added 'X' buttons adjacent to the address fields that can be leveraged to put in default values in case the user does not want to configure the fields for a particular protocol.

1211673-2 : Default tenant disk size is based on tenant image type

Links to More Info: BT1211673

Component: F5OS-A

Symptoms:
There is no impact on functionality.
Previously, default tenant disk size was 77GB regardless of image type.

After the fix:

T1 type image - 22GB
T2 type - 45GB
T4 - 142GB
ALL - 82GB

Based on image type, default storage size will be used.

Conditions:
Tenants are created with default disk size of 77Gb although their image size is different.

Fix: create tenant disk based on image type.

Impact:
No functionality impact

Workaround:
No Functionality impact.

Fix:
No Functionality impact.

1211025 : Firmware update interrupted during OS install★

Links to More Info: BT1211025

Component: F5OS-A

Symptoms:
Firmware update can be interrupted by docker container issues.

Conditions:
Random container issue restarts all containers.

Impact:
If firmware is being updated in that moment, the firmware update will fail and it could cause problems to normal system operation.

Workaround:
Ask the support team to update the LOP firmware.

Fix:
Docker container failure handles routine checks if firmware is being updated and waits until the update is done before handling the failure.

1207485-1 : LACP daemon restarts when changing lag-type of the aggregation

Links to More Info: BT1207485

Component: F5OS-A

Symptoms:
LACP daemon restarts. The system will be unable to process LACPDUs until LACP daemon starts up again.

Conditions:
The issue occurs from changing the lag-type of an aggregation interface that does not have an associated LACP interface.

Impact:
All LACP link aggregations may go down and be unable to process traffic for a short time. The down time, if it occurs, should be less than a few seconds.

Workaround:
Only change an aggregation's lag-type while an associated LACP interface exists.

Fix:
LACP daemon will not restart when changing an aggregation's lag-type while an associated LACP interface does not exist.

1207189-3 : CVE-2022-38178 in bind-license-32:9.11.4-26.P2.el7_9.7

Links to More Info: K000137229, BT1207189

1207185-2 : CVE-2022-38178 in bind-export-libs-32:9.11.4-26.P2.el7_9.7

Links to More Info: K000137229, BT1207185

1207181-2 : CVE-2022-38177 in bind-license-32:9.11.4-26.P2.el7_9.7

Links to More Info: K27155546, BT1207181

1205409-2 : Cannot export or download files from diags/shared/tcpdump path

Links to More Info: BT1205409

Component: F5OS-A

Symptoms:
The diags/shared/tcpdump path gives access to the tcpdump files captured for system diagnostics. However, these files could not be downloaded from the webUI to the local system.

Conditions:
- User generates a tcpdump file for system diagnostics
- User navigates to the diags/shared/tcpdump path in the webUI and tries to download file, resulting in an error

Impact:
Unable to download tcpdump files from diags/shared/tcpdump path in the webUI. Hence, a user cannot access these files from the webUI.

Workaround:
Create /var/docker/config/platform.override.yml with these contents:

version: '2.1'
services:
  http-server:
    volumes:
      - /var/F5/system/shared/tcpdump:/var/shared/tcpdump

Then, restart platform-services.

Fix:
User is now able to download and export files from diags/shared/tcpdump path to any required destination without any errors.

1205345-5 : RADIUS remote authentication uses internal system IP address as system identifier in requests

Links to More Info: BT1205345

Component: F5OS-A

Symptoms:
When configured for RADIUS remote authentication, the F5OS systems send internal system IP address as Network Access Server (NAS) system identifier (NAS-IP-Address or NAS-IPv6-Address), rather than a system management IP.

On VELOS systems, the NAS-IPv6-Address will be a link-local IPv6 address in fe80::/64.

On rSeries appliances, the NAS-IP-Address will be an address in the internal address range (RFC6598 by default), e.g. 100.65.60.2.

Conditions:
RADIUS remote authentication for system users.

Impact:
RADIUS authentication servers may ignore or reject authentication requests due to an unknown system identifier in the requests.

Workaround:
None.

1204985-2 : The root-causs of F5OS-A upgrade compatibility check failures are hidden in /var/log/sw-util.log.

Links to More Info: BT1204985

Component: F5OS-A

Symptoms:
When performing a live upgrade, if the upgrade compatibility check fails, users can only see "System database upgrade compatibility check failed" error message. The applicable information about what failed is neither displayed nor shown in platform.log/velos.log.

Conditions:
1. Perforrm a live-upgrade.
2. If the upgrade compatibility check fails, users can only see "System database upgrade compatibility check failed" error message. The applicable information about what failed is neither displayed nor shown in platform.log/velos.log.

Impact:
Upgrade failure logs are not logged in platform.log/velos.log.

Workaround:
None

Fix:
This issue is fixed and displays the error scenarios in platform.log/velos.log.

1204481 : System may flap external links multiple times during startup or links may fail to come up at all

Links to More Info: K000132166, BT1204481

Component: F5OS-A

Symptoms:
When the system boots up, the interfaces may flap (go up and down) several times in quick succession before coming up and stabilizing.

In some cases, the interfaces fail to come up at all.

If a peer switch is configured to detect excessive link flaps, it may put the port in an err-disable state and prevent the link from coming up.

Conditions:
-- r5000 or r10000 Series appliance

Impact:
If the peer switch triggers a link-flap detection feature, the ports may remain offline until an administrator manually recovers the port on that switch.

Workaround:
There is no workaround for this issue on the rSeries appliance.

An administrator can mitigate this issue by doing one of the following:

- configuring the peer switch to automatically try to recover ports that are disabled for excessive link flapping
- increasing the number of link flaps required in a certain interval before the port is put in a disabled state

Fix:
Disable sending of remote-fault signaling to peer device while the system is booting up.

1204433-2 : "Appliance-mode" flag in license should not be used to enable appliance-mode

Links to More Info: BT1204433

Component: F5OS-A

Symptoms:
Appliance-mode enabled using license will not get reflected in "show tenants" CLI.

Conditions:
The issue is seen when "appliance-mode" is enabled through license.

Impact:
Appliance-mode enabled using license will not get reflected in "show tenants" CLI.

Workaround:
Appliance-mode can be configured from CLI.

Fix:
Appliance-mode can be configured from CLI.

1194881-5 : Bind vulnerabilities: CVE-2021-25220 and CVE-2022-2795

Links to More Info: K78285929

1190369 : Terminal window not reflecting configured hostname

Component: F5OS-A

Symptoms:
The title of the terminal window does not have the configured hostname.
Currently, all open windows with root login either from PuTTY or any application display as appliance-1.

Conditions:
Connecting to the device using ssh clients like PuTTY.

Impact:
This causes difficulty for a user trying to juggle multiple open SSH sessions during a maintenance window.

1188921-1 : tcpdump not working after upgrade

Links to More Info: BT1188921

Component: F5OS-A

Symptoms:
tcpdump fails with CLI error:
errbuf ERROR:DMAA error, packets cannot be captured
tcpdump: pcap_loop: DMAA error, packets cannot be captured

Error logged:
appliance-1 tcpdumpd-manager[8]: priority="Crit" version=1.0 msgid=0x5406000000000029 msg="DMAA socket failed:" comp="connect" errno=2.

Conditions:
System upgrade has failed to properly update the configuration file, which is responsible for starting tcpdumpd_manager.

Impact:
tcpdumpd_manager will not be able to start and packets cannot be captured. tcpdumpd_manager will continue log this failure to the system log.

Workaround:
None

Fix:
Improved tcpdumpd_manager start-up routine to check for line-dma-agent socket availability.

1188053 : SSH idle-timeout support

Component: F5OS-A

Symptoms:
There was no idle-timeout implemented for SSH session. The SSH session was not getting terminated even if it was idle for a long time.

Conditions:
There was no idle timeout for SSH session.

Impact:
SSH session will not get terminated even if it is idle for long time.

Workaround:
User must close the SSH session.

Fix:
Implemented SSH idle-timeout which is configurable from CLI/RESTCONF. The SSH session will now get terminated if it is idle for the configured idle-timeout. The default value is 0, which means no idle-timeout.

1185701-2 : 'system aaa' command in ConfD to fail with "Error: application communication failure"

Links to More Info: BT1185701

Component: F5OS-A

Symptoms:
System fails to change password and renders system in a degraded state where user management no longer works.
System fails to provide proper user feedback to the user about failed password changes.

Conditions:
This policy option is causing the problem:
system aaa password-policy config retries 5

Impact:
F5OS user password cannot be changed.

Workaround:
Do not change the configuration from default.
system aaa password-policy config retries 5

Fix:
N/A

1185497-3 : Tenant health in the partition shows additional entries that are not part of the tenant configuration

Links to More Info: BT1185497

Component: F5OS-A

Symptoms:
When the admin upgrades the system software from 1.3.x to 1.5.0, the platform updates the tenant's table with additional entries that are not running as part of the tenant's original configuration.

Conditions:
Power cycle or system software upgrades from 1.3.x to 1.5.0.

Impact:
There will not be any impact on the critical functionality of the tenant, and traffic continues to work. However, it does show some unwanted information in the health which could be confusing.

Workaround:
Toggling the affected tenant's running state from "Deployed" to "Provisioned" and back to "Deployed" will fix the state of the tenant in the table.

Fix:
During the power cycle/system upgrade, the platform re-populates the tenant oper status from Openshift and publishes it to Partition. If the REST response of the tenants from Openshift is incomplete, the platform is populating entries under the wrong key/value. As a result, the partition tenant's table ends up with some unwanted entries.
It is a cosmetic issue and will not impact any tenants.

1184821 : Obscure crash in external authenticator

Links to More Info: BT1184821

Component: F5OS-A

Symptoms:
An unexpected sequence of characters in the username or password of an external login could cause a crash in the external authenticator.

Conditions:
Certain malformed usernames or passwords being used for external authentication.

Impact:
The crash in these circumstances would prevent successful login. After analysis, it was deemed there was no security risk or exposure.

Workaround:
Use usernames and passwords for authentication via SSH or webUI that conform to the device username/password requirements.

Fix:
The bug was fixed and a crash no longer occurs.

1184429-1 : Specifying "operation not supported" as an iHealth QKView description or SR number will disable iHealth uploading

Links to More Info: BT1184429

Component: F5OS-A

Symptoms:
The phrase "operation not supported" was scanned for communication with iHealth to indicate an error. By using this as a description or as an SR case, this will trigger an error, preventing the ability to upload to iHealth.

Conditions:
The phrase "operation not supported" is used as an iHealth QKView description or SR number.

Impact:
Unable to upload iHealth through the iHealth upload service on the device.

Workaround:
Do not use the phrase "operation not supported" as a description or an SR case number when uploading to iHealth.

Fix:
Fix to check for errors will scan for http error code instead of scanning the text of the http body.

1183909-2 : Python urllib3 vulnerabilities CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074

Links to More Info: K000133448, BT1183909

1181929-3 : F5OS install may partially fail, leaving system with mismatched OS and services★

Links to More Info: BT1181929

Component: F5OS-A

Symptoms:
After an attempted upgrade, administrators are unable to access the system via management UI, or log into the system as any user other than "root".

A message such as the following in the platform log:
priority=Fatal msgid=0x3501000000000021 msg=OStree rebase to version 1.2.0-10139 failed.

Conditions:
The first part of an F5OS software upgrade fails, but the system continues on and performs subsequent steps of the upgrade.

Impact:
The system may be completely inoperative, or the system may be running with different OS and services versions, which could lead to unknown problems.

Workaround:
If this issue occurs, contact F5 Support for assistance.

1181721 : Add additional commands and files to QKView collection

Component: F5OS-A

Symptoms:
There is no change in functionality. The fix adds new commands and files to QKView collection.

Conditions:
Additional commands and files are added to the QKView collection and they will be collected whenever QKView is requested.

Impact:
Additional commands and files are added to the QKView collection.

Workaround:
Only new commands and files will not be collected as part of QKView collection. Old commands and files will get collected in QKView.

Fix:
Additional commands and files are added to the QKView collection.

1167761-2 : Directory indexing enabled for management webUI

Links to More Info: BT1167761

Component: F5OS-A

Symptoms:
Directory indexing is enabled for management webUI.

Conditions:
When the management IP is followed by the name of any directory that is contained in the webUI, the build directories and file contents are visible on the browser.

Impact:
The webUI build directories and file contents are visible on the browser.

Workaround:
None

Fix:
Disabled directory indexing.

1166149-1 : CVE-2021-27803 wpa_supplicant: Use-after-free in P2P provision discovery

Links to More Info: K000135433, BT1166149

1165973-2 : Application error while using the CLI command "show components"

Links to More Info: BT1165973

Component: F5OS-A

Symptoms:
The user receives an error message using the CLI (show components -> Error: application error) when there is a faulty sensor in the hardware.

Conditions:
When the system has the faulty sensor.

Impact:
Application error seen in the ConfD CLI while trying to execute "show components". The webUI is affected as well.

Workaround:
N/A

Fix:
We have added a check at diag-agent to not throw the application error; it will show data for the healthy components.

1137121-3 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0

Links to More Info: BT1137121

Component: F5OS-A

Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".

Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.

Impact:
Tenants will not start and are unusable.

Workaround:
To work around this issue, perform one of these actions:

1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".

Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.

1136725-2 : An iptables CLI error

Links to More Info: BT1136725

Component: F5OS-A

Symptoms:
An iptables command error:
[root@appliance(appliance.chassis.local) ~]# iptables -L
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Conditions:
When a parallel iptables query is happening, this error displays.

Impact:
The iptables can get disturbed.
User may not be able to view the iptables.

Workaround:
During iptables listing, it uses DNS and reverse DNS lookup if "-n" option is not used, which will make iptables hold the lock for longer durations.

Fix:
Added "-n" option in all places where iptables listing is happening.

1136597-3 : LDAP user with admin and operator role gets only operator permissions

Links to More Info: BT1136597

Component: F5OS-A

Symptoms:
An LDAP user configured with groups for both admin and operator roles only receives operator permissions.

Conditions:
LDAP user configured with gidNumber assignments for both admin and operator roles.

Impact:
A user with this config would be assigned only operator permissions.

Workaround:
Only configure the gidNumber for the desired role in LDAP for the user. Do not configure multiple roles for the same user.

Fix:
There was an error in the NACM rules for ConfD config. The role logic has been fixed.

1132569-1 : "cdb_exists failed" error logged in platform.log during boot up

Links to More Info: BT1132569

Component: F5OS-A

Symptoms:
This occurs unconditionally upon every reboot. It doesn't have any functional impact.

Conditions:
Upon every reboot.

Impact:
No impact.

Workaround:
N/A

Fix:
Boot or reboot the device and check platform.log. The issue should no longer occur.

1128877-2 : Mount command added to QKView collection

Links to More Info: BT1128877

Component: F5OS-A

Symptoms:
Mount command was not provided in QKView diagnostics file.

Conditions:
Always.

Impact:
Mount data is currently collected, but may be missing data provided by the mount command.

Workaround:
Run mount command on system and copy results from device.

Fix:
Mount command will be executed in QKView.

1118109-2 : CVE-2019-15605: HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

Component: F5OS-A

Symptoms:
A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections.

Conditions:
An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections.

Impact:
An unauthorized user can gain access to the system.

Workaround:
N/A

Fix:
http-parser has been updated to http-parser-2.7.1-8.el7_7.2

1099069-2 : Issues with pulling files from F5OS device using SCP

Links to More Info: BT1099069

Component: F5OS-A

Symptoms:
Unable to pull packet capture files off of the F5OS device using SCP from admin.

Conditions:
Download packet capture files using SCP from the admin account.

Impact:
Unable to download packet capture files through SCP from admin.

Workaround:
N/A

Fix:
Added support to download files from more directories.

1091853-5 : CVE-2022-23308: libxml2 vulnerability

Links to More Info: K32760744, BT1091853

1069365-3 : Error shown when configuring known-host for file transfer when FIPS mode is enabled`

Links to More Info: BT1069365

Component: F5OS-A

Symptoms:
"Host unreachable" error is sometimes displayed when FIPS mode is enabled, if a user tries to configure known-host. The ssh-keyscan fails, as ssh-keyscan is not using FIPS approved ciphers.

Conditions:
- FIPS mode is enabled
- User configures known-host for file transfer

Impact:
"Host unreachable" error is thrown.

Workaround:
N/A

Fix:
Updated ssh-keyscan to use FIPS approved ciphers when FIPS mode is enabled.

1047689-4 : Sw_rbcast core file found on system

Links to More Info: BT1047689

Component: F5OS-A

Symptoms:
Partition_sw_rbcast producing core.

Conditions:
Starting a tenant which requires the sw_rbcast container running in the following platforms:
- r5x00
- r10x00
- VELOS

Impact:
The sw_rbcast process crashes and produces a core file.

Workaround:
None

Fix:
A new version of sw_rbcast correctly handles tenant broadcast packets.

1008701-2 : Using curl to access 'scp:' URIs on the partition management IP does not work

Links to More Info: BT1008701

Component: F5OS-A

Symptoms:
Attempting to upload a tenant image via

"curl filename scp:IMAGES"

would fail, even though

"scp filename admin@mgmt-ip:IMAGES"

works.

Conditions:
Accessing ssh/scp via curl rather that the scp application.

Impact:
Cannot use curl to copy files.

Workaround:
Use scp directly rather than curl.

Fix:
The ssh/scp server has been fixed to correctly interpret the file/directory names supplied by the 'curl' command.