Supplemental Document : F5OS-A 1.8.0 Fixes and Known Issues Release Notes

Applies To:


F5OS-A

  • 1.8.0
Original Publication Date: 10/16/2024
Updated Date: 10/16/2024

F5OS-A Release Information

Version: 1.8.0
Build: 16036

Note: This content is current as of the software release date.
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.



Known Issues in F5OS-A v1.8.x

Vulnerability Fixes

ID Number CVE Links to More Info Description
1620513 CVE-2024-38477 K000140784 CVE-2024-38477 httpd: NULL pointer dereference in mod_proxy
1614821-5 CVE-2014-8500 K000141008 CVE-2024-3596 - Blast-RADIUS
1577049 CVE-2024-1086 K000139430 CVE-2024-1086 - Linux kernel vulnerability
1379845 CVE-2023-3341 K000137582, BT1379845 CVE-2023-3341:bind: stack exhaustion in control channel code may lead to DoS
1322817 CVE-2023-2828 K000135312, BT1322817 BIND vulnerability CVE-2023-2828
1292405-6 CVE-2022-25147 K000137702, BT1292405 CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64
1378313 CVE-2020-22218 K000138219, BT1378313 CVE-2020-22218: libssh2: use-of-uninitialized-value in _libssh2_transport_read
1124953-2 CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166 K04808933 Intel microcode updates: CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166


Functional Change Fixes

ID Number Severity Links to More Info Description
1353161 3-Major   Snmpd daemon stuck in loop deleting and recreating 'system snmp communities community' entry after recreating and deleting SNMP config a few times


F5OS-A Fixes

ID Number Severity Links to More Info Description
1615969-1 1-Blocking   Tenant operational data is not getting updated properly after upgrade
1614429 1-Blocking K000140362, BT1614429 iHealth upload is failing with error "certificate signed by unknown authority"
1582817-1 1-Blocking   Unable to add rSeries device IP to 'known-hosts' file
1572493 1-Blocking BT1572493 LAG Trunk Configuration is Missing Inside of Tenant
1572137-2 1-Blocking BT1572137 Upload/Download API should work with '/api' and '/restconf'
1496837-1 1-Blocking BT1496837 User-manager's ConfD socket getting closed.
1360905 1-Blocking BT1360905 Unexpected log messages in /var/log/boot.log post-integrity recovery
1359277 1-Blocking BT1359277 ConfD CLI timed out and subsequently sees Error: application communication failure
1351981 1-Blocking   QAT count is not dynamically updated for active tenants after license upgrade
1338601-1 1-Blocking   On multi tenants cases on system reboots tenant goes to INOPERATIVE state
1332781 1-Blocking BT1332781 A remote user with the same username as the local F5OS user will be granted the local user's roles
1233865-5 1-Blocking   Memory capacity and utilization details are confusing / misleading
1208573-2 1-Blocking BT1208573 Disabling Basic Authentication does not block the RESTCONF GET requests
1637529 2-Critical   RSeries ATSE v72.41.5.00 firmware
1637525 2-Critical   RSeries ATSE v72.5.5.00 firmware
1617125 2-Critical BT1617125 Production license manual activation failed on F5OS-A 1.7.0
1612405-1 2-Critical BT1612405 LACP status shows UP in BIG-IP tenant even if it's down on F5OS.
1596625-2 2-Critical BT1596625 BE2 GCI interface training failures during runtime results in failure to process networking traffic
1596149 2-Critical   Monitor rSeries ATSE to BE2 links and Raise Alarms in the Event of Failures
1591645-1 2-Critical BT1591645 EPVA related dma-agent crash
1587925 2-Critical   Modifying a RADIUS server from the web UI requires the Secret to be configured or re-entered
1585001-1 2-Critical BT1585001 Radius authentication does not work when the shared secret key in the radius configuration is more than or equal to 32 characters
1580489 2-Critical BT1580489 BE2 GCI interface training issue results in failure to process networking traffic
1575925-1 2-Critical   Running 'show system aaa primary-key state status' while a key migration is in progress can cause key migration errors
1575417 2-Critical   Platform-diag-agent memory leak
1566569-1 2-Critical BT1566569 Unable to access rSeries system from 172.17.0.0/16 IP subnet
1536413 2-Critical   Allowed-ips allowed-ip <name> is not accepting the '-' in the names
1505589-1 2-Critical K000139300 Subject-Alternative-Name (SAN) feature now supports client-side SSL Validation
1498009-1 2-Critical   Learned L2 entries in data-plane L2 forwarding table may disrupt some traffic flows between tenants
1497657 2-Critical   First SSH login after editing remote RADIUS or TACACS+ user privileges will still apply old privileges
1496977 2-Critical BT1496977 Remote GID mappings to F5OS roles are disconnected for TACACS+/RADIUS authentication methods.
1494945 2-Critical   ConfD Application Error when tenant interface stats are not available
1494809 2-Critical   Allowing user to configure HostKeyAlgorithms parameters
1469401 2-Critical   ARP request for mgmt interface IP resolving to mgmt0-system interface's mac
1441333 2-Critical BT1441333 Rasdaemon memory leak
1436153 2-Critical BT1436153 F5OS upgrades fail when SNMP configuration contains special characters.
1429741 2-Critical BT1429741 Appliance management plane egress traffic from F5OS-A host going via BIG-IP Next tenant management interface instead of host management when both are in same subnet
1411137 2-Critical BT1411137 Audit log entries are missing when creating or deleting objects via UI or API
1401841 2-Critical   Out of memory issues are seen when multiple telemetry exporters are configured
1400221 2-Critical   OpenTelemetry exporters may not produce data upon first tenant being added to system
1398889 2-Critical   rSeries r5000: assertion in qat-device-plugin FilteringResourceEventHandler.OnDelete causing k8s panic
1398341 2-Critical   The affinity script crash seen in /var/log/cron logs
1398145 2-Critical BT1398145 The 'file list' command takes a long time and the webUI is stuck in loading
1394905 2-Critical   Unable to create AOM user
1394857 2-Critical   Cannot retrieve AOM username after creating it
1390425-1 2-Critical   Libvirt core is generated on downgrade from 1.7.0 -A to 1.6.0 -A
1378805 2-Critical BT1378805 Error occurs when changing LAG type for an existing LAG interface on webUI
1365985 2-Critical BT1365985 GID role mapping may not work with secondary GID
1365821 2-Critical BT1365821 Traffic loss of 5-10 seconds after disable/enable of LACP Lag member on r5000/r10000
1361117 2-Critical   ha-1-deployment pod may get restarted when tenant HA is configured
1355277-2 2-Critical BT1355277 Incorrect Vlan Listeners when a Static FDB is configured
1354373-1 2-Critical BT1354373 WebUI malfunctions when navigating to HSM Details with inactive FIPS drivers
1352045 2-Critical BT1352045 Not able to connect to tenant console via virtctl after upgrade
1348145 2-Critical BT1348145 Observing 'Failed to send restarting msg to VF' during reboot with tenants deployed causing reboot time to increase
1341869-1 2-Critical   Failed to delete tenant pods
1332997 2-Critical BT1332997 Device stuck at "unmounting containers" after performing reboot
1328405 2-Critical BT1328405 F5OS system stopped generating tmstat snapshots
1327137 2-Critical K000138753 Interfaces take longer than expected to come up
1325893 2-Critical   A vqf-dm system software core file is occasionally observed on system reboot
1304921 2-Critical   F5OS file download API does not work with basic authentication
1304765-3 2-Critical BT1304765 A remote LDAP user with an admin role is unable to make config changes through the F5 webUI
1300749 2-Critical BT1300749 Syslog target files do not use the hostname configured via system user interface.
1297357-1 2-Critical   WebUI authentication does not follow best practices in some situations
1296997 2-Critical BT1296997 Large core files can cause system instability
1282493-3 2-Critical   Crypto devices are not released after tenants are deleted
1251989 2-Critical BT1251989 Changing the system Date/time back and forth using NTP server brings the system to abnormal state
1207889 2-Critical   FEC configuration on r5k/r10k 25G interfaces
1204985 2-Critical BT1204985 The root-causes of F5OS upgrade compatibility check failures are hidden in /var/log/sw-util.log.
1167477-5 2-Critical   CVE-2021-20233: grub2 - Heap out-of-bounds write due to miscalculation of space required for quoting
1154733 2-Critical BT1154733 LLDP error on management interface
1126865-2 2-Critical BT1126865 F5OS HAL lock up if the LCD module is not responding.
1099069-3 2-Critical BT1099069 Issues with pulling files from F5OS device using SCP
1671517 3-Major   WebUI Dashboard Memory & Storage Statistics are inaccurate and misleading
1624629 3-Major   F5OS A-1.8.0 upgrade takes up to 10 additional minutes to complete
1615917-4 3-Major   L2_agent crashed due to SNMP
1612217 3-Major BT1612217 A large amount of SPVA DoS allow list entries can overload DMA-Agent causing a tenant to fail to pass traffic
1603661-1 3-Major   SysDescr value returns empty string under SNMPwalk, after performing backup/restore configuration
1593385-3 3-Major BT1593385 F5OS Tenant Throughput (bits/packets) and TMM CPU usage higher than expected until VLAN is added or removed
1591553-1 3-Major BT1591553 Including /etc/resolv.conf and /etc/hosts files in QKView capture
1590173 3-Major   K3s server crashes and restarts due to high CPU activity
1588961 3-Major   Observing "Failed to find the service account - robottpobdefault" or "Creating SA robottpobdefaultfailed" log messages in platform.log
1588093 3-Major BT1588093 Forwarding host log files to remote targets
1585853-2 3-Major BT1585853 Telemetry streaming pauses if mgmt-ip gets updated
1585765 3-Major BT1585765 Error message IDs for appliance-orchestration-manager are incorrect
1585749 3-Major BT1585749 Including lspci commands in QKView capture
1583233 3-Major BT1583233 The 'show portgroups' command may not display DDM statistics, or may display stale/out-of-date DDM statistics
1582553 3-Major BT1582553 The 'components component state' data is not displayed in ConfD.
1580165 3-Major   Removing a failed patch ISO can remove base services imported from a different ISO
1579289 3-Major BT1579289 Empty log message when interface changes state
1576141 3-Major BT1576141 K3S installation fails if /var/log/appliance.log is not present
1573493 3-Major   Qkview does not collect the files gid-map.txt, /etc/libnss-udr/passwd, or /etc/libnss-udr/group
1572929 3-Major BT1572929 Changing remote authentication methods from RADIUS/TACACS to LDAP may break remote-gid functionality.
1572597 3-Major   System loses its mgmt-ip address after switching between static and dynamic allocation (DHCP) of IP and rebooting
1572489 3-Major   Allowed valid usernames on F5OS.
1572041 3-Major   AOM SSH password requirements are not working
1566925 3-Major BT1566925 Remove unhelpful troubleshooting files from QKView
1560533-1 3-Major BT1560533 Inconsistent case values (upper and lower case) for different F5OS-C SNMP OIDs
1558797 3-Major BT1558797 BMC self health test falsely logged as failed
1552945 3-Major BT1552945 Tenant images renamed with bracket are not supported
1550413-1 3-Major BT1550413 System events visible in the CLI may not be visible in the GUI
1549753 3-Major   System telemetry exporter send queue and retry settings are causing memory issues
1519869 3-Major BT1519869 BIG-IP tenant reports blank interface
1496397-1 3-Major   Allowing entry of a Subject-Alternative-Name (SAN) for certificate and CSR creation
1496393 3-Major   A key can be created rather than using a stored key for CSR creation
1492621-2 3-Major BT1492621 Config-restore fails when backup file has expiry-status field for admin or root user
1492401 3-Major   User with operator role is not having read-access to all pages
1490753 3-Major BT1490753 A linkUp and linkDown traps are sent when an up interface is disabled, and vice versa
1486697 3-Major BT1486697 Configuring Expiry-status of root and admin users should not be allowed
1481797 3-Major BT1481797 Voltage sensor limits incorrect, causing notice messages on r2000 & r4000 appliances
1472917 3-Major   LDAP authenticated admins logging in via the serial console may have trouble disabling appliance mode during system instability
1470917 3-Major BT1470917 LAG aggregated speed is not updated
1469385 3-Major BT1469385 GUI freezes during LDAP user authentication if no remote GID mapped locally.
1468545 3-Major BT1468545 Inconsistency with time zones displayed in log files
1467273 3-Major   LCD restarting internal services periodically due to memory allocation error.
1466397-1 3-Major BT1466397 LDAP authentication is consuming several minutes to authenticate via GUI and SSH.
1461289-1 3-Major BT1461289 On a rSeries appliance, config-backup proceed is broken
1461109 3-Major   GUI error "Unable to get data from stream streams/platform-stats/json"
1455913 3-Major   Tcpdump on F5OS does not honor the -c flag
1451181 3-Major   The Rest API call to list core files returns 500 error when no core files found.
1437765-2 3-Major BT1437765 Restoration of system configuration database may fail if admin user was previously modified
1429721 3-Major BT1429721 SCP as non-root user does not report errors correctly for bad/non-existent files.
1410445 3-Major BT1410445 The system's power state may be incorrectly indicated by the Status LED
1408477 3-Major   When more than one PCIe AER error has occurred, diag-agent reports this as a "RAS AER 'unknown' error" instead of the individual AER errors.
1403817-1 3-Major BT1403817 SNMP IF-MIB misreport the status and speed of LACP LAGs
1403781 3-Major BT1403781 Modifying mgmt interface's description will trigger interface flapping
1401621 3-Major   Modifying a remote server with multiple selectors from the web UI removes the AUTHPRIV configuration.
1397145 3-Major BT1397145 Unable to add blade to Openshift cluster if VELOS partition root password is expired or locked
1394993-1 3-Major BT1394993 Upon configuration changes, the l2-agent container restarts with a core.
1394913-1 3-Major BT1394913 Rare LACPD crash during process termination
1394045 3-Major   Misleading "unable to read AOM SSH login banner" errors are found
1393669 3-Major BT1393669 On adding a member to an existing LAG on webUI, the newly added member's speed does not add up to the LAG's "Current Speed" instantly and requires a reload to see the expected response
1393269 3-Major BT1393269 Error log: "PINGLOOP Failed to ssh to 127.0.0.1"
1391625 3-Major   Hugepages do not get de-allocated after BIGIP NEXT tenant HA disassembly
1388961 3-Major BT1388961 A few SEL entries in /var/log/platform/sel have missing details
1388945 3-Major BT1388945 Fan speed randomly shows as '0'.
1388745 3-Major BT1388745 Large numbers of platform-hal errors logged in platform.log: "Requested Sensor, data, or record not present."
1388477 3-Major   Default GID group mapping authorized even when GID mapped to different group ID
1381661 3-Major BT1381661 LDAP external authentication fails if there is no group definition for user's primary GID
1381277 3-Major BT1381277 Most recent login information is not displayed in F5OS webUI
1381109 3-Major   WS-2022-0322 - d3-color 2.0.0 package
1381057 3-Major BT1381057 Opening and closing preview pane is causing the page scrollbar to disappear on View Tenant Deployments screen
1379625 3-Major BT1379625 Changing the max-age attribute in password policy is not reflecting immediately
1379565-1 3-Major   Observing QKView start from 100% and then going back to 1%
1375133 3-Major   K3S is getting reinstalled after live upgrade, even though there is no K3S version change
1366417-3 3-Major   Long BIG-IP tenant names will cause not having virtual console access
1366337 3-Major BT1366337 Adding a system raid drive fails after successful removal
1366157 3-Major BT1366157 Warning needed about creating tenant with same name as existing user account name
1365977 3-Major BT1365977 Container daemons running as PID 1 cannot be cored on-demand
1359897 3-Major BT1359897 rSeries link down events can be missed
1355113-1 3-Major   VELOS software upgrade does not inform about KubeVirt component upgrade
1354341 3-Major BT1354341 Changing a VLAN from trunked (tagged) to native (untagged) on a LAG in a single transaction can cause traffic outage
1354329 3-Major   It is possible to create a user with 'tenant-console' as its primary role (without creating a tenant) from the ConfD CLI
1354053 3-Major   Suppress LOP SEEPROM object did not find errors during re-licensing
1353085 3-Major   Configure admin/operator roles in LDAP without uidNumber or gidNumber attributes
1352845 3-Major BT1352845 Some internal log content may not appear in external log server
1352449 3-Major BT1352449 iHealth upload is failing with error "certificate signed by unknown authority"
1352421 3-Major BT1352421 L2 services (LACP/LLDP) are down on r2000 and r4000 series appliances
1352353-3 3-Major BT1352353 Remove integrity-check configurable option from CLI
1351893-2 3-Major BT1351893 ConfD Logging 'Failed to change working directory' Error Message
1351541-4 3-Major   Unable to remove the ISO images that share the same minor version with the running version
1351529 3-Major BT1351529 Fixing the log issue stating "UNSUPPORTED STP state" when STP global is configured
1349977 3-Major BT1349977 Setup wizard fails and immediately exits if it is given incorrect credentials.
1349953 3-Major BT1349953 Setup wizard script gives an "All IP addresses must be unique" error when NTP and DNS servers match
1348989 3-Major BT1348989 GUI virtual server CLI has different limitations for days-valid
1348509 3-Major BT1348509 Incorrect file path reported in the telemetry log records
1348093 3-Major   Appliance-setup-wizard traceback on invalid NTP input
1341909 3-Major   Command 'show component' does not show psu-power-in and psu-power-out in CLI and API
1341521 3-Major BT1341521 Incorrect subnet mask returned for GET call for /systems
1338521 3-Major BT1338521 Unable to login when accessing F5OS GUI through a network proxy on a port other than 443.
1338505 3-Major   Qkview is not collecting log data from kubernetes pods
1332293 3-Major BT1332293 Tcpdump performed with an interface filter on VELOS or rSeries will show broadcast traffic from all interfaces
1329797 3-Major BT1329797 RADIUS user logs in through the WebUI without configuring the F5-F5OS-UID, will be disconnected after 10 minutes
1329449-1 3-Major   Missing days-valid, store, and key type logging items of a certificate
1329021-2 3-Major BT1329021 Display order of interfaces/portgroups in ConfD CLI are not in numerical order
1327689 3-Major   Manually remove root and user keys before entering Appliance Mode
1326125 3-Major BT1326125 RADIUS authentication fails if F5-F5OS-HOMEDIR attribute is not specified
1324269 3-Major   LCD "System - Power On" option may not be available immediately after system is powered off
1324257 3-Major   4600 does not boot up after a shutdown
1322685 3-Major BT1322685 Tcpdump sessions are terminated when interfaces are enabled or disabled.
1316097-4 3-Major BT1316097 LAGs not programmed when adding VLAN to LAG
1307577-2 3-Major BT1307577 Add more resilience to the file download API
1307565-2 3-Major BT1307565 The file download API is not working with the x-auth-token header
1306233 3-Major   Low mixed IPv4/IPv6 performance
1305005 3-Major BT1305005 Error handling in F5OS file-download API
1304085-1 3-Major BT1304085 Unable to set local user's password if the same user exists on a remote LDAP server
1294561 3-Major BT1294561 When OCSP is disabled, configurations are not accurately shown outside of 'config' mode
1293249 3-Major BT1293249 AAA server group Port and Type are not displayed on ConfD
1291513 3-Major BT1291513 Some log messages/timestamps do not observe configured timezone
1289861 3-Major   Ability to suppress the proceed warning generated when portgroup mode is changed
1288897-2 3-Major BT1288897 Allowed IP rule name, which contains all underscores, will be deleted while upgrading to F5OS-A 1.7.0 and later versions
1287245-2 3-Major BT1287245 DAGD component crashes during live upgrade or downgrade
1286153 3-Major   Error logs while generating the qkview
1282185-2 3-Major BT1282185 Unable to restore backup file containing expired TLS certificate
1277429-1 3-Major   Operational and Configurational prompts do not persist through user sessions
1270309 3-Major BT1270309 Audit.log may log incorrect username initially for users logging into the CLI, remotely-authenticated users may see hostname in prompt reported as "appliance-1", and remotely-authenticated LDAP users may experience lengthy delays when authenticating
1268433 3-Major BT1268433 Some firewall rules do not generate denial logs
1251957 3-Major   SNMP OIDs to monitor serial number of the device, type of hardware and hostname
1251161-2 3-Major BT1251161 Authentication fails via the webUI when “:” is at the end or beginning of the password
1250925 3-Major BT1250925 Alarm for AOM fault due to "LOP Runtime fault detected: lop:nc-si-rmii:failure"
1238245 3-Major   Prevent system upgrade during firmware update
1211233-4 3-Major BT1211233 F5OS dashboard in webUI displays the system root file system usage, not the entire disk
1205409 3-Major BT1205409 Cannot export or download files from diags/shared/tcpdump path
1196417 3-Major BT1196417 First time user SSH session is getting closed after password change
1188825 3-Major   New role named "user" with read-only access to non-sensitive system level data
1188069 3-Major BT1188069 F5OS installer does not indicate progress or completion state
1185805-1 3-Major BT1185805 The "test media" option during USB install may be interrupted by the hardware watchdog
1162341 3-Major BT1162341 Front panel interface status is not reported in alarms or events
1145049 3-Major BT1145049 K3s cluster deployment sequence is modified to avoid pods entering into UNKNOWN state
1140577 3-Major   config-restore will cause a reboot if the portgroup configuration changes
1136557 3-Major   F5OS config restore fails if .iso or components vary between two devices.
1135021 3-Major   F5OS config-restore with an incorrect primary-key does not produce a warning
1124853-1 3-Major BT1124853 Backup and restore fails when port-profile is mismatched
1124809 3-Major   Add or improve the reporting status of imported images
1008701-1 3-Major BT1008701 Using curl to access 'scp:' URIs on the partition management IP does not work
1505293-1 4-Minor BT1505293 Partition image removal message is truncated
1441425 4-Minor BT1441425 The rSeries appliance log shows "PSU voltage out value < lower limit, value=0".
1411101 4-Minor BT1411101 "Error pf_nic_get_media" failed error for ports with or without SFP connected
1401965-1 4-Minor BT1401965 Copying BIG-IP ISO to /var/import/staging/, leaves ISO loopback mounted
1399929-1 4-Minor BT1399929 F5OS permits user to configure non-existent ethernet interface
1349001 4-Minor BT1349001 F5OS VELOS is polled as Unix device by SNMP using BMC Discovery
1330429 4-Minor BT1330429 Port Mappings screen on webUI displays "GB" for bandwidth instead of "Gb"
1322921 4-Minor   FEC configuration support for 25G interfaces on r2000/r4000
1297349 4-Minor   Tightening controls on uploading files to F5OS
1147673 4-Minor   Downloading QKViews directly from the System Reports screen.
1128633-3 4-Minor BT1128633 Failed upload entries displayed under CLI file transfer-operations
1121921 4-Minor BT1121921 Common name for setup-wizard tool across platforms
1057401 4-Minor   CVE-2018-16402 libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service or possibly have unspecified other impact
1284389 5-Cosmetic   Show system health reports unhealthy during bootup

 

Cumulative fix details for F5OS-A v1.8.0 that are included in this release

1671517 : WebUI Dashboard Memory & Storage Statistics are inaccurate and misleading

Component: F5OS-A

Symptoms:
The webUI Dashboard for rSeries and VELOS devices provides inaccurate details about memory and storage utilization for the device.

Conditions:
Any device that is running a F5OS version older than v1.8.0.

Impact:
Graphical representation on the webUI Dashboard for memory and storage utilization for the device is inaccurate.

Workaround:
Upgrading a device to F5OS v1.8 or greater resolves the issues.

Fix:
ID1233865 and ID1211233-4 both address the underlying issues of inaccurate storage and memory utilization reporting for the platforms. They have both been fixed for F5OS v1.8.0 in addition to ID1671517 that corresponds to the associated webUI changes and improvements.


1637529 : RSeries ATSE v72.41.5.00 firmware

Component: F5OS-A

Symptoms:
RSeries ATSE v72.41.5.00 firmware

Conditions:
RSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes ATSE/BE2 interface stability issues. See ID1596625 for more information.


1637525 : RSeries ATSE v72.5.5.00 firmware

Component: F5OS-A

Symptoms:
RSeries ATSE v72.5.5.00 firmware

Conditions:
RSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes ATSE/BE2 interface stability issues. See ID1596625 for more information.


1624629 : F5OS A-1.8.0 upgrade takes up to 10 additional minutes to complete

Component: F5OS-A

Symptoms:
F5OS-A implemented a controlled firmware upgrade process: while the firmware upgrade is in progress, service bring-up is kept on hold. This mechanism helps stabilize the upgrade process. As a result, the upgrade time increases by up to 10 minutes when the firmware versions change. The time varies depending on the platform and the type of firmware versions that changed.

Conditions:
New firmware versions are packaged in the ISO that is being upgraded to.

Impact:
No functional impact. Upgrade takes more time but improves the upgrade experience.

Workaround:
None


1620513 : CVE-2024-38477 httpd: NULL pointer dereference in mod_proxy

Links to More Info: K000140784


1617125 : Production license manual activation failed on F5OS-A 1.7.0

Links to More Info: BT1617125

Component: F5OS-A

Symptoms:
A new EVAL/PROD license manual activation attempt will fail in F5OS-A 1.7.0. This issue only applies to F5OS-A 1.7.0.

Conditions:
The manual license activation with a new EVAL/PROD license key.

Impact:
License activation using the manual install process will not work.

Workaround:
None

Fix:
Fixed the dossier locking fields used in EVAL/PROD license keys in the F5 License server. There are no software changes associated with this fix.

This issue was fixed in F5 License server in F5OS-A 1.7.0 and is not applicable to F5OS-A 1.8.0.


1615969-1 : Tenant operational data is not getting updated properly after upgrade

Component: F5OS-A

Symptoms:
Tenant pods are up and running but not all details are updated.
Intermittently, after an upgrade to F5OS-A 1.8.0, tenant operational data in ConfD is not updated.

Conditions:
Occasionally, the tenant's operational data is not completely updated.

Impact:
Intermittently, operational data for the tenant is not updated properly after the system upgrades to F5OS-A 1.8.0.

Workaround:
Toggle tenant running-state to configured and deployed, then verify the tenant details again.

Fix:
Handled tenant operational map data updates properly.


1615917-4 : L2_agent crashed due to SNMP

Component: F5OS-A

Symptoms:
After upgrading system to 1.8.0, L2-agent crashes.

Conditions:
1. Create a system with an older version (earlier than 1.8.0)
2. Configure SNMP
3. Upgrade system to 1.8.0 version
4. L2-agent will start crashing.

Impact:
L2-agent crashes and you are unable to do get/set operations for interfaces using ConfD interfaces.

Workaround:
None

Fix:
Fixed an issue causing l2-agent to crash after upgrade.


1614821-5 : CVE-2024-3596 - Blast-RADIUS

Links to More Info: K000141008


1614429 : iHealth upload is failing with error "certificate signed by unknown authority"

Links to More Info: K000140362, BT1614429

Component: F5OS-A

Symptoms:
When attempting to use the QKView upload feature, the upload may fail with the message "certificate signed by unknown authority". This is due to a recent change in certificate authority that is inconsistent between F5OS and iHealth.

Conditions:
Always, after mid-July 2024.

Impact:
Unable to upload QKView files to iHealth with a single click.

Workaround:
You can use the File Export feature to download QKView files, and then upload these files to iHealth.

You can find the QKView files in the GUI at System Settings > File Utilities, then choose "diags/shared" as the base directory, then select "qkview".

Fix:
Certificate authorities used by the iHealth upload feature in F5OS will be updated.


1612405-1 : LACP status shows UP in BIG-IP tenant even if it's down on F5OS.

Links to More Info: BT1612405

Component: F5OS-A

Symptoms:
LACP Trunk is UP in BIG-IP tenant even when it’s DOWN on F5OS.

Conditions:
Condition 1:
1. Set up an rSeries or VELOS system.
2. Configure LACP LAG with interfaces operationally down.
3. Make sure LACP Trunk is DOWN on F5OS.
4. Upgrade the software.
5. Launch a BIG-IP tenant.
6. Check LACP trunk status inside tenant.

Condition 2:
1. Set up an rSeries or VELOS system.
2. Configure STATIC LAG with interfaces operationally down.
3. Ensure STATIC Trunk is DOWN on F5OS.
4. Launch a BIG-IP tenant.
5. Check the Trunk status inside the tenant. It will be DOWN.
6. Convert LAG type to LACP
7. Check the Trunk status inside the tenant. It will be UP even though it is down on F5OS.

Impact:
LACP Trunk members are shown as working members even though they are DOWN.

Workaround:
Check the interface config. If the admin is disabled, enable it.

Fix:
The status of LACP members is read whenever an LACP member is added as an operational member.


1612217 : A large amount of SPVA DoS allow list entries can overload DMA-Agent causing a tenant to fail to pass traffic

Links to More Info: BT1612217

Component: F5OS-A

Symptoms:
If the DMA-Agent receives a high volume of SPVA allow list entries at once, it may become overwhelmed and stop working. As a result, no traffic will be able to exit the tenant. This can be identified by observing the DMA-Agent using 100% of the CPU.

Conditions:
This is usually seen in configurations where there are many virtual servers configured with a DoS profile that contains an IP-based allow list.

The problem does not arise when VIPs are added individually, but it often happens after TMM is restarted following a tenant reboot.

Impact:
Tenant will fail to pass any traffic on the data-plane.

The TMSTAT sep_stats.tx_send_drops3 will be incremented.

Workaround:
Perform the following on the tenant:
tmsh modify sys db dos.forceswdos value true
tmsh save sys conf

To recover the DMA-Agent in F5OS, set the tenant state to “configured” and then set it back to “deployed”.

Fix:
The DMA-Agent now handles a high volume of SPVA allow list entries.


1603661-1 : SysDescr value returns empty string under SNMPwalk, after performing backup/restore configuration

Component: F5OS-A

Symptoms:
System config backup/restore resets the system database to default. Due to this, the sysDescr in SNMP will also reset to default.

Conditions:
This occurs after performing F5OS system config backup and restore.

Impact:
The sysDescr in SNMPwalk displays the default value.

Workaround:
Restart the snmpd docker service.

Fix:
The SNMP sysDescr is updated to the correct value after F5OS system config backup and restore operation.


1596625-2 : BE2 GCI interface training failures during runtime results in failure to process networking traffic

Links to More Info: BT1596625

Component: F5OS-A

Symptoms:
On particular rSeries appliances, one or more symptoms could occur during normal operation:
-- High availability stops working
-- Inbound traffic stops
-- Platform.log contains 'DM Tx Action ring hung'

This is similar to the symptoms in https://cdn.f5.com/product/bugtracker/ID1580489.html, except that this can be triggered during system operation.

Conditions:
-- rSeries r5000, r10000, or r12000-series appliance

This issue does not affect r2000 or r4000-series appliances.

Impact:
The system stops delivering traffic from front-panel ports to the host, although egress traffic may continue to work. If a LACP LAG is configured, ports will be unable to join the LAG.

Workaround:
There is no workaround for this issue.

If an appliance has already locked up, rebooting it might restore network connectivity.

If your system is running F5OS-A version 1.5.x, F5OS-A-1.5.2-29198.R5R10.EHF-4.iso is an Engineering Hot Fix (EHF) that contains a software fix, and is available at

https://my.f5.com/manage/s/downloads?productFamily=F5OS&productLine=F5OS_Appliance_Software&version=1.5.2&container=1.5.2-EHF

Fix:
New FPGA bitstreams stabilize the interface between the ATSE and BE2 chip.


1596149 : Monitor rSeries ATSE to BE2 links and Raise Alarms in the Event of Failures

Component: F5OS-A

Symptoms:
Monitor rSeries ATSE to BE2 links and Raise Alarms in the Event of Failures

Conditions:
F5 rSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
In cases where errors are detected between the ATSE and BE2 links, alarms and events will be reported.

Workaround:
Not applicable.

Fix:
Monitor ATSE to BE2 links and raise alarms and report events when errors are detected.


1593385-3 : F5OS Tenant Throughput (bits/packets) and TMM CPU usage higher than expected until VLAN is added or removed

Links to More Info: BT1593385

Component: F5OS-A

Symptoms:
Higher CPU usage and throughput from the tenant than expected. Traffic being directed to a single blade in a multi-blade system.

Conditions:
Repeated deletes/adds of a VLAN from/to a tenant. After approximately 130 deletes, the issue occurs.

Impact:
Traffic imbalance, higher than normal CPU usage.

Workaround:
Re-add the recently deleted VLAN to the tenant.

Fix:
Properly clean up internal storage when a VLAN is deleted from a tenant.


1591645-1 : EPVA related dma-agent crash

Links to More Info: BT1591645

Component: F5OS-A

Symptoms:
A dma-agent seg_fault occurs when there is a conflict between special EPVA allow-list entries.

Conditions:
A conflict between two entries on the allow-list triggers a code path in the dma-agent, resulting in a seg_fault.

Impact:
Traffic loss as the dma-agent needs to be restarted by its watchdog/start up script. Tenants need to re-register with the datapath.

Workaround:
None

Fix:
This issue has been fixed by setting a THREAD local variable in the epva_tbl_mgmt thread, preventing a seg_fault when the edge case method is triggered.


1591553-1 : Including /etc/resolv.conf and /etc/hosts files in QKView capture

Links to More Info: BT1591553

Component: F5OS-A

Symptoms:
The /etc/resolv.conf and /etc/hosts files are included to check the configured parameters in host QKView from the affected device.

Conditions:
QKView capture in F5OS-A 1.7.0 and lower versions does not include the /etc/resolv.conf and /etc/hosts files.

Impact:
The /etc/resolv.conf and /etc/hosts files are not captured in F5OS-A 1.7.0 and lower versions.

Workaround:
None

Fix:
The /etc/resolv.conf and /etc/hosts files are included in QKView capture as part of F5OS-A 1.8.0 release.


1590173 : K3s server crashes and restarts due to high CPU activity

Component: F5OS-A

Symptoms:
K3s crashes and restarts due to high CPU load on r2000 platform.

Conditions:
On the r2000 platform, both F5OS and Tenants utilize the same CPUs. However, if the Tenants use a higher percentage of the CPU share, it impacts the K3s server.

Impact:
Tenants will restart when the K3s server restarts.

Workaround:
None

Fix:
It is not advisable to use the r2000 platform with a CPU usage of 90% or higher.


1588961 : Observing "Failed to find the service account - robottpobdefault" or "Creating SA robottpobdefaultfailed" log messages in platform.log

Component: F5OS-A

Symptoms:
Intermittently, you may see log messages saying "Failed to find the service account - robottpobdefault" or "Creating SA robottpobdefaultfailed" in platform.log. This occurs when K3S is down or unreachable, the API-Server is slow or busy, or SSH to the host has failed.

Conditions:
When K3S is down or unreachable, the API-Server is slow or busy, or SSH to the host has failed, you may see log messages like "Failed to find the service account - robottpobdefault" or "Creating SA robottpobdefaultfailed" in platform.log.

Impact:
There is no functional impact, as the service account is already present, but you are unable to check the status of the service account.

Workaround:
None

Fix:
Removed an excessive log message that occurs while k3s is restarting.


1588093 : Forwarding host log files to remote targets

Links to More Info: BT1588093

Component: F5OS-A

Symptoms:
/var/log/messages grows quickly and consumes the disk space, making the box unusable.

Conditions:
Having /var/log/messages as a host-logs files entry to forward the file lines to a remote destination.

Impact:
When syslog generated files are configured to be forwarded as files, forwarding efficiency can be affected compared to utilizing selectors.

The /var/log/messages being in this list can lead to a cyclical logging issue, where the disk space is consumed faster than the logs can be rotated out, potentially resulting in a full disk.

Workaround:
Use selectors instead for any file that is syslog generated.

The host-logs files configuration is meant for text files that cannot be forwarded through selectors configuration.

Fix:
To prevent filling the disk, files that are forwarded out line by line are not processed locally. This prevents having entries in /var/log/messages.


1587925 : Modifying a RADIUS server from the web UI requires the Secret to be configured or re-entered

Component: F5OS-A

Symptoms:
Modifying a RADIUS server from the webUI always requires the Secret to be configured or re-entered.

Conditions:
Modifying a RADIUS server from the webUI.

Impact:
It requires the Secret to be entered, even if it is already configured.

Workaround:
If secret configuration is not required, edit the RADIUS server from the CLI.

Fix:
Create a RADIUS server and edit it. Editing the port or timeout fields no longer requires the Secret to enable saving.


1585853-2 : Telemetry streaming pauses if mgmt-ip gets updated

Links to More Info: BT1585853

Component: F5OS-A

Symptoms:
Telemetry streaming to an external OTEL server is paused for some time if mgmt-ip of the F5OS device is updated.

Conditions:
A telemetry exporter is configured to receive data, and the mgmt-ip of the F5OS device is updated at a later time.

Impact:
The external server won’t receive the telemetry data for some time after updating mgmt-ip.

Workaround:
Disable and enable the exporters from ConfD using the commands below to re-establish the connection after updating mgmt-ip.

system telemetry exporters exporter <exporter-name> config disabled

system telemetry exporters exporter <exporter-name> config enabled

Fix:
Updated the otel-collector service in F5OS to re-establish the connection with the external server in the event of a lost connection caused by mgmt-ip updates.


1585765 : Error message IDs for appliance-orchestration-manager are incorrect

Links to More Info: BT1585765

Component: F5OS-A

Symptoms:
The error message IDs found on a running system differ from the error message IDs found in the F5OS error catalog.

Conditions:
No specific conditions in the configuration of the system caused this issue.

Impact:
Makes it difficult to find the right information in the F5OS error catalog.

Workaround:
None

Fix:
This issue has been fixed and the error IDs now have the correct values in both the running system and the F5OS error catalog.


1585749 : Including lspci commands in QKView capture

Links to More Info: BT1585749

Component: F5OS-A

Symptoms:
The lspci command helps in analyzing the system's faults by evaluating PCI busses. This command is not captured in the QKView file.

Conditions:
Running QKView.

Impact:
The lspci command output is not included in the QKView.

Workaround:
None

Fix:
The lspci command is added in QKView capture.


1585001-1 : Radius authentication does not work when the shared secret key in the radius configuration is more than or equal to 32 characters

Links to More Info: BT1585001

Component: F5OS-A

Symptoms:
Authentication of remote RADIUS users fails when the RADIUS shared secret has more than 31 characters.

Conditions:
The RADIUS shared secret has more than 31 characters.

Impact:
Remote RADIUS users will not be able to access the system.

Workaround:
Log into the system as an admin and change the RADIUS 'secret' field to have 31 or fewer characters.

system aaa server-groups server-group <server-group-name> servers server <server-address> radius config secret-key <number-of-characters-should-be<=31>

Then commit the changes.

Fix:
When the RADIUS secret key is longer than 31 characters, the RADIUS users will not have access to the system.


1583233 : The 'show portgroups' command may not display DDM statistics, or may display stale/out-of-date DDM statistics

Links to More Info: BT1583233

Component: F5OS-A

Symptoms:
An F5OS system (rSeries appliance or VELOS partition) may display stale/out-of-date DDM statistics or no DDM statistics if there are interfaces in the system that do not have SFP modules inserted.

Conditions:
- r5000, r10000, or r12000-series appliance
- VELOS partition
- Previous interfaces in the system that do not have an SFP module inserted.

Impact:
System does not report correct DDM statistics in 'show portgroups' command output.

Workaround:
Run the ‘show portgroups’ command for each interface that has an SFP module inserted, that is, ‘show portgroups portgroup 5’.

Fix:
Fixed the display issue in ‘show portgroups portgroup state ddm data’.


1582817-1 : Unable to add rSeries device IP to 'known-hosts' file

Component: F5OS-A

Symptoms:
Trying to add an rSeries device's IP to a 'known-hosts' file using the CLI command 'file known-hosts known-host' fails.

Conditions:
If the remote host is running F5OS-A-1.8.0, then adding that device's IP to the 'known-hosts' file using the CLI command 'file known-hosts known-host' fails.

Impact:
File export/import to a remote rSeries device from a local rSeries device using secure mode will fail.

Workaround:
File export/import to a remote rSeries device from a local rSeries device can be done using another supported protocol, such as HTTPS.


1582553 : The 'components component state' data is not displayed in ConfD.

Links to More Info: BT1582553

Component: F5OS-A

Symptoms:
- No data will be displayed as part of “show components component” in ConfD.
- In the absence of component platform information, GUI features default to r5xxx platform, leading to some functional issues for other platforms.

Conditions:
Intermittently occurs when initializing the state data.

Impact:
You cannot view the hardware information, which is updated under “show components component”.

GUI functional issues for other platforms:
For r10xxx - Raid Configuration will not be visible.
For r4xxx/r2xxx - Port Groups may not function as expected. STP screens and Port Mappings will show up, which are not applicable to the platform and will be non-functional.

Workaround:
Log into the appliance as root and restart the platform-mgr docker container:

docker restart platform-mgr

Fix:
The functionalities disrupted on the GUI can be accessed via the CLI.


1580489 : BE2 GCI interface training issue results in failure to process networking traffic

Links to More Info: BT1580489

Component: F5OS-A

Symptoms:
Some particular rSeries systems fail to process networking traffic due to the BE2 GCI interfaces not training properly, resulting in an FPGA datapath lockup.

One potential indication of this is the DMA agent detecting a DM Tx Action ring hang, which can be observed in velos.log / platform.log:

dma-agent[13]: priority="Alert" version=1.0 msgid=0x4201000000000130 msg="Health monitor detected DM Tx Action ring hung." ATSE=0 DM=0 OQS=3

Conditions:
rSeries r5000, r10000, or r12000-series appliance

This issue does not affect r2000 or r4000 series appliances.

Impact:
The system stops delivering traffic from front-panel ports to the host, although egress traffic may continue to work. If an LACP LAG is configured, ports will be unable to join the LAG.

Workaround:
None, and F5 continues tracking the BE2 issue via ID1596625.

Fix:
During system startup, FPGA manager now ensures that the BE2 GCI interfaces are brought up and trained properly.
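The 'DM Tx Action ring hung' alert quoted above (and named in ID1596625) can be searched for in a collected platform.log. The following is an added example, not F5 code: it parses the key=value layout of the quoted line and counts hang alerts per ATSE/DM/OQS. Only the first sample line comes from this page; the other lines, the function names and the assumption that every line follows this layout are constructed for illustration.

```python
import re
from collections import Counter

# "process[pid]:" tag; a timestamp and hostname may precede it in a real log.
TAG_RE = re.compile(r'(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s+(?P<body>.*)$')
# key="quoted value" or key=bare_token, as in the line quoted in the release note.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

HANG_TEXT = "DM Tx Action ring hung"  # text quoted under ID1580489 and ID1596625

# Line 1 is the line quoted on the page; lines 2-6 are constructed for this example.
SAMPLE_LOG = '''\
dma-agent[13]: priority="Alert" version=1.0 msgid=0x4201000000000130 msg="Health monitor detected DM Tx Action ring hung." ATSE=0 DM=0 OQS=3
appliance-1 dma-agent[13]: priority="Alert" version=1.0 msgid=0x4201000000000130 msg="Health monitor detected DM Tx Action ring hung." ATSE=0 DM=1 OQS=3
appliance-1 dma-agent[13]: priority="Alert" version=1.0 msgid=0x4201000000000130 msg="Health monitor detected DM Tx Action ring hung." ATSE=0 DM=1 OQS=3
appliance-1 nic-manager[1]: priority="Info" version=1.0 msg="Updating interface link state"
appliance-1 example-daemon[7]: priority="Info" version=1.0 msg="text that mentions DM Tx Action ring hung in passing"
not a structured log line
'''


def parse_line(line):
    """Return {'proc', 'pid', 'fields'} for one log line, or None if it has no tag."""
    m = TAG_RE.search(line.strip())
    if m is None:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group("body")):
        # Keep the first occurrence of a key; later repeats are ignored.
        fields.setdefault(key, quoted or bare)
    return {"proc": m.group("proc"), "pid": int(m.group("pid")), "fields": fields}


def to_int(value):
    """Convert a numeric field to int; missing or non-numeric values become None."""
    return int(value) if value is not None and value.isdigit() else None


def find_ring_hangs(lines):
    """Return one record per dma-agent line whose msg contains the hang text."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_line(line)
        # Require the dma-agent process so unrelated text matches are not counted.
        if rec is None or rec["proc"] != "dma-agent":
            continue
        fields = rec["fields"]
        if HANG_TEXT not in fields.get("msg", ""):
            continue
        hits.append({
            "line": lineno,
            "priority": fields.get("priority"),
            "msgid": fields.get("msgid"),
            "atse": to_int(fields.get("ATSE")),
            "dm": to_int(fields.get("DM")),
            "oqs": to_int(fields.get("OQS")),
        })
    return hits


def summarize(hits):
    """Count hang alerts per (ATSE, DM, OQS) tuple."""
    return Counter((h["atse"], h["dm"], h["oqs"]) for h in hits)


if __name__ == "__main__":
    found = find_ring_hangs(SAMPLE_LOG.splitlines())
    for (atse, dm, oqs), count in sorted(summarize(found).items()):
        print(f"ATSE={atse} DM={dm} OQS={oqs}: {count} hang alert(s)")
```

To run it against a real file, pass the lines of a collected platform.log to find_ring_hangs in place of SAMPLE_LOG.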


1580165 : Removing a failed patch ISO can remove base services imported from a different ISO

Component: F5OS-A

Symptoms:
Removing a failed patch ISO also removes the base services ISO imported by another ISO. Further upgrade will fail even though importing the patch version is successful. You may observe the below log.

appliance-1(config)# system image check-version iso-version 1.5.2-21056
response Compatibility verification succeeded.

Conditions:
-- Base services are already imported by another ISO.
-- Same version patch ISO import failed.
-- Delete the failed patch ISO.

Impact:
Upgrade to a new successful import of patch ISO of the same version will fail.

Workaround:
Rebooting the device will resolve the issue.

Fix:
While removing the failed patch ISO, added a check that if the base services are imported by another ISO, do not delete the base services ISO.


1579289 : Empty log message when interface changes state

Links to More Info: BT1579289

Component: F5OS-A

Symptoms:
An empty log message is logged:
appliance-1 nic-manager[1]: priority="Info" version=1.0 <msgid=> msg="Updating interface link state" <ifname=> <state=>. >>>>

The empty log message is reported after an interface oper-status changes from either UP/DOWN or DOWN/UP state.

Conditions:
An interface is enabled or disabled in F5OS

Impact:
The log message does not report which interface's state changed.

Workaround:
None

Fix:
With the appropriate fix, the empty log is no longer reported.


1577049 : CVE-2024-1086 - Linux kernel vulnerability

Links to More Info: K000139430


1576141 : K3S installation fails if /var/log/appliance.log is not present

Links to More Info: BT1576141

Component: F5OS-A

Symptoms:
K3S cluster installation fails.

Conditions:
/var/log/appliance.log is deleted and recreated as a directory.

Impact:
K3s cluster installation fails.

Workaround:
Delete /var/log/appliance.log and create it as a file.

Fix:
Added code to verify that /var/log/appliance.log is present during K3s installation.


1575925-1 : Running 'show system aaa primary-key state status' while a key migration is in progress can cause key migration errors

Component: F5OS-A

Symptoms:
If a key migration is in progress (initiated via the ConfD action 'system aaa primary-key set'), and while it is in progress the status of the key migration is checked ('show system aaa primary-key state status'), this can intermittently cause the key migration to fail. Under these conditions, future attempts to 'show' this area of state will also return 'application communication failure'.

Conditions:
1. A ConfD primary key migration is initiated on a VELOS Controller or Appliance system.
2. While the key migration is in progress, the status of the migration is checked.

Impact:
Key migration fails, leaving encrypted ConfD elements in a corrupted state. Furthermore, all operational data callbacks for the 'system aaa primary-key' schema tree will fail indefinitely with 'application communication error'.

Workaround:
To work around this issue, reboot the affected controller(s) or appliance. After the reboot, the user may re-attempt the key migration.

Fix:
Fixed issue where checking status of key migration could cause the migration to fail.


1575417 : Platform-diag-agent memory leak

Component: F5OS-A

Symptoms:
Memory usage for the "platform-diag-agent" process may steadily increase over time.

Conditions:
This can happen when frequently requesting “system health components” from ConfD.

Impact:
The system may eventually run out of memory and affect all services on the system.

Workaround:
None

Fix:
Memory leak fixed. Consider reducing the request frequency. The system can also be rebooted to temporarily restore memory usage to normal levels.


1573493 : Qkview does not collect the files gid-map.txt, /etc/libnss-udr/passwd, or /etc/libnss-udr/group

Component: F5OS-A

Symptoms:
When a QKView is collected, the files gid-map.txt, /etc/libnss-udr/passwd, and /etc/libnss-udr/group are not present in the QKView.

Conditions:
A qkview is collected.

Impact:
It may not be possible to troubleshoot certain issues related to authentication.

Workaround:
None

Fix:
The files gid-map.txt, /etc/libnss-udr/passwd, and /etc/libnss-udr/group have been added to QKView collection. Whenever a QKView is collected, these files are present.


1572929 : Changing remote authentication methods from RADIUS/TACACS to LDAP may break remote-gid functionality.

Links to More Info: BT1572929

Component: F5OS-A

Symptoms:
If RADIUS or TACACS are utilized for authentication, the user’s ‘passwd’ details will be saved in /etc/libnss-udr/passwd. However, if the user switches to LDAP authentication and disables the previous method, their entry may not be removed from /etc/libnss-udr/passwd.

If a user is using GID remapping (by configuring remote-gid), the authentication will fail, at least when logging into the CLI.

Conditions:
- Enable RADIUS authentication and log into the system as a remote RADIUS-defined user.
- Change the authentication method to LDAP and disable RADIUS authentication.
- Configure remote-gid functionality for an LDAP-defined user. This LDAP-defined user should have the same name as the RADIUS-defined user.
- Log into the system as that remote LDAP-defined user.

Impact:
The authentication will fail for the LDAP-defined user. An error message will appear such as: “No valid role group found in user groups: 9002 123 5340”.

Workaround:
Log into the system as a ‘root’ user and clear the information in /etc/libnss-udr/passwd.

Fix:
The remote-gid functionality will no longer be affected by changing authentication methods from RADIUS/TACACS to LDAP. LDAP users with valid credentials will be allowed in.


1572597 : System loses its mgmt-ip address after switching between static and dynamic allocation (DHCP) of IP and rebooting

Component: F5OS-A

Symptoms:
Device not reachable on static IP when DHCP is disabled.

Conditions:
1. Configure static IP and enable DHCP.
2. Disable DHCP and reboot the device.
3. Device is not reachable on static IP.

Impact:
Device connectivity.

Workaround:
Static IP needs to be configured through console.

Fix:
Fixed code to persist static IP.


1572493 : LAG Trunk Configuration is Missing Inside of Tenant

Links to More Info: BT1572493

Component: F5OS-A

Symptoms:
When creating a LACP LAG or Static LAG, the LAG and its members will show as up on the F5OS and switch side (Arista and Cisco). However, on the tenant, tmsh will show that neither the trunk nor trunk members are present:
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net trunk
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#

Conditions:
BIG-IP tenant on F5OS system

Impact:
The trunk information will not be visible in the tenant.

- On high-end rSeries appliances (r5000, r10000, and r12000-series systems) and VELOS tenants, traffic will still work.

- On low-end rSeries appliances (r2000 and r4000-series systems), traffic will not flow.

Workaround:
NA


1572489 : Allowed valid usernames on F5OS.

Component: F5OS-A

Symptoms:
User accounts can be created using usernames that are entirely numeric. However, usernames that start with a dash ‘-’, contain “.”, “..”, or any other invalid or illegal characters will not function properly or are non-functional.

Conditions:
While creating a new user on the system with an invalid or illegal username.

Impact:
Non-functional user entries will be created and user functionalities like set-password, change-password, and so on won’t be working as expected.

Workaround:
None

Fix:
Fix is provided to prevent using invalid usernames during the creation of user accounts. This ensures that usernames that are considered illegal or unacceptable by the system cannot be used.


1572137-2 : Upload/Download API should work with '/api' and '/restconf'

Links to More Info: BT1572137

Component: F5OS-A

Symptoms:
Upload/Download is not working with '/api' endpoint.

Conditions:
Use '/api' endpoint to upload/download a file.

Impact:
Fails to Upload/Download a file.

Workaround:
None

Fix:
Fixed an issue occurring with the Upload/Download API.


1572041 : AOM SSH password requirements are not working

Component: F5OS-A

Symptoms:
AOM SSH user password requirements are not consistent.

Conditions:
Setting up AOM SSH user and password.

Impact:
Password requirements may not be clear or consistent.

Workaround:
None

Fix:
AOM SSH password requirements have been updated to match documentation. Now, when trying to enter a password, requirements are clearly shown. Ex: Value for 'password' (<string, min: 8 chars, max: 16 chars>):


1566925 : Remove unhelpful troubleshooting files from QKView

Links to More Info: BT1566925

Component: F5OS-A

Symptoms:
Creating a QKView on an F5OS host appears to make a non-sparse copy of /var/log/lastlog.
This file is a sparse file and, depending on factors, can have a really large file size, though actual consumed disk blocks remain quite low.

Conditions:
Creating a QKView file on F5OS.

Impact:
Disk space is exhausted, which causes K3s to reap pods to free up ephemeral storage, including killing a running tenant.

Workaround:
Remove the files.

Fix:
None
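The gap between apparent size and consumed disk blocks described for /var/log/lastlog can be measured before a file is copied or archived. The following is an added example, not F5 code: it builds a lastlog-like sparse file in a temporary directory, reports both sizes, and lists sparse files under a directory. The function names, the 292-byte record size (the usual x86_64 Linux lastlog record) and the 10x ratio threshold are assumptions, and it needs a filesystem that supports sparse files.

```python
import os
import tempfile

BLOCK = 512  # st_blocks is reported in 512-byte units on Linux


def size_report(path):
    """Return apparent size (st_size) and allocated size (st_blocks * 512)."""
    st = os.stat(path)
    allocated = st.st_blocks * BLOCK
    return {"path": path, "apparent": st.st_size, "allocated": allocated,
            "sparse": allocated < st.st_size}


def make_lastlog_like(path, uid, record_size=292):
    """Write one record at offset uid * record_size, leaving a hole before it.

    lastlog is indexed by UID, so one login by a high-UID account makes the
    apparent size large while only the written record consumes blocks.
    """
    with open(path, "wb") as fh:
        fh.seek(uid * record_size)
        fh.write(b"\x01" * record_size)


def naive_copy(src, dst, chunk=1 << 20):
    """Read/write copy: holes are read back as zeros and written as real data."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            buf = fin.read(chunk)
            if not buf:
                break
            fout.write(buf)
        fout.flush()
        os.fsync(fout.fileno())


def find_sparse(root, min_ratio=10):
    """List regular files whose apparent size is at least min_ratio times the
    allocated size, which are the files that grow most when copied non-sparsely."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rep = size_report(path)
            if rep["apparent"] >= min_ratio * max(rep["allocated"], BLOCK):
                found.append(rep)
    return found


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "lastlog")        # constructed sample file
        make_lastlog_like(original, uid=30000)
        report = size_report(original)
        print("original:", report["apparent"], "apparent,", report["allocated"], "allocated")

        copy_dir = os.path.join(tmp, "copy")
        os.mkdir(copy_dir)
        copied = os.path.join(copy_dir, "lastlog")
        naive_copy(original, copied)
        report = size_report(copied)
        print("naive copy:", report["apparent"], "apparent,", report["allocated"], "allocated")

        for rep in find_sparse(tmp):
            print("sparse:", rep["path"])
```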


1566569-1 : Unable to access rSeries system from 172.17.0.0/16 IP subnet

Links to More Info: BT1566569

Component: F5OS-A

Symptoms:
Unable to access the rSeries system from client or server systems in the 172.17.0.0/16 IP subnet

Conditions:
-- r5000-series, r10000-series, or r12000-series appliance

Impact:
Unable to access the rSeries system from client or server systems in the 172.17.0.0/16 IP subnet

Workaround:
To work around this issue, do the following:

1. Log into the system as root
2. If running F5OS-A 1.7.0, edit /var/docker/config/platform.yml. If running F5OS-A 1.5.2, edit /var/docker/config/platform.patch.yml.
3. In the specified file, locate the section for "selinux_labeler", and add a line under it that reads 'network_mode: "none"'. The indentation of this line must match exactly the indentation of the "container_name" and "image" lines.

For example:
  selinux_labeler:
    container_name: selinux_labeler
    network_mode: "none"
    image: ${...
    ...

4. Reboot the system.
5. Once the system is rebooted, log into the system as root, and run "docker network rm config_default"


1560533-1 : Inconsistent case values (upper and lower case) for different F5OS-C SNMP OIDs

Links to More Info: BT1560533

Component: F5OS-A

Symptoms:
In core alert events, the alertSource in the SNMP alert contains the text Controller, starting with an uppercase C instead of lowercase.
Similarly, core alert events generated on a blade contain Blade instead of blade.

Conditions:
A process crash generates a core file and SNMP alerts are enabled.

Impact:
Tools processing SNMP alerts might get affected if tooling is case-sensitive.

Workaround:
None

Fix:
Fixed the alertSource text for SNMP core alert events to send lowercase.
Tools that were modified to read the alertSource of SNMP core alert events must be updated to match the correction.


1558797 : BMC self health test falsely logged as failed

Links to More Info: BT1558797

Component: F5OS-A

Symptoms:
The BMC self health test is randomly logged as having failed:

appliance-1 alert-service[8]: priority="Notice" version=1.0 msgid=0x2201000000000029 msg="Received event." event="65543 appliance aom-fault EVENT NA "Bmc Health Self test failed: Device-specific 'internal' failure." "2024-03-01 14:00:00.918553424 UTC"".

Conditions:
Checking the platform log

Impact:
BMC self health test is falsely logged as failed.

Workaround:
None

Fix:
This issue has been fixed and the BMC self health test no longer falsely logs a failure.


1552945 : Tenant images renamed with bracket are not supported

Links to More Info: BT1552945

Component: F5OS-A

Symptoms:
Live upgrades from prior releases fail for tenants that use images with brackets in their name when going to a version that restricts the tenant image name character set.

Conditions:
Tenants using image filename with brackets won't allow upgrades to releases that validate the image filename character set.

Impact:
The tenant will have to be recreated or upgraded to a version that does not have the validation.

Workaround:
Tenant has to be recreated with the original image that didn't contain brackets.

Fix:
Brackets were included in accepted character set for tenant image filename.


1550413-1 : System events visible in the CLI may not be visible in the GUI

Links to More Info: BT1550413

Component: F5OS-A

Symptoms:
Running "show system events" on the F5OS CLI typically reveals many events that are not visible in the GUI under System Settings > Alarms & Events.

The GUI filters the display of events according to their assigned severity. But since many events are not assigned a severity, such events will be hidden from view.

Conditions:
Events that are not assigned a severity are instead marked "NA". Such events are not visible in the GUI and can only be seen via the CLI or API.

Impact:
The omission of events displayed in the GUI can be misleading. Administrators using the GUI may not be aware of important events that have occurred on the platform.

Workaround:
All system events can be seen by running 'show system events' on the F5OS CLI or by retrieving them via the REST API.

Fix:
On fixed versions, a new option called 'All' has been added to the Severity drop-down selector in the GUI. This displays all events, including ones without a severity assigned.


1549753 : System telemetry exporter send queue and retry settings are causing memory issues

Component: F5OS-A

Symptoms:
Memory issues are seen in the system when the telemetry exporter is not reachable for a long time.

Conditions:
When the exporter is not reachable for a long time.

Impact:
The system can run out of memory.

Workaround:
User can disable the send queue and retry setting using ConfD. For example:

appliance-1(config)# system telemetry exporters exporter <<exporter name>> config options send-queue-enabled false

appliance-1(config)# system telemetry exporters exporter <<exporter name>> config options state options retry-enabled false

Fix:
Send queue and retry settings are removed for telemetry exporters.


1536413 : Allowed-ips allowed-ip <name> is not accepting the '-' in the names

Component: F5OS-A

Symptoms:
Allowed IP profiles were deleted while upgrading to 1.7.0 from lower versions: allowed-ip profile names containing '-' were erased. This is fixed in 1.8.0.

Conditions:
When upgrading to 1.8.0 from lower versions other than 1.7.0, all allowed IP profile names should contain at least one alphanumeric character and should not contain any special characters other than '-', '_' and '.'.

Impact:
Allowed IP profile gets deleted if it is not matching the pattern.

Workaround:
Re-apply the allowed-IP profile configuration without a hyphen '-' in the name.

Fix:
Fixed the schema such that allowed IP profile name accepts the '-' in profile name.


1519869 : BIG-IP tenant reports blank interface

Links to More Info: BT1519869

Component: F5OS-A

Symptoms:
BIG-IP tenant reports a blank ("") interface member in the trunk when removing one or more interfaces from an aggregation.

Conditions:
BIG-IP tenant reports a blank ("") interface member in the trunk when removing one or more interfaces from an aggregation.

Impact:
BIG-IP tenant has an empty member in the trunk.

Workaround:
No workaround.

Fix:
BIG-IP tenant does not report a blank ("") interface member in the trunk when removing one or more interfaces from an aggregation.


1505589-1 : Subject-Alternative-Name (SAN) feature now supports client-side SSL Validation

Links to More Info: K000139300

Component: F5OS-A

Symptoms:
Since no SAN was allowed to be inserted into the http-server’s self-signed certificate, client-side SSL validation was not supported.

This impacts Central Manager's VELOS/rSeries provider. The missing SAN field causes the certificate to be rejected.

Conditions:
Using the default self-signed certificate.

Impact:
Client-side SSL validation is not supported.

Workaround:
To add an SAN, you need to edit the /etc/pki/tls/openssl.cnf file and add it. However, this may not be effective for certain software that does not accurately read the configuration file.

Fix:
A new SAN field has been implemented, which is mandatory, and allows users to enter a value in the field. However, if the value “none” is used, the field can be omitted. Additionally, to allow entry of the SAN, a default tls certificate is created in /etc/auth-config/default/f5os.cert that has the SAN populated with the hostname and management-ip values. In the absence of a user-provided self-signed certificate, the http-server will automatically use the default certificate.


1505293-1 : Partition image removal message is truncated

Links to More Info: BT1505293

Component: F5OS-A

Symptoms:
If a partition is enabled and then disabled while running version "A", then upgraded to version "B", and an attempt to deport partition image "A" fails, the CLI displays truncated error messages.

Conditions:
The partition is upgraded while its state is disabled.

Impact:
Incomplete error messages for the failure reason. The error that is reported is:

"Error: Failed to remove software: 1.5.1-14085, error message: Standby removal failed for following reason: OS version".

Workaround:
None


1498009-1 : Learned L2 entries in data-plane L2 forwarding table may disrupt some traffic flows between tenants

Component: F5OS-A

Symptoms:
While a tenant transitions from active to standby, an egress packet in flight may trigger a L2 learn event in the FPGA data-plane. This can occur for tenants that transmit using a different MAC address while active, such as when MAC masquerading is enabled. If so, a dynamic L2 entry is created from the source MAC address of the egress packet. These dynamic entries also enable the service DAG without setting a service ID, which causes matching packets to be dropped in the VOQ system due to an invalid service DAG lookup result.

This can disrupt egress traffic for another tenant on the same device, attempting to transmit to the destination MAC address that was recently relinquished by the standby tenant. These drops increment the 'ic_voq_drops' counter in the tmctl vqf_global table.

These L2 entries will not be corrected by subsequent L2 learn events for the same MAC address from a different location. Thus, traffic disruption may persist until entries age out.

Conditions:
- MAC masquerade configured on the traffic-group of an HA pair of tenants.

- A failover from tenant A to tenant B.

- Another tenant running alongside tenant 'A' attempts to transmit to the MAC masquerade address that is now owned by tenant 'B'.

Impact:
Traffic disruption from one tenant to another in specific directions.

Workaround:
None

Fix:
L2 entries that are created from host-generated L2 learn events no longer enable the service DAG for matching packets.


1497657 : First SSH login after editing remote RADIUS or TACACS+ user privileges will still apply old privileges

Component: F5OS-A

Symptoms:
The first SSH login after editing role-based privileges for a remote RADIUS or TACACS+ user will still give the user their prior privileges (or, if the user is newly created, login will be rejected with a message saying "This account is currently not available"). Subsequent logins will apply the updated user privileges.

Conditions:
1. RADIUS or TACACS+ Authentication is enabled.
2. A new user is created in one of the above auth systems, or an existing user’s role-based access is modified.
3. The affected user SSHs into F5OS for the first time after the change in step #2.

Impact:
First login to system after creation fails, or first login after modification of user privileges gives the user incorrect privileges.

Workaround:
None

Fix:
Fix issue where first SSH login after editing remote RADIUS or TACACS+ user privileges will still apply old privileges.


1496977 : Remote GID mappings to F5OS roles are disconnected for TACACS+/RADIUS authentication methods.

Links to More Info: BT1496977

Component: F5OS-A

Symptoms:
Remote GID mappings (on a TACACS+ or RADIUS server) to F5OS GIDs/roles are not working correctly. When a remote mapping is configured, access is rejected with a message similar to the following:

[root@system ~]# ssh radius_or_tacacs_user@<F5OS system mgmt IP>
Password:
Last login: <date> from <source IP>
No valid role group found in user groups: '9000'
Connection to <mgmt IP> closed.

Conditions:
A remote GID mapping is configured for a role in F5OS and the authentication method used for remote users is RADIUS or TACACS+.

Impact:
Remote users cannot log in to the system.

Workaround:
Configure remote user's GIDs in a way that they correspond to the GIDs in F5OS for the desired role(s). Then, remove any remote GID mappings in the F5OS configuration.

Fix:
Fixed remote GID mapping to F5OS roles for TACACS+/RADIUS authentication methods.


1496837-1 : User-manager's ConfD socket getting closed.

Links to More Info: BT1496837

Component: F5OS-A

Symptoms:
After repeating the change of network type and device reboot, the device goes into a state where the user-manager is not interacting with ConfD.

Conditions:
- Change the remote GID role and check whether the value is reflected in the '/etc/gid-map.txt' file.
- Switch network type and reboot the device.

Repeat the above process until the '/etc/gid-map.txt' file is no longer updated correctly.

Impact:
Any ConfD configuration change that goes through user-manager fails. This includes any of the user’s password changes, or remote GID changes.

Workaround:
Rebooting the system will get the correct GID value from the ConfD and update the '/etc/gid-map.txt' file.

Fix:
The user-manager has no reason to use NSS to lookup any PW/group info, as it deals exclusively with the local user database.

Additionally, there is a ZMQ service that belongs in authentication-mgr (which understands remote authentication) that is in the user-manager container. It forces user-manager to use an ‘/etc/resolv.conf’ that can reference remote sources.

If the user-manager trips over a lookup that goes to LDAP (usually a local-db miss), it can be very slow and time out. The ConfD->user-manager channel is sensitive to slow responses, and shuts down any subscriber/callpoint handler/daemon that takes over 15 to 30 seconds to respond. When this happens, the user-manager sees an EOF on its ConfD sockets.

This fix forces the user-manager to only lookup on local databases.


1496397-1 : Allowing entry of a Subject-Alternative-Name (SAN) for certificate and CSR creation

Component: F5OS-A

Symptoms:
There is no method available for inputting the SAN field during the creation of certificates or CSR.

Conditions:
While creating a CSR through system aaa tls create-csr in ConfD.

Impact:
The option to include the SAN field in certificates and/or certificate request is not available.

Workaround:
To add a SAN, you need to edit the /etc/pki/tls/openssl.cnf file and add it there. However, this may not be effective for certain software that does not accurately read the configuration file.

Fix:
A new SAN field has been implemented, which is mandatory, and allows users to enter a value in the field. However, if the value “none” is used, the field can be omitted. Additionally, to allow entry of the SAN, a default tls certificate is created in /etc/auth-config/default/f5os.cert that has the SAN populated with the hostname and management-ip values. In the absence of a user-provided self-signed certificate, the http-server will automatically use the default certificate.

As this is a new feature, back-porting to older versions has not been implemented and would be difficult and complex.


1496393 : A key can be created rather than using a stored key for CSR creation

Component: F5OS-A

Symptoms:
When creating a Certificate Request (CSR), a key must be provided. Since a key was provided by the 'store-tls' option for the TLS key, it was assumed that the CSR was intended to be used with that specific key.

Conditions:
Generating a CSR request via system aaa tls create-csr in confd

Impact:
The certificate request (CSR) functionality is not as flexible as it could be (similar to the self-signed certificate, which allows a key to be created). It is complex to create certificate requests where a new key is required.
Additionally, the absence of a stored key meant that no CSR could be produced.

Workaround:
Create a new key, store it in TLS, and run the create-certificate-request.

Fix:
The create-certificate request now allows a key to be created, or, if none exists, it creates one. If no key is requested and one exists, the process will continue as usual, generating a CSR using the pre-existing key. However, if a key is requested (or does not exist), a new one will be created and both the key and CSR will be shown. It is important to note that a CSR without knowing the key is of no use.


1494945 : ConfD Application Error when tenant interface stats are not available

Component: F5OS-A

Symptoms:
When attempting to get tenant interface stats, the system displays "Error: application error".

Conditions:
The creation or modification of tenants may result in inaccurate handling of historical data by the tenant interface-stats logic. This could lead to the display of an “Error: application error” message when queried.

For example:
appliance-1# tenants tenant cbip-tenant-b state interface-stats down-sample-to 10 average 10s-avg
Error: application error

Impact:
Confd reports the error on the command line and logs the error in platform logs.

2024-01-24T20:12:37.123437567Z: [Error]: confd: msg="Action Point reply error" error="confd error: 'Unknown error', last='Invalid confd_vtype value: 0', errno=5"

Workaround:
None

Fix:
The problem has been resolved in more recent versions of F5OS-A. To resolve it, upgrade to a more recent version of F5OS-A. It will resolve once all interfaces are enabled.


1494809 : Allowing user to configure HostKeyAlgorithms parameters

Component: F5OS-A

Symptoms:
A new config CLI (system security services service sshd config host-key-algorithm) is implemented to allow HostKeyAlgorithms configuration.

Conditions:
In non-FIPS mode, this newly implemented CLI can be used to enable or disable the ssh-rsa HostKeyAlgorithm.

Impact:
HostKeyAlgorithm usage was not configurable.

Workaround:
None

Fix:
This is a new CLI that can be used to enable or disable the ssh-rsa HostKeyAlgorithm.


1492621-2 : Config-restore fails when backup file has expiry-status field for admin or root user

Links to More Info: BT1492621

Component: F5OS-A

Symptoms:
For a root or admin user, if the value for Expiry-status in the backup file is not set to enabled, then config-restore fails.

Conditions:
During backup, if the "Expiry-status" value for admin or root user is not set to enabled, then restore fails with the backup.

Impact:
Database config-restore fails.

Workaround:
For the admin and root users, comment out expiry-status and expiry-date in the backup file and try to restore.

Fix:
Added NACM rules in ConfD for successful config-restore.


1492401 : User with operator role is not having read-access to all pages

Component: F5OS-A

Symptoms:
- User experiences unauthorized error when trying to access "Tenant Images", "Software Management", "File Utilities", "Configuration Backup", and "System Report"

- User sees no items when trying to access "File Utilities", "Configuration Backup", and "System Report" pages

Conditions:
User has operator role.

Impact:
User is not able to view certain pages.


1490753 : Both linkUp and linkDown traps are sent when an up interface is disabled, and vice versa

Links to More Info: BT1490753

Component: F5OS-A

Symptoms:
When an F5OS system is configured with SNMP Targets for managing the Trap notifications, both linkUp and linkDown traps are sent when the interface state is toggled.

Conditions:
Two traps (linkUp and linkDown) are always sent when the interface state is toggled, whether from UP to DOWN or from DOWN to UP.

Impact:
No functional impact, but when two traps are sent, the interface state over SNMP can be misleading.

Workaround:
None

Fix:
The appropriate trap, that is, linkDown trap when F5OS interface state is down and linkUp trap when F5OS interface state is up, will be sent.


1486697 : Configuring Expiry-status of root and admin users should not be allowed

Links to More Info: BT1486697

Component: F5OS-A

Symptoms:
Expiry-status of root and admin users are allowed to be configured and there is a chance of locking out these users.

Conditions:
If Expiry-status of any root or admin user is marked as Locked, that root or admin user cannot log in to the system.

Impact:
There is a chance that default users, such as root and admin, become locked out.

Workaround:
None

Fix:
You cannot edit the ‘Expiry-status’ field in webUI for admin and root users. Thus, it cannot be configured. The 'Expiry-status' field for root and admin users will now always display the default value as 'Enabled'.


1481797 : Voltage sensor limits incorrect, causing notice messages on r2000 & r4000 appliances

Links to More Info: BT1481797

Component: F5OS-A

Symptoms:
The rSeries 2000 and 4000 appliances can incorrectly report voltage sensor errors when the values are within the allowed range.

platform 2023-10-16 19:00:01.263 Z Error appliance-1 diag-agent[8] msgid=0x098200000000001a msg="Component Attribute Changed" component="appliance/hardware/bmc" attribute="p5a:sensor:voltage:p1v05nac" severity="Notice" value="1.03" interface="diag-controller"

platform 2023-10-15 19:00:01.322 Z Error appliance-1 diag-agent[8] msgid=0x098200000000001a msg="Component Attribute Changed" component="appliance/hardware/bmc" attribute="p5a:sensor:voltage:p0v83x557" severity="Notice" value="0.81" interface="diag-controller"

The 2 sensor limits above should be:

- P1V05_NAC == 1.05V +/- 30mV
- P0V83_X557 == 0.83 (0.76V - 0.85V)

This means log messages that report voltage values within the limits can be safely ignored.

Conditions:
rSeries appliances r2x00 or r4x00

Impact:
This is a cosmetic issue.

Workaround:
Review the warning to ensure the reported value is within the defined ranges stated above.

Fix:
The system will not log errors when P1V05_NAC and P0V83_X557 are within the accepted limits.
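
The workaround's manual range check can be scripted. The following is an added example, not F5 code: it parses diag-agent "Component Attribute Changed" lines and flags only the readings that fall outside the limits stated above. It assumes that the log attribute suffixes p1v05nac and p0v83x557 correspond to P1V05_NAC and P0V83_X557, and that the limits are inclusive; the helper names and the last three sample lines are constructed for illustration.

```python
import re
from decimal import Decimal, InvalidOperation

# Limits as stated in this release note for ID 1481797 (volts, treated as inclusive).
# Assumption: the log attribute suffix is the sensor name lower-cased without "_".
LIMITS = {
    "p1v05nac": (Decimal("1.05") - Decimal("0.030"), Decimal("1.05") + Decimal("0.030")),
    "p0v83x557": (Decimal("0.76"), Decimal("0.85")),
}

# Matches attribute="...:sensor:voltage:<sensor>" followed later by value="<reading>".
LINE_RE = re.compile(
    r'attribute="[^"]*:sensor:voltage:(?P<sensor>[^":]+)"'
    r'.*?value="(?P<value>[^"]*)"'
)

def classify(line):
    """Return (sensor, value_as_text, status) for a voltage line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # not a voltage sensor message
    sensor, raw = m["sensor"], m["value"]
    try:
        value = Decimal(raw)  # Decimal avoids float rounding at the boundaries
    except InvalidOperation:
        return (sensor, raw, "unparseable")
    if sensor not in LIMITS:
        return (sensor, raw, "unknown-sensor")
    low, high = LIMITS[sensor]
    status = "within-limits" if low <= value <= high else "out-of-range"
    return (sensor, raw, status)

def out_of_range(lines):
    """Return (sensor, value_as_text) for readings that need a closer look."""
    flagged = []
    for line in lines:
        result = classify(line)
        if result is not None and result[2] != "within-limits":
            flagged.append(result[:2])
    return flagged

_PREFIX = ('Z Error appliance-1 diag-agent[8] msgid=0x098200000000001a '
           'msg="Component Attribute Changed" component="appliance/hardware/bmc" ')

SAMPLE_LOG = [
    # The two lines quoted in the release note above.
    'platform 2023-10-16 19:00:01.263 ' + _PREFIX +
    'attribute="p5a:sensor:voltage:p1v05nac" severity="Notice" value="1.03" '
    'interface="diag-controller"',
    'platform 2023-10-15 19:00:01.322 ' + _PREFIX +
    'attribute="p5a:sensor:voltage:p0v83x557" severity="Notice" value="0.81" '
    'interface="diag-controller"',
    # Constructed lines (not from the release note) with out-of-range readings.
    'platform 2023-10-16 19:05:01.000 ' + _PREFIX +
    'attribute="p5a:sensor:voltage:p1v05nac" severity="Notice" value="1.09" '
    'interface="diag-controller"',
    'platform 2023-10-16 19:06:01.000 ' + _PREFIX +
    'attribute="p5a:sensor:voltage:p0v83x557" severity="Notice" value="0.75" '
    'interface="diag-controller"',
    # Constructed non-sensor line; it must be skipped.
    'platform 2023-10-16 19:07:01.000 Z Info appliance-1 diag-agent[8] '
    'msg="constructed non-sensor line"',
]

if __name__ == "__main__":
    for sensor, value in out_of_range(SAMPLE_LOG):
        print(f"review: {sensor} reported {value} V, outside the stated limits")
```
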


1472917 : LDAP authenticated admins logging in via the serial console may have trouble disabling appliance mode during system instability

Component: F5OS-A

Symptoms:
If ConfD is not running, F5OS offers an emergency option to disable appliance mode when an administrator logs in successfully via the serial console.

Conditions:
The admin role has been configured with a remote-gid that is not 9000 and the admin successfully authenticates via LDAP on the serial console while ConfD is not running.

Impact:
Remotely-authenticated admin users cannot disable appliance mode if ConfD is offline.

Workaround:
None

Fix:
Remotely-authenticated admin users can disable appliance mode if ConfD is offline.


1470917 : LAG aggregated speed is not updated

Links to More Info: BT1470917

Component: F5OS-A

Symptoms:
LAG's aggregation state lag-speed value is not the aggregate of the member port's actual speed.

Conditions:
Individual port auto-negotiates to a value lower than its initial port speed configuration.

Impact:
The actual speed of the LAG is not displayed when running the show interfaces interface aggregate command. This is just a display issue, with no impact on the actual bandwidth of the LAG.

Workaround:
None

Fix:
The LAG speed reflects accurately the sum of the operational speed of members.


1469401 : ARP request for mgmt interface IP resolving to mgmt0-system interface's MAC

Component: F5OS-A

Symptoms:
1. Configure IP on mgmt0-system from ConfD.
2. Configure IP on mgmt using a Linux command.
3. ARP request to mgmt-ip resolves to MAC of mgmt0-system.

Conditions:
Configuring IP on the mgmt interface using Linux nmcli/ip commands.

Impact:
No impact

Workaround:
None

Fix:
Added code changes to make F5OS resolve to the correct MAC for mgmt-ip.


1469385 : GUI freezes during LDAP user authentication if no remote GID mapped locally.

Links to More Info: BT1469385

Component: F5OS-A

Symptoms:
The LDAP remote user authentication freezes for a long time (more than a minute).

Conditions:
When trying to authenticate a remote LDAP user through the GUI without mapping any of the remote user GIDs to the F5OS local roles.

Impact:
Authentication freezes for a long period before rejecting the user.

Workaround:
One of the remote GIDs should be mapped to the local F5OS roles.

Fix:
Map the remote GID(s) to the F5OS role(s) to authenticate remote LDAP users successfully.


1468545 : Inconsistency with time zones displayed in log files

Links to More Info: BT1468545

Component: F5OS-A

Symptoms:
PEL logs in F5OS systems are logged in a time zone other than the configured time zone.

Conditions:
If the configured time zone is different from UTC, then the PEL logs can display different time for log messages.

Impact:
Troubleshooting and tracing issues can be difficult, as the time zones used in different logs do not match.

Workaround:
None

Fix:
PEL logs in F5OS systems are logged in the applicable time zone.


1467273 : LCD restarting internal services periodically due to memory allocation error.

Component: F5OS-A

Symptoms:
On a r2000/r4000 system, the LCD may experience an issue causing it to repeatedly restart the ‘platform_monitor’ or ‘bmcservice’ service due to a memory allocation problem.

The lcd.log file displays recurring patterns of log messages such as:

2023-12-13T23:53:37.264375+07:00 -- 2023-12-13T23:53:37.264375+07:00 lcd platform_monitor[1581] Traceback (most recent call last):#012 File "/usr/sbin/platform_monitor.py", line 540, in <module>#012 raise e#012OSError: [Errno 12] Cannot allocate memory
2023-12-13T23:53:39.477464+07:00 -- 2023-06-24T03:11:45+07:00 lcd /etc/watchdog.d/platform_monitor_watchdog.sh: found platform_monitor is not running
<snip>
2023-12-13T23:53:40.025297+07:00 -- 2023-06-24T03:11:46+07:00 lcd watchdog[1424]: test binary /etc/watchdog.d/platform_monitor_watchdog.sh returned 255
2023-12-13T23:53:40.025524+07:00 -- 2023-06-24T03:11:46+07:00 lcd /etc/watchdog.d/platform_monitor_watchdog.sh: Trying to repair platform_monitor ...
<snip>
2023-12-13T23:53:41.667967+07:00 -- 2023-06-24T03:11:48+07:00 lcd /etc/watchdog.d/platform_monitor_watchdog.sh: platform_monitor successfully repaired, pid = 27676

A similar condition may occur for the 'bmcservice' service.

2024-02-22T04:36:38.648864+00:00 -- 2024-03-17T21:05:37+00:00 lcd /etc/watchdog.d/bmcservice_watchdog.sh: found bmcservice is not running
2024-02-22T04:36:39.249053+00:00 -- 2024-03-17T21:05:37+00:00 lcd watchdog[1436]: test binary /etc/watchdog.d/bmcservice_watchdog.sh returned 255
2024-02-22T04:36:39.249787+00:00 -- 2024-03-17T21:05:37+00:00 lcd /etc/watchdog.d/bmcservice_watchdog.sh: Trying to repair bmcservice ...
2024-02-22T04:36:41.140343+00:00 -- 2024-03-17T21:05:39+00:00 lcd /etc/watchdog.d/bmcservice_watchdog.sh: bmcservice successfully repaired, pid = 26226

Conditions:
Excessive LCD memory consumption may occur if the appliance is turned off while external power is still connected. This excess memory usage will not be resolved when the appliance is turned on again.

Impact:
While the LCD is operating in this state, it may not be able to obtain the PSU status from the BMC and update the PSU status LEDs accordingly.

Furthermore, the LCD may not be able to ascertain the system’s current power state from the BMC.

Workaround:
The excessive LCD memory consumption can be recovered by rebooting the LCD.

1) Log into the appliance as a root user.
2) Issue `docker exec -it platform-hal psf call POST:lcd/reboot waitForBootup=true` at the Linux prompt.
3) Wait 60–90 seconds for the LCD to complete a reboot.

Example:

[root@appliance-1:Active] ~ # docker exec -it platform-hal psf call POST:lcd/reboot waitForBootup=true
  field | value
----------+--------
  success | true

Fix:
The excessive LCD memory consumption is fixed in LCD firmware v1.01.069.00.1 and later.


1466397-1 : LDAP authentication is consuming several minutes to authenticate via GUI and SSH.

Links to More Info: BT1466397

Component: F5OS-A

Symptoms:
LDAP authentication works, but it takes several minutes to complete, which makes for a poor user experience.

Conditions:
- Configure LDAP server-group.
- Configure LDAP_ALL as an authentication-method.
- Log in using LDAP user via GUI or SSH.

Impact:
The user is forced to wait for several minutes to get the result of LDAP authentication.

Workaround:
None

Fix:
Removed unnecessary GID lookup to speed up LDAP authentication.


1461289-1 : On an rSeries appliance, config-backup proceed is broken

Links to More Info: BT1461289

Component: F5OS-A

Symptoms:
On an rSeries appliance, system database config-backup 'proceed' is broken. The prompt is meant for overwriting an existing backup file, but it asks you to proceed even if a file does not exist.

Conditions:
System database config-backup always prompts for the user to proceed even if a file does not exist.

Impact:
No functional impact. When you provide input 'yes', the backup file will be generated.

Workaround:
When prompted to 'proceed', you must respond with 'yes'.

Fix:
The system database config-backup prompts the user with the ‘proceed’ option only when the file exists and the user has not provided ‘proceed yes’ in the input CLI command.


1461109 : GUI error "Unable to get data from stream streams/platform-stats/json"

Component: F5OS-A

Symptoms:
When viewing usage visualizations on screens that support them (Tenant details, Dashboard CPU tab, etc.), an error in the notification stream sometimes occurs when switching between browser tabs.

Conditions:
-- Viewing a screen that shows data visualizations using notification streams
-- Switching between different browser tabs.

Impact:
An error message is displayed in place of the visualization charts.

Workaround:
Refreshing the page will start the notification stream again and the user should start seeing data visualizations.

Fix:
This issue happens because the GUI tries to disconnect from and reconnect to the stream when switching between tabs. This behavior is now prevented; the stream stays connected even when the user switches to a different tab.


1455913 : Tcpdump on F5OS does not honor the -c flag

Component: F5OS-A

Symptoms:
When using Tcpdump on F5OS with the -c flag, Tcpdump will not stop after receiving the given number of packets.

Conditions:
A Tcpdump session is started with the -c or --count flag.

Impact:
The Tcpdump session will not terminate after receiving the requested number of packets and will continue until manually terminated.

Workaround:
N/A

Fix:
Tcpdump now honors the -c flag and will terminate after receiving the given number of packets.


1451181 : The Rest API call to list core files returns 500 error when no core files found.

Component: F5OS-A

Symptoms:
The ConfD List Core Files Rest API call request returns a 500 ERROR when no core files are found rather than returning an empty list.

Example:
https://10.10.10.1:8888/restconf/data/openconfig-system:system/f5-system-diagnostics-qkview:diagnostics/f5-system-diagnostics-qkview:core-files/f5-system-diagnostics-qkview:list

Conditions:
1. No core files exist on the system.
2. A REST API request for the list of core files is made.

Impact:
Limited, but may affect automation.

Workaround:
Automation can respond to 500 error.

Fix:
Instead of responding with a 500 error, the response is now "none" when no core files exist.


1441425 : The rSeries appliance log shows "PSU voltage out value < lower limit, value=0".

Links to More Info: BT1441425

Component: F5OS-A

Symptoms:
The following message appears in the logs:
66305 psu-1 psu-fault EVENT Network Access "PSU voltage out value < lower limit, value=0" "2023-12-08 09:00:00.900082135 UTC".

Conditions:
The conditions that trigger this issue are unknown at this time.

Impact:
Users see several "PSU voltage out value < lower limit, value=0" logged messages, which could be falsely reported.

Workaround:
None

Fix:
None


1441333 : Rasdaemon memory leak

Links to More Info: BT1441333

Component: F5OS-A

Symptoms:
Rasdaemon will increase in size when excessive (>10000) MCE memory error events occur and may lead to system instability.

Conditions:
Likely due to memory hardware resulting in MCE errors

Impact:
System instability

Workaround:
Rebooting could be a temporary work-around if MCE rate is excessive.

Fix:
Rasdaemon version is upgraded in the current F5OS release.


1437765-2 : Restoration of system configuration database may fail if admin user was previously modified

Links to More Info: BT1437765

Component: F5OS-A

Symptoms:
The restoration of the System Configuration Database fails with this error:
appliance-1(config)# system database config-restore name config_database1 proceed yes
Error: access denied
Database config-restore failed.

Conditions:
In F5OS-A 1.5.1, the expiry status of the ‘admin’ user has been modified even before the System Configuration Database is saved and restored on the device that is currently installed after RMA/factory or F5OS clean install.

Impact:
Unable to restore the System Configuration Database.

Workaround:
1. In F5OS-A 1.5.1, it is recommended not to lock or modify the expiry status of the ‘admin’ user on the RMA/factory or clean installed appliance. If modified, enable the user before taking the backup.
2. Edit the System Configuration Database backup file. For the admin and root user, remove the next line which is highlighted by the arrow, then restore the configuration using the modified file:
           <username>admin</username>
           <config>
             <username>admin</username>
             <password><REMOVED></password>
             <last-change>0</last-change>
             <expiry-date>-1</expiry-date>
             <role>admin</role>
             <expiry-status>enabled</expiry-status> <---


1436153 : F5OS upgrades fail when SNMP configuration contains special characters.

Links to More Info: BT1436153

Component: F5OS-A

Symptoms:
As part of some security fixes, a special character restriction was added to the SNMP configuration in F5OS-A 1.5.1. This resulted in an upgrade failure to 1.5.1. If an upgrade to 1.5.1 is successful, the SNMP configuration will get deleted implicitly.

Conditions:
Upgrade to 1.5.1 fails when the SNMP configuration contains any special characters. The restricted special characters are: /*!<>^,/

Impact:
If the user encounters this issue, the system will go to an inaccessible state and require a forced downgrade.

Workaround:
Delete the SNMP configuration (community, target, or user) containing special characters before performing an upgrade to 1.5.1.

Fix:
Special characters in the SNMP configuration do not introduce any security issues, so the configuration can contain them. Hence, the special characters restriction is removed in F5OS-A 1.5.2 and F5OS-A 1.8.0.


1429741 : Appliance management plane egress traffic from F5OS-A host going via BIG-IP Next tenant management interface instead of host management when both are in same subnet

Links to More Info: BT1429741

Component: F5OS-A

Symptoms:
When a BIG-IP Next tenant is installed, a default route rule is added on the host. If the tenant management and host management IPs are on the same subnet, then two similar rules are created with the same subnet as the destination.

The tenant route rule is created with higher priority (metric 0), so any management egress traffic whose destination belongs to the same subnet goes through the tenant management interface instead of the host management interface.

Conditions:
BIG-IP Next tenant is deployed on appliance.

Impact:
End users receiving traffic from the appliance will observe the sender IP as the tenant management interface instead of the host management interface.
    Note:
        a. This issue will be observed only when the host management and tenant management subnets are the same and the destination to which data is sent is also on that subnet.
        b. This impacts management plane traffic within the appliance's management subnets.

Workaround:
N/A

Fix:
N/A


1429721 : SCP as non-root user does not report errors correctly for bad/non-existent files.

Links to More Info: BT1429721

Component: F5OS-A

Symptoms:
Using SCP to retrieve files from F5OS as "admin" or other non-root users should report a proper error when attempting to access an invalid directory or non-existent file.

Instead, the SCP command does nothing, reports no error, and exits with a non-zero exit status.

Conditions:
Attempt to read a non-existent/inaccessible file via SCP.

Impact:
The user is not informed about the failed SCP operation and the reason for the failure.

Fix:
SCP server software now reports errors for invalid/inaccessible filenames.


1411137 : Audit log entries are missing when creating or deleting objects via UI or API

Links to More Info: BT1411137

Component: F5OS-A

Symptoms:
When creating or deleting multiple remote-server related objects via UI or API, multiple restarts happen, causing log messages to be dropped.

Conditions:
While creating or deleting multiple objects related to remote-server, rsyslog restarts every time to apply the new configuration. Due to the restarts, some log messages are dropped.

Impact:
Log messages are dropped due to multiple restarts of the rsyslog.

Workaround:
None


1411101 : "Error pf_nic_get_media" failed error for ports with or without SFP connected

Links to More Info: BT1411101

Component: F5OS-A

Symptoms:
The "Error pf_nic_get_media failed" message appears intermittently for ports, whether connected or not.

Conditions:
One or more ports are not connected on R2k/R4K devices.

Impact:
The error is confusing because the port does not have an SFP connected.

Workaround:
None


1410445 : The system's power state may be incorrectly indicated by the Status LED

Links to More Info: BT1410445

Component: F5OS-A

Symptoms:
The power state on an r2000/r4000 system may be incorrectly indicated by the Status LED when the system is in standby.

When an r2000/r4000 system is in the standby power state, the Status LED should be solid amber. Instead, the Status LED may be blinking amber which indicates that communication between the LCD and host CPU has been lost.

Conditions:
An r2000/r4000 system in standby power state.

Impact:
No functional impact.

Workaround:
None

Fix:
Fixed in LCD firmware v1.01.068.00.1 and later.


1408477 : When more than one PCIe AER error has occurred, diag-agent reports this as a "RAS AER 'unknown' error" instead of the individual AER errors.

Component: F5OS-A

Symptoms:
When more than one PCIe AER error occurs simultaneously, diagnostics will not report the events.

Conditions:
This occurs when more than one PCIe AER error occurs simultaneously.

Impact:
You are unable to see the individual PCIe errors.

Workaround:
None

Fix:
Updated diagnostics to consider and report more than one PCIe AER error when they occur simultaneously.


1403817-1 : SNMP IF-MIB misreports the status and speed of LACP LAGs

Links to More Info: BT1403817

Component: F5OS-A

Symptoms:
SNMP polling on IF-MIB provides incorrect status and speed of LACP LAG interfaces.

Conditions:
The issue is seen only on the SNMP interface. The correct status and speed are displayed on the CLI and GUI.

Impact:
The user will see incorrect status and speed details when polling IF-MIB over SNMP for LACP LAG interfaces.

Workaround:
None

Fix:
Fixed the issue to display the correct values of LACP LAG interfaces in IF-MIB SNMP polling.


1403781 : Modifying mgmt interface's description will trigger interface flapping

Links to More Info: BT1403781

Component: F5OS-A

Symptoms:
Management interface description commit may cause an interface flap.

Conditions:
Change the mgmt interface description for first time and commit.

Impact:
There is a mgmt interface flap.

Workaround:
None


1401965-1 : Copying BIG-IP ISO to /var/import/staging/, leaves ISO loopback mounted

Links to More Info: BT1401965

Component: F5OS-A

Symptoms:
An error occurs:
ERROR: sw-mgmt: priority=error msgid=0x3501000000000154 msg=Unexpected error processing "import /var/export/chassis/import/iso/<image>.iso": [Errno 30] Read-only file system: 'ace-1.1.7-0.0.3.i686.rpm'

Conditions:
Copying a BIG-IP ISO to /var/import/staging/ (rather than /var/F5/system/IMAGES or /var/F5/partition<num>/images)

Impact:
An error occurs and the ISO loopback remains mounted

Workaround:
None

Fix:
Fixed in F5OS-A/C 1.8.0


1401841 : Out of memory issues are seen when multiple telemetry exporters are configured

Component: F5OS-A

Symptoms:
Out of memory issues are seen when too many telemetry exporters are enabled.

Conditions:
When the system is configured with too many exporters that have the exporter options "retry-enabled" and "send-queue-enabled" set to "true", and the exporter endpoints are not reachable from the device.

Impact:
This will increase memory utilization of the system and could cause the restart of random processes/services to free up the memory.

Workaround:
Disable the unreachable telemetry exporters from ConfD
"system telemetry exporters exporter <name> config disabled"

If there are too many exporters configured, disable some of the exporters.

Fix:
N/A


1401621 : Modifying a remote server with multiple selectors from the web UI removes the AUTHPRIV configuration.

Component: F5OS-A

Symptoms:
The AUTHPRIV option is not available on the webUI. Modifying a remote log server, which has multiple servers, from the webUI removes the AUTHPRIV configuration.

Conditions:
Modifying a remote server with multiple selectors from the webUI.

Impact:
The AUTHPRIV selector has been removed from the configuration.

Workaround:
To modify the configuration of a remote server with more than one selector, use the CLI.

Fix:
Added the AUTHPRIV option to the webUI. Modifying the configuration of a remote server with more than one selector from the webUI will not remove AUTHPRIV from the configuration.


1400221 : OpenTelemetry exporters may not produce data upon first tenant being added to system

Component: F5OS-A

Symptoms:
Telemetry streaming stops when the first tenant is configured.

Conditions:
When OpenTelemetry exporters are configured before the first tenant is configured within F5OS, this can lead to a condition where the exporters stop streaming metrics and logs.

Impact:
OpenTelemetry exporters stop producing metrics and logs.

Workaround:
The work-around is to disable and re-enable all exporters from the ConfD CLI.

system telemetry exporters exporter <name> config disabled

system telemetry exporters exporter <name> config enabled

Fix:
N/A


1399929-1 : F5OS permits user to configure non-existent ethernet interface

Links to More Info: BT1399929

Component: F5OS-A

Symptoms:
Despite the fact that the type "ethernetCsmacd" is NOT shown as "Possible completion" for the type value, the user can type it in when adding an interface component.
The system prohibits you from deleting this non-existent interface while the type is ethernetCsmacd.

Conditions:
User-triggered command for non-exposed type.

Impact:
The configuration contains a non-existent ethernet interface with no actual activity.

Workaround:
To delete the non-existent interface, change the interface's type to ieee8023adLag, commit, and then delete the interface.

Fix:
With this fix, F5OS will reject the creation of ethernetCsmacd.


1398889 : rSeries r5000: assertion in qat-device-plugin FilteringResourceEventHandler.OnDelete causing k8s panic

Component: F5OS-A

Symptoms:
Crash log gets printed in run_plugin.log

Conditions:
The application internally crashes some time during tenant deletion.

Impact:
No functional impact. The log keeps growing with crash log entries each time this happens.

Workaround:
It automatically recovers by restarting the application.

Fix:
N/A


1398341 : The affinity script crash seen in /var/log/cron logs

Component: F5OS-A

Symptoms:
Affinity script crashes due to unhandled exceptions.

Conditions:
Due to an unhandled null reference, sys-affinity crash is seen.

Impact:
No impact. system-affinity will restart within 1 minute.

Workaround:
N/A

Fix:
N/A


1398145 : The 'file list' command takes a long time and the webUI is stuck in loading

Links to More Info: BT1398145

Component: F5OS-A

Symptoms:
When the 'file list' command is used, it takes a lot of time to get the results for the log/host path. This causes the webUI to be stuck in loading.

Conditions:
Using 'file list' command for log/host.

Impact:
The webUI will not be able to load the files in the log/host.

Workaround:
N/A

Fix:
Optimized the code to achieve faster performance when handling file lists.


1397145 : Unable to add blade to Openshift cluster if VELOS partition root password is expired or locked

Links to More Info: BT1397145

Component: F5OS-A

Symptoms:
If a VELOS partition root password is expired or locked, the system may be unable to add the blade to the Openshift cluster (or manage the cluster).

The "show cluster" command output will report that a blade is reachable ("able to ping"), but will not be able to connect to it ("able to SSH"):

                                                          ABLE ABLE
                                        IN READY TO TO PARTITION
INDEX NAME INSERTED CLUSTER CLUSTER PING SSH STATE LABEL
--------------------------------------------------------------------------------------------------
1 blade-1.chassis.local true false false true false Not In Cluster
2 blade-2.chassis.local true false false true false Not In Cluster
3 blade-3.chassis.local true false false true false Not In Cluster

Conditions:
-- VELOS partition
-- root account in partition is expired or locked

Impact:
- Blade will not join Openshift cluster.
- Unable to deploy Tenants to blade.

Workaround:
Re-enable the root user account for the partition:

system aaa authentication users user root config expiry-status enabled


1394993-1 : Upon configuration changes, the l2-agent container restarts with a core.

Links to More Info: BT1394993

Component: F5OS-A

Symptoms:
On systems running F5OS-A or F5OS-C, when the owner field of the fdb entry is updated by the system for L2_LISTENER entries, l2_agent crashes.

Conditions:
Configuration changes triggered by system for L2_LISTENER fdb entries. Note that this field is not used by STATIC fdb entries, but the problem can be reproduced easily with STATIC entries.

Impact:
When l2_agent crashes there is a potential disruption to configuration processing.

Workaround:
None

Fix:
The fix will avoid the crash, and the update of the owner leaf will be processed accordingly.


1394913-1 : Rare LACPD crash during process termination

Links to More Info: BT1394913

Component: F5OS-A

Symptoms:
LACPD crashes, generating a core file.

Conditions:
While the LACPD process terminates, it may crash. Operations such as a host reboot and software upgrade cause the process to terminate.

Impact:
A core file is generated. No functional impact to the system.

Workaround:
N/A

Fix:
LACPD no longer crashes during process termination.


1394905 : Unable to create AOM user

Component: F5OS-A

Symptoms:
When setting up another user in system AOM, a user gets the error "Unable to set AOM ssh username and password --------> failed".

Conditions:
- Creating a second username in AOM
- Using the same password as the first username

Impact:
User cannot create a second username and password.

Workaround:
When creating a new username and password, you must use a different password from the first password that was used.
If you wish to set up a new username using the same password, you must first run "system aom clear-data" to clear out the old username and password combination.

Fix:
Update: User can now set a new username with the existing password.


1394857 : Cannot retrieve AOM username after creating it

Component: F5OS-A

Symptoms:
There is no way to retrieve the AOM username after setting it.

Conditions:
Setting the AOM username and password in ConfD: "system aom set-ssh-user-info username password"

Impact:
If the user forgets their username, there is no way to retrieve it.

Workaround:
You can use "system aom clear-data" to reset all the information and set a new username and password.

Fix:
N/A


1394045 : Misleading "unable to read AOM SSH login banner" errors are found

Component: F5OS-A

Symptoms:
The AOM SSH login banner is an optional field, but a misleading error "unable to read AOM SSH login banner" is found in logs if you do not configure it.

Conditions:
Configure AOM SSH and check the AOM info. The errors will appear in the log.

Impact:
Benign errors "unable to read AOM SSH login banner" are found in the log.

Workaround:
N/A

Fix:
Fixed on F5OS-A 1.8.0. The "unable to read AOM SSH login banner" error does not appear if banner has not been configured.


1393669 : On adding a member to an existing LAG on webUI, the newly added member's speed does not add up to the LAG's "Current Speed" instantly and requires a reload to see the expected response

Links to More Info: BT1393669

Component: F5OS-A

Symptoms:
The status for the newly added member shows as "down" in the REST response and the newly added member's speed does not add up to the "Current Speed" of the LAG on the webUI/REST response.

Conditions:
Occurs on the webUI when adding a member to an existing LAG.

Impact:
"Current Speed" for the LAG appears stale as it does not reflect the newly added member's speed.

Workaround:
The issue only stays momentarily. If the user refreshes the screen, it shows the LAG's Current Speed appropriately.

Fix:
N/A


1393269 : Error log: "PINGLOOP Failed to ssh to 127.0.0.1"

Links to More Info: BT1393269

Component: F5OS-A

Symptoms:
"PINGLOOP Failed to ssh to 127.0.0.1" logged in platform.log by Appliance Orchestration Manager.

Conditions:
1. root user locked with expiry status set to "locked".
2. Appliance rebooted after locking root user.

Impact:
Internal processes relying on root user may malfunction.

Workaround:
Avoid locking the root user account by not setting the expiry status to "locked".
Use appliance mode for root user lockdown.


1391625 : Hugepages do not get de-allocated after BIGIP NEXT tenant HA disassembly

Component: F5OS-A

Symptoms:
After BIGIP NEXT tenant HA disassembly, the huge pages allocated for the HA-deployment pod do not get de-allocated. This can be checked in /proc/meminfo.

Conditions:
This bug can be observed after HA disassembly.

Impact:
No functional impact. 38 MB huge pages will not be available for other processes after the disassembly of HA. After the reassembly of HA, the same huge pages will be used.

Workaround:
N/A

Fix:
N/A


1390425-1 : Libvirt core is generated on downgrade from 1.7.0 -A to 1.6.0 -A

Component: F5OS-A

Symptoms:
A flawed core file is generated intermittently on downgrade from 1.7.0 -A to 1.6.0 -A. The tenant remains healthy and functional after reboot.

Conditions:
Occurs intermittently when a system downgrades from 1.7.0 -A to 1.6.0 -A.

Impact:
A libvirt core file is generated, but the tenant is actually healthy and functional.

Workaround:
N/A

Fix:
N/A


1388961 : A few SEL entries in /var/log/platform/sel have missing details

Links to More Info: BT1388961

Component: F5OS-A

Symptoms:
A few SEL entries in /var/log/platform/sel have missing details or might be blank.

Conditions:
For r2000 and r4000 systems, a few SEL entry types are not fully parsed and details will not be available, particularly those that typically appear during a system restart.

Impact:
No functional impact, but with missing SEL log entries it can be difficult to investigate other problems.

Workaround:
None

Fix:
Improved the logging of SEL entries.


1388945 : Fan speed randomly shows as '0'.

Links to More Info: BT1388945

Component: F5OS-A

Symptoms:
The fan speed is randomly and incorrectly reported as '0'.

Conditions:
Checking the sensors using GET:bmc/sensors.

Impact:
The fan speed is reported as '0'.

Workaround:
None

Fix:
This issue has been fixed, and the fan speed no longer randomly reports as '0'.


1388745 : Large numbers of platform-hal errors logged in platform.log: "Requested Sensor, data, or record not present."

Links to More Info: BT1388745

Component: F5OS-A

Symptoms:
The platform-hal service is intermittently logging a large number of messages similar to the following in platform.log:

appliance-1 platform-hal[8]: priority="Err" msg="Action Error" index=0 message="Requested Sensor, data, or record not present." interface="job-665402" actionKey="GET:lop/pel" jobId=665402

There may be tens of thousands of log messages in some cases.

Conditions:
The conditions that trigger this issue are unknown at this time.

Impact:
The platform.log file becomes filled up with many of these log messages, and they must be filtered out to review the logs effectively.

Workaround:
None

Fix:
None


1388477 : Default GID group mapping authorized even when GID mapped to different group ID

Component: F5OS-A

Symptoms:
When a role (group) is mapped to a custom remote group ID (GID), the default GID (e.g. 9000 for admin) is also authorized for the same group.

Conditions:
The admin role (GID 9000), operator role (GID 9001), user role (GID 9002), or resource-admin role (GID 9003) is assigned a non-default GID.

Impact:
Remote users with GIDs 9000, 9001, 9002, or 9003 maintain the default access for their user role.

Workaround:
Do not assign the F5's default admin, operator, and resource admin role IDs (GID) to the remote user groups. These GIDs are 9000, 9001, and 9003 respectively.

For a customer who uses the versions with the issue, if higher privilege user group IDs are anything different from 9000, 9001, and 9003, do not assign 9000, 9001, and 9003 GIDs to any other group in the external directory, and do not assign default F5 role GIDs to any user. The default GIDs 9000, 9001, and 9003 should be entirely unassigned in the directory, or assigned to placeholder groups that are prohibited from user assignment.

See the role GIDs in ConfD CLI with the following command:

show system aaa authentication roles role

See the 'GID' column in the command output and don't assign those GIDs to users.

Fix:
If a remote-GID is configured for a role, the default GID will no longer authenticate for that role.
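
The workaround above amounts to an audit of the external directory. The following is an added example, not F5 code: it checks an LDIF-style export for users or populated groups that still hold the default GID of a role that has been remapped. It assumes an RFC 2307 schema (posixAccount, posixGroup, gidNumber, memberUid); the configured remote-gid values and all directory entries are constructed sample data.

```python
"""Audit a directory export for principals holding an F5OS default role GID
that should no longer grant access once the role has a custom remote-gid."""

# Default role GIDs as listed in the release note for ID 1388477.
DEFAULT_ROLE_GIDS = {"admin": 9000, "operator": 9001, "user": 9002, "resource-admin": 9003}

# Constructed sample: remote-gid values copied by hand from the output of
# "show system aaa authentication roles role" (hypothetical site values).
CONFIGURED_REMOTE_GIDS = {"admin": 5000, "operator": 5001, "user": 9002, "resource-admin": 9003}

# Constructed LDIF-style export (assumes RFC 2307 attributes; not real data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: alice
gidNumber: 5000

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
gidNumber: 9000

dn: cn=legacy-ops,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: legacy-ops
gidNumber: 9001
memberUid: carol
memberUid: dave

dn: cn=f5-reserved-9000,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: f5-reserved-9000
gidNumber: 9000

dn: uid=erin,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: erin
gidNumber: 9002
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, ignores comments.
    Base64 values ("attr:: ...") end up under a key with a trailing colon
    and are therefore never matched by the audit below."""
    entries = []
    unfolded = text.replace("\n ", "")
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry.setdefault(key.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries


def shadow_gids(configured):
    """Map default GID -> role for every role remapped to a custom remote-gid."""
    return {
        DEFAULT_ROLE_GIDS[role]: role
        for role, gid in configured.items()
        if role in DEFAULT_ROLE_GIDS and gid != DEFAULT_ROLE_GIDS[role]
    }


def audit(ldif_text, configured):
    """Return (dn, gid, role, reason) for each principal holding a shadow GID.
    Empty placeholder groups are accepted, as the workaround allows them."""
    shadow = shadow_gids(configured)
    findings = []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        for raw in entry.get("gidnumber", []):
            if not raw.isdigit() or int(raw) not in shadow:
                continue
            gid, dn = int(raw), entry["dn"][0]
            if "posixaccount" in classes:
                findings.append((dn, gid, shadow[gid], "primary GID of user"))
            elif "posixgroup" in classes:
                members = entry.get("memberuid", []) + entry.get("member", [])
                if members:
                    reason = "group with %d member(s)" % len(members)
                    findings.append((dn, gid, shadow[gid], reason))
    return findings


if __name__ == "__main__":
    for dn, gid, role, reason in audit(SAMPLE_LDIF, CONFIGURED_REMOTE_GIDS):
        print("GID %d still maps to default role '%s': %s (%s)" % (gid, role, dn, reason))
```

A role left on its default GID is not reported, because holders of that GID are the intended members of the role.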


1381661 : LDAP external authentication fails if there is no group definition for user's primary GID

Links to More Info: BT1381661

Component: F5OS-A

Symptoms:
LDAP external authentication (e.g. REST API or GUI; but not ssh) fails in the following scenario:
- User is defined in external auth system (e.g. LDAP)
- User has a primary GID assigned
- There is no group definition for user's primary GID

While this is legal, because the numeric GID should be sufficient, when we try to look up the group info and fail, this short circuits authentication resulting in an error.

Conditions:
- User is defined in external auth system (e.g. LDAP)
- User has a primary GID assigned
- There is no group definition for user's primary GID

Impact:
Externally defined users may not be able to log in.

Workaround:
Define a group for the user's primary group ID.

system aaa authentication roles role <group name> config remote-gid <group ID>

Fix:
LDAP external authentication no longer fails if there is no group definition for user's primary GID. The numeric GID is sufficient.


1381277 : Most recent login information is not displayed in F5OS webUI

Links to More Info: BT1381277

Component: F5OS-A

Symptoms:
The most recent login information is not available in the F5OS webUI. These details can only be accessed through the CLI.

Conditions:
When using F5OS webUI.

Impact:
To access the most recent login information, you must use the CLI.

Workaround:
Use CLI command 'show last-logins' to access the recent login information.

Fix:
From F5OS-A 1.8.0, the most recent login information can be found in the User & Roles screen of the F5OS webUI.


1381109 : WS-2022-0322 - d3-color 2.0.0 package

Component: F5OS-A

Symptoms:
Versions of d3-color prior to 3.1.0 are vulnerable to a Regular expression Denial of Service.

Conditions:
N/A

Impact:
F5OS-A 1.8.0 may be affected by WS-2022-0322

Workaround:
N/A

Fix:
d3-color has been upgraded to an unaffected version.


1381057 : Opening and closing preview pane is causing the page scrollbar to disappear on View Tenant Deployments screen

Links to More Info: BT1381057

Component: F5OS-A

Symptoms:
On the "View Tenant Deployments" screen, when there are a significant number of tenants on the tenant data table, there will be a page level scroll. Opening and closing the preview pane by clicking on any row makes the page level scroll bar disappear.

Conditions:
User should be on the "View Tenant Deployments" screen and there should be many tenants configured on the system so that user can see a page level scroll bar.

Impact:
Opening and closing preview pane is causing the page level scrollbar to disappear making it impossible for a user to scroll down and see the tenants that are out of scroll view.

Workaround:
N/A

Fix:
The issue is now fixed and opening and closing preview pane no longer hides the page level scrollbar. The user can scroll down to see the tenants that are hidden in scroll view.


1379845 : CVE-2023-3341:bind: stack exhaustion in control channel code may lead to DoS

Links to More Info: K000137582, BT1379845


1379625 : Changing the max-age attribute in password policy is not reflecting immediately

Links to More Info: BT1379625

Component: F5OS-A

Symptoms:
Even after setting the max-age value (maximum age, in days, after which the password expires) to less than 7 days, the password expiration warning is not displayed at the next login.

Conditions:
Set max-age attribute to less than 7 (days) and check if password expiration warning is prompted at the time of next login.

Impact:
Password expiration feature is not working as expected.

Workaround:
N/A

Fix:
Fix is provided to sync the max-age value, updated from ConfD CLI, with the user's password expiration attribute in the /etc/shadow on the system.


1379565-1 : Observing QKView start from 100% and then going back to 1%

Component: F5OS-A

Symptoms:
On a second execution of QKView, it is possible that the percent complete reported by the system diagnostics QKView status command will remain at the previous setting until the QKView collection set-up has been completed. This has no effect on the QKView collection, but it can be confusing.

Conditions:
QKView is executed two or more times.

Impact:
Confusing percent-complete number for a few moments.

Workaround:
Wait for a few moments until QKView capture set-up has finished (up to 30 seconds).


1378805 : Error occurs when changing LAG type for an existing LAG interface on webUI

Links to More Info: BT1378805

Component: F5OS-A

Symptoms:
On the webUI, if a LAG type changes from LACP, an error displays when that LAG type changes back to LACP.

Conditions:
The error occurs when attempting to change the LAG type on an existing LAG interface to a previously used type.

(i.e. Creating a LAG interface with type LACP, changing that type to Static, and then changing it back to LACP)

Impact:
This issue does not affect functionality; however, an unnecessary "Object Already Exist" error pop-up appears.

Workaround:
To avoid the pop-up, change the LAG type to LACP using the CLI in this scenario.

Fix:
Changing the LAG type on an existing LAG interface to a previously used type no longer triggers an error pop-up on the webUI.


1378313 : CVE-2020-22218: libssh2: use-of-uninitialized-value in _libssh2_transport_read

Links to More Info: K000138219, BT1378313


1375133 : K3S is getting reinstalled after live upgrade, even though there is no K3S version change

Component: F5OS-A

Symptoms:
The CLI "show cluster install-status" shows K3S as installing, even though there is no version change. This happens just after live upgrade.

Conditions:
This issue is seen during reboot just after live upgrade.

Impact:
There is no functional impact.

Workaround:
N/A

Fix:
N/A


1366417-3 : Long BIG-IP tenant names will cause not having virtual console access

Component: F5OS-A

Symptoms:
No access to the BIG-IP tenant virtual console.

Conditions:
BIG-IP tenant name is longer than 32 characters.

Impact:
The creation of the tenant-console user fails, preventing access to the virtual console for that tenant.

Workaround:
Use tenant names that don't exceed 32 characters in length.

Fix:
Warn the user when using BIG-IP tenant names that exceed 32 characters in length.


1366337 : Adding a system raid drive fails after successful removal

Links to More Info: BT1366337

Component: F5OS-A

Symptoms:
If the system is set up using a bare-metal installation of F5OS-A 1.5.1, the user will not be able to add an SSD after removing an existing SSD from RAID.

Conditions:
The system must have been bare-metal installed using F5OS-A 1.5.1.

Impact:
User is unable to remove/add SSD into RAID.

Workaround:
N/A

Fix:
SSD can be added and removed from RAID.


1366157 : Warning needed about creating tenant with same name as existing user account name

Links to More Info: BT1366157

Component: F5OS-A

Symptoms:
When a tenant is created with the same name as an existing user account, the end user will not be able to log into the tenant console with that user account. A warning is not included.

Conditions:
Creating the tenant with the same name as an existing user account.

Impact:
The end user will not be able to connect to the tenant mgmt-ip with the user account.

Workaround:
Delete and re-deploy the tenant again with a different name.

Fix:
A warning that a console user won't be created if it matches the same name as a user account has been added.


1365985 : GID role mapping may not work with secondary GID

Links to More Info: BT1365985

Component: F5OS-A

Symptoms:
When a user in an external authentication system (LDAP, Radius, TACACS) is given a GID for an F5 role, and that GID is a secondary GID, the role assignment may not be discovered. This would result in the inability to access the system or be able to configure the system for that user.

Conditions:
- User in an external authentication system (LDAP, Radius, TACACS)
- GID corresponding to F5 role is a secondary GID (for example, it is not the user's default GID, rather a GID from a group to which the user belongs)

Impact:
Inability to log into the system, or inability to configure the system for the user in question.

Workaround:
The GID for the desired role should be the GID directly mapped to the user in the external authentication system (for example, in LDAP, the gidNumber on the user object should be the F5 role GID), rather than a secondary GID (for example, in LDAP, the gidNumber on a group of which the user is a member).

Fix:
All GID role mappings are properly considered when discovering role assignments for users in external authentication systems.


1365977 : Container daemons running as PID 1 cannot be cored on-demand

Links to More Info: BT1365977

Component: F5OS-A

Symptoms:
- kill -QUIT (or any other core-producing signal) to a container process running as PID 1 does not cause a core file.

- Actual runtime errors do generate cores as expected.

Conditions:
Containers that run their services directly as PID 1.

Impact:
Not possible to force a core file for diagnostic purposes.

Workaround:
None

Fix:
Containers that were running directly as PID 1 have been modified to use a minimal "init" process to catch and forward signals to the real service process.

The command:

"docker exec {containername} kill -QUIT 1"

can be used to core a daemon running as a child of /dev/init.

More complicated containers that have multiple processes running under 'bash' script may need to use

"docker exec {containername} kill -ABRT -1"

Note that if the "docker kill" or "docker stop" commands are used instead of "docker exec", the container will not restart, resulting in an inoperative system.


1365821 : Traffic loss of 5-10 seconds after disable/enable of LACP Lag member on r5000/r10000

Links to More Info: BT1365821

Component: F5OS-A

Symptoms:
Disabling and then re-enabling a LACP Lag member can result in traffic loss of up to 10 seconds on r5000/r10000 platforms.

Conditions:
Disable then re-enable LACP Lag member on r5000/r10000 platforms.

Impact:
Traffic loss lasting up to 10 seconds.

Workaround:
N/A

Fix:
Don't hold a mutex while processing the set of links to initialize. Make a copy of the links and release the mutex instead.


1361117 : ha-1-deployment pod may get restarted when tenant HA is configured

Component: F5OS-A

Symptoms:
When HA is configured on the BIG-IP Next tenants, a new pod of name <tenant-name>ha-1-deployment-<replica-set-hash>-<pod-id> will get created in the tenant namespace.

In some cases, the pod restart count may be 1.

Conditions:
When HA is set up on BIG-IP Next tenants on r-Series.

Impact:
No functional impact. The pod will come to running state automatically.

Workaround:
N/A

Fix:
N/A


1360905 : Unexpected log messages in /var/log/boot.log post-integrity recovery

Links to More Info: BT1360905

Component: F5OS-A

Symptoms:
Users may observe the following inappropriate log message in /var/log/boot.log after recovering from integrity failure:

Sep 28 08:45:08 appliance-1 journal: FIPS Integrity Check: This system has been placed in an error state. Try to recover the system using /usr/libexec/ostree_recover utility or reinstall the system. On many devices pressing the escape key followed by '(' key will bring up a menu that allows the system to be restarted.

Conditions:
The integrity failure occurs when the device is in FIPS mode, and a user alters or removes a file, subsequently executing an on-demand integrity test or a boot-up integrity test.

Impact:
There are no noticeable performance issues or anomalies associated with these log messages, and the issue does not affect the overall system performance or user experience. There are no potential risks or security concerns related to the inappropriate log messages.

Workaround:
N/A

Fix:
The code has been modified to provide more user-friendly log messages.


1359897 : rSeries link down events can be missed

Links to More Info: BT1359897

Component: F5OS-A

Symptoms:
The rSeries platform can occasionally fail to detect a link going down due to the removal of the cable.

Conditions:
Remove fiber optic cable.

Impact:
Links that are DOWN stay operationally UP. This can lead to erroneous LACP and/or LAG state.


1359277 : ConfD CLI timed out and subsequently sees Error: application communication failure

Links to More Info: BT1359277

Component: F5OS-A

Symptoms:
CLI times out if the respective action is not completed within the specified time interval.

Conditions:
The action to perform takes more time than the specified timeout interval.

Impact:
Unable to perform ConfD action.

Workaround:
The respective container can be restarted or a system reboot can be performed.

Fix:
Previously, when a timeout event occurred, the CLI disconnected from the handler and was not able to connect to it again to perform subsequent actions.
A fix has been implemented so that the CLI reconnects successfully after a timeout event. This prevents the application communication failure error. You might still see a timeout when the system is busy, but you will still be able to perform the required actions a few minutes/seconds later.


1355277-2 : Incorrect Vlan Listeners when a Static FDB is configured

Links to More Info: BT1355277

Component: F5OS-A

Symptoms:
When a Static FDB is configured on an interface, Vlan Listeners associated with that interface will have an extra Service ID configured for Service ID 1.

Conditions:
A Static FDB is configured on an interface.

Impact:
Extra broadcast traffic will be generated on the system, which could affect performance.

Workaround:
N/A

Fix:
N/A


1355113-1 : VELOS software upgrade does not inform about KubeVirt component upgrade

Component: F5OS-A

Symptoms:
During F5OS software upgrades with VELOS chassis systems, there is a lack of visibility into which individual software components will be updated before the upgrade. This can lead to tenant degradation. In particular, when upgrading system controllers, the upgrade may include an update to the KubeVirt Kubernetes Extension, which will disrupt tenant operations.

Conditions:
VELOS F5OS system controller software upgrades include an update to the KubeVirt Kubernetes Extension.

Impact:
The traffic of all tenants that have been deployed will be disrupted.

Workaround:
None

Fix:
During an F5OS software upgrade on VELOS chassis systems, it is important to consider that the traffic of deployed tenants may experience temporary interruptions until the upgrade is finished.


1354373-1 : WebUI malfunctions when navigating to HSM Details with inactive FIPS drivers

Links to More Info: BT1354373

Component: F5OS-A

Symptoms:
If the FIPS card is not initialized properly due to inactive FIPS drivers, navigating to certain pages will break the webUI.

Conditions:
When the FIPS card is not initialized properly due to inactive FIPS drivers, the "HSM Details" and "Add FIPS Partition" screens on the webUI break.

Impact:
A blank screen appears, and users are unable to see the left navigation bar to switch to other screens.

Workaround:
To work around this issue, remove the screen name from the URL, which will navigate the user to the dashboard screen.

Fix:
On a system where the FIPS card is not initialized properly, navigating to the "HSM Details" and "Add FIPS Partition" screens no longer results in a break.


1354341 : Changing a VLAN from trunked (tagged) to native (untagged) on a LAG in a single transaction can cause traffic outage

Links to More Info: BT1354341

Component: F5OS-A

Symptoms:
Traffic outage after changing a VLAN assigned to a LAG from Trunk to Native in a single commit.

Conditions:
Changing a VLAN assigned to a LAG from Trunk to Native in a single commit.

Impact:
Traffic outage.

Workaround:
First remove the Trunk VLAN from the LAG, then commit the change. Then add the Native VLAN to the LAG and commit the change.


1354329 : It is possible to create a user with 'tenant-console' as its primary role (without creating a tenant) from the ConfD CLI

Component: F5OS-A

Symptoms:
Admin can create a user with 'tenant-console' as its primary role from the ConfD CLI. This may create tenant console access issues if a tenant gets created with the same name as the user. The 'tenant-console' role is reserved for tenants, so it shouldn't be possible to create a user with the 'tenant-console' role.

Conditions:
Admin has created a user with the 'tenant-console' role and is now trying to create a tenant with the same name as the user.

Impact:
Console access to the tenant won't be working.

Workaround:
N/A

Fix:
The issue will be fixed by providing a validation handler so that no user other than the 'tenant-console' user can have the 'tenant-console' role.


1354053 : Suppress LOP SEEPROM object did not find errors during re-licensing

Component: F5OS-A

Symptoms:
During licensing, F5OS can request data from platform SEEPROM that has not been programmed into the SEEPROM. In such cases, platform-hal logs an error message:

appliance-1 platform-hal[8]: priority="Err" msg="Action Error" index=0 message="LOP Result Error: SeepromObjectNotFound (0x11)"

Conditions:
During licensing, platform-hal requests un-programmed values. Therefore, an error message is logged in the platform log.

Impact:
These log messages are not harmful and do not impact the operation of the system.

Workaround:
None

Fix:
To suppress these messages, upgrade to a newer version of F5OS. Updated F5OS versions suppress these messages, so they no longer appear in the logs.
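
On versions that still log these messages, and the platform-hal "Requested Sensor, data, or record not present." messages described under ID 1388745, the log has to be filtered before review. The following is an added example, not F5 tooling: it separates the two message strings quoted in these notes from everything else and counts what it set aside. The line layout is assumed from the two samples on this page, and every sample line other than those two is constructed.

```python
"""Set aside known-benign platform-hal noise from platform.log before review."""
import re
from collections import Counter

# The two message strings these release notes describe as harmless.
KNOWN_NOISE = (
    "Requested Sensor, data, or record not present.",   # ID 1388745
    "LOP Result Error: SeepromObjectNotFound (0x11)",    # ID 1354053
)

# "<host> <process>[<pid>]: <key=value ...>"; search() tolerates any prefix
# (for example a timestamp) that a real log file may put in front.
LINE_RE = re.compile(r'(?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<body>.*)$')
# key="quoted value, may contain commas" or key=bare
FIELD_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

_SENSOR = ('appliance-1 platform-hal[8]: priority="Err" msg="Action Error" index=0 '
           'message="Requested Sensor, data, or record not present." '
           'interface="job-%d" actionKey="GET:lop/pel" jobId=%d')

SAMPLE_LINES = [
    _SENSOR % (665402, 665402),          # line quoted in the release note
    _SENSOR % (665403, 665403),          # constructed repeat
    _SENSOR % (665404, 665404),          # constructed repeat
    'appliance-1 platform-hal[8]: priority="Err" msg="Action Error" index=0 '
    'message="LOP Result Error: SeepromObjectNotFound (0x11)"',   # from the note
    # Constructed lines that must survive the filter:
    'appliance-1 platform-hal[8]: priority="Err" msg="Action Error" index=0 '
    'message="constructed unrelated failure" actionKey="GET:bmc/sensors" jobId=665405',
    'appliance-1 example-daemon[12]: priority="Err" msg="constructed line from another service"',
]


def parse_line(line):
    """Return {'host', 'proc', 'pid', 'fields'} or None if the layout differs."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {key: (bare if bare else quoted)
              for key, quoted, bare in FIELD_RE.findall(m.group("body"))}
    return {"host": m.group("host"), "proc": m.group("proc"),
            "pid": int(m.group("pid")), "fields": fields}


def triage(lines):
    """Split lines into (keep, noise_counts).

    A line is set aside only when it is a platform-hal "Err" record whose
    message is exactly one of KNOWN_NOISE. Anything unparsed or unfamiliar is
    kept, so the filter cannot hide a new error behind an old one."""
    keep, noise = [], Counter()
    for line in lines:
        rec = parse_line(line)
        fields = rec["fields"] if rec else {}
        if (rec and rec["proc"] == "platform-hal"
                and fields.get("priority") == "Err"
                and fields.get("message") in KNOWN_NOISE):
            noise[(fields["message"], fields.get("actionKey", "-"))] += 1
        else:
            keep.append(line)
    return keep, noise


if __name__ == "__main__":
    kept, counts = triage(SAMPLE_LINES)
    for (message, action), n in counts.most_common():
        print("set aside %d x %r (actionKey=%s)" % (n, message, action))
    print("\n".join(kept))
```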


1353161 : Snmpd daemon stuck in loop deleting and recreating 'system snmp communities community' entry after recreating and deleting SNMP config a few times

Component: F5OS-A

Symptoms:
Snmpd daemon stuck in loop deleting and recreating 'system snmp communities community' entry after recreating and deleting SNMP config a few times.

Conditions:
1. Put an SNMP configuration, e.g.:

curl -sku admin:admin -H "content-type: application/yang-data+json" https://localhost/api/data/openconfig-system:system/f5-system-snmp:snmp -XPUT -d @put2.json

# jq -c . <put2.json
{"f5-system-snmp:snmp":{"targets":{"target":[{"name":"i10_2_108_100","config":{"name":"i10_2_108_100","community":"verynicecommunity","security-model":"v2c","ipv4":{"address":"10.2.108.100","port":162}}},{"name":"i10_2_108_101","config":{"name":"i10_2_108_101","community":"verynicecommunity","security-model":"v2c","ipv4":{"address":"10.2.108.101","port":162}}}]},"communities":{"community":[{"name":"verynicecommunity","config":{"name":"verynicecommunity","security-model":["v2c"]}}]},"engine-id":{"config":{"value":"mac"}}}}
#

2. Wait 10 seconds or so

3. Delete/clear the SNMP config, using one of the two methods:

a. curl -sku admin:admin -H "accept: application/yang-data+json" https://localhost/api/data/openconfig-system:system/f5-system-snmp:snmp -XDELETE
b. from the confd CLI in config mode:
no system snmp ; commit no-confirm

4. Wait 15 seconds, while monitoring /var/log/messages for repeating audit messages related to the SNMP config.

5. Repeat first three steps.

Impact:
High CPU and inconsistent state (SNMP community string comes and goes from 'show running-config system snmp' output while the user is watching it).

Workaround:
Restart snmpd container using docker command.

Fix:
We obsoleted old SNMP configuration commands.

Behavior Change:
In the latest F5OS releases (from F5OS-A-1.2.x and F5OS-C-1.6.x onwards), SNMP configuration commands have been simplified. For backward compatibility, the old-style SNMP configuration works until F5OS 1.7.0, with a confirmation warning in the CLI asking the user to use the new simplified SNMP commands; the old-style commands will be obsolete in future releases.

In the latest release (from F5OS-A-1.8.x and F5OS-C-1.8.x), the old SNMP configuration commands are obsolete.


1353085 : Configure admin/operator roles in LDAP without uidNumber or gidNumber attributes

Component: F5OS-A

Symptoms:
In previous versions of F5OS, when using LDAP for third-party authentication, having uidNumber and gidNumber LDAP attribute mappings was required. These attributes are common on Unix systems and Unix-based directories, but are optional in Windows environments. In Windows environments (for example, Active Directory), the admin may be required to manually add uidNumber attributes to users, and gidNumber attributes to admin/operator groups.

Conditions:
Third-party LDAP authentication using Active Directory or other LDAP directory where uidNumber and gidNumber attributes are not provided by default.

Impact:
In the above conditions, administrators are required to add uidNumber attributes to users in the directory, and gidNumber attributes to admin/operator groups.

Workaround:
Create uidNumber/gidNumber attributes if not present in the directory.

Fix:
A feature was added to map LDAP groups to F5OS roles using LDAP filter (group names) instead of numeric IDs. Additionally, code was added to use objectSid mapping instead of uidNumber/gidNumber to eliminate the need to create missing attributes in Active Directory environments.


1352845 : Some internal log content may not appear in external log server

Links to More Info: BT1352845

Component: F5OS-A

Symptoms:
When a remote log server is configured, some internal log content may not appear in the logs on the remote server. Notable are logs related to audit login failures.

Conditions:
A remote logging server is configured. Log messages do not appear on the remote server when a user repeatedly tries to log in with the wrong password, causing account lockout.

Impact:
Brute-force password attack indications may not be seen on external log server.

Workaround:
For logs of this type, consult the log files directly on the appliance.


1352449 : iHealth upload is failing with error "certificate signed by unknown authority"

Links to More Info: BT1352449

Component: F5OS-A

Symptoms:
When attempting to use the QKView upload feature, the upload may fail with the message "certificate signed by unknown authority". This is due to a recent change in certificate authority that is inconsistent between F5OS and iHealth.

Conditions:
Always, after mid-September 2023.

Impact:
Unable to upload QKView files to iHealth with a single click.

Workaround:
Users may use the File Export feature to download QKView files to their PCs, and then upload those files to iHealth.

You can find the qkview files in the GUI at System Settings :: File Utilities, then choose "diags/shared" as the base directory, then select "qkview".

Fix:
Certificate authorities used by the iHealth upload feature in F5OS will be updated.


1352421 : L2 services (LACP/LLDP) are down on r2000 and r4000 series appliances

Links to More Info: BT1352421

Component: F5OS-A

Symptoms:
LLDP and LACP will appear to be non-functional on the F5OS system.

LLDP/LACP PDUs reach the F5OS system, which can be verified with tcpdump.

Conditions:
-- r2000 and r4000 series appliances.
-- LLDP or LACP is configured.
-- Links are up.

Impact:
L2 protocols fail to negotiate or register inbound data.

Workaround:
Reboot.


1352353-3 : Remove integrity-check configurable option from CLI

Links to More Info: BT1352353

Component: F5OS-A

Symptoms:
In F5OS systems, root and admin users are allowed to toggle the integrity-check option from the CLI. When in FIPS mode, integrity-check should always execute on system startup and on demand. Since the integrity-check option is configurable, users can disable it, which puts the integrity of the system at risk.

Conditions:
The configurable integrity-check option is visible when the device is in FIPS mode.

Impact:
An admin or root user could access the CLI and disable integrity-check. This could allow files and packages to be replaced, which could impact the integrity of the system.

Workaround:
N/A

Fix:
We have removed the enable/disable integrity-check option from the CLI.


1352045 : Not able to connect to tenant console via virtctl after upgrade

Links to More Info: BT1352045

Component: F5OS-A

Symptoms:
Unable to connect to the tenant console via virtctl after upgrading from an older version to 1.7.0. This happens only if a virtctl console is active during the upgrade. After upgrading, a stale kubectl process with older certificates is present, which causes errors.

Conditions:
A virtctl console is active for a tenant at the same time a live upgrade is initiated.

Impact:
Not able to connect console to any tenant after upgrade to 1.7.0.

Workaround:
Kill kubectl process manually.

Fix:
User is able to connect to the tenant console via virtctl after upgrading.


1351981 : QAT count is not dynamically updated for active tenants after license upgrade

Component: F5OS-A

Symptoms:
The QAT count of BIG-IP Next tenants does not change for active tenants after license upgrade.
The QAT count does not match the expected value for the particular license.

Conditions:
The issue is seen only for BIG-IP Next tenants that are deployed with the old license.

Impact:
Incorrect QAT count for active (old) BIG-IP Next tenants.
No impact on new tenants after license upgrade.
No impact on BIG-IP tenants.

Workaround:
Deployed BIG-IP Next tenants need to be moved to configured and back to deployed for the right QAT value to be updated.

Fix:
N/A


1351893-2 : ConfD Logging 'Failed to change working directory' Error Message

Links to More Info: BT1351893

Component: F5OS-A

Symptoms:
When running the tcpdump client from the ConfD command line interface, ConfD logs 'failed to change working directory /var/roothome' error message in the devel.log file.

Conditions:
Running tcpdump client from the ConfD CLI.

Impact:
No known impact.

Workaround:
No workaround.

Fix:
When ConfD executes external commands, the working directory is set to the user home directory by default. ConfD logs an error if it is unable to find the user's home directory.


1351541-4 : Unable to remove the ISO images that share the same minor version with the running version

Component: F5OS-A

Symptoms:
Removal of an ISO (controller/partition/appliance) fails when it shares the same minor version as the running version.

Example: Import 1.5.1 and upgrade the system to 1.6.1. Later, import 1.6.2 (1.6.*) and upgrade the system to 1.6.2. When the system is on 1.6.2, you are unable to delete 1.6.1.

Conditions:
The major and minor version of the current ISO must be the same as the ISO version that is being removed/deleted.

Impact:
Unable to remove the unused ISO.

Workaround:
For controller/appliance, you must remove the ISO while running a software version that has a different minor release. For example, you can remove 1.6.1-5555 while running ISO version 1.5.X or 1.7.X.
 
For partition, disable and unset the ISO versions of any partitions that use the same minor version of the ISO that needs to be removed. For example, you can remove 1.6.1-5555 by disabling all the partitions running on 1.6.X and de-configure the SW versions.


1351529 : Fixing the log issue stating "UNSUPPORTED STP state" when STP global is configured

Links to More Info: BT1351529

Component: F5OS-A

Symptoms:
A log message appears, stating "UNSUPPORTED STP state" when STP global is configured to RSTP.

Conditions:
Removing the global config (initially set to STP) and setting it to RSTP.

Impact:
Reliable and correct log messages.

Workaround:
NA


1349977 : Setup wizards fails and immediately exits if it is given incorrect credentials.

Links to More Info: BT1349977

Component: F5OS-A

Symptoms:
If incorrect credentials are entered while using the setup wizard tool, it fails and exits immediately without allowing the user to correct the given credentials.
The setup wizard utility should make it clear that only non-root admin accounts can be used.

Conditions:
Incorrect credentials are passed to the setup wizard tool.

Impact:
User is not given the chance to correct incorrect credentials.


1349953 : Setup wizard script gives an "All IP addresses must be unique" error when NTP and DNS servers match

Links to More Info: BT1349953

Component: F5OS-A

Symptoms:
When the given IP addresses of NTP and DNS servers match, the setup wizard script gives the error, "All IP addresses must be unique" even though it is a valid configuration.

Conditions:
The IP addresses of NTP and DNS servers given to the Setup wizard tool are the same.

Impact:
Through the setup wizard tool, the user is not able to provide the same IP address for NTP and DNS servers, which is a valid configuration.

Workaround:
The same IP address for NTP and DNS servers can be configured using the webUI or CLI instead of the setup wizard tool.


1349001 : F5OS VELOS is polled as Unix device by SNMP using BMC Discovery

Links to More Info: BT1349001

Component: F5OS-A

Symptoms:
Hostname polling via SNMP interface is not available.

Conditions:
Using SNMP

Impact:
You are unable to see the hostname using SNMP interface.

Workaround:
None

Fix:
Users can get the hostname via the SNMP interface using the following OID:

SNMPv2-MIB::sysName.0


1348989 : GUI virtual server CLI has different limitations for days-valid

Links to More Info: BT1348989

Component: F5OS-A

Symptoms:
The range of acceptable values for days-valid for a certificate had inconsistent range limits between the GUI and CLI.

Conditions:
Creating a self-signed certificate.

Impact:
Possible to enter a value that cannot be reflected in both the GUI and CLI.

Workaround:
Limit the number of days-valid to the smaller of the two limits (65535).

Fix:
Both the CLI and the GUI now have the same range limits.


1348509 : Incorrect file path reported in the telemetry log records

Links to More Info: BT1348509

Component: F5OS-A

Symptoms:
Incorrect file path reported in the telemetry log records.

Conditions:
N/A

Impact:
The log file data being collected for telemetry is:
/var/F5/system/log/platform.log.

However, the file location value in the telemetry log records is shown as /var/F5/partition/log/platform.log.

Workaround:
N/A

Fix:
N/A


1348145 : Observing 'Failed to send restarting msg to VF' during reboot with tenants deployed causing reboot time to increase

Links to More Info: BT1348145

Component: F5OS-A

Symptoms:
While rebooting with tenants deployed, the reboot time increased by 2-3 minutes. A "Failed to send restarting msg to VF" message also appears.

Conditions:
Occurs when rebooting a system where tenants are deployed.

Impact:
No functional impact.

Workaround:
N/A

Fix:
Rebooting time is no longer negatively impacted by tenants being deployed.


1348093 : Appliance-setup-wizard traceback on invalid NTP input

Component: F5OS-A

Symptoms:
The appliance setup wizard throws an uncaught Python traceback if you enter non-numeric input for the NTP port:

[root@appliance-1 ~]# appliance-setup-wizard
Traceback (most recent call last):
  File "/usr/bin/appliance-setup-wizard", line 1355, in <module>
    curses.wrapper(main)
  File "/usr/lib64/python2.7/curses/wrapper.py", line 43, in wrapper
    return func(stdscr, *args, **kwds)
  File "/usr/bin/appliance-setup-wizard", line 1329, in main
    if scene.setting.is_valid(input_string) is not True:
  File "/usr/bin/appliance-setup-wizard", line 282, in is_valid_ntp_port
    int(input_string) < MIN_NTP_PORT or
ValueError: invalid literal for int() with base 10: 'abc'

Conditions:
Giving a non-numeric value as the NTP port when configuring via the setup wizard.

Impact:
Throws an uncaught Python traceback.

Workaround:
None

Fix:
Fixed in F5OS-A 1.8.0
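
The traceback above is int() raising ValueError inside is_valid_ntp_port on the input 'abc'. The following is an added example (not F5's wizard code, and written for Python 3 rather than the Python 2.7 shown in the traceback) of a validator that returns False instead of raising, plus a guard for the input loop. The port bounds, MAX_NTP_PORT and safe_is_valid are assumptions.

```python
# Added example, not F5's wizard code. MIN_NTP_PORT appears in the traceback,
# but its value does not; both bounds below are assumptions.
MIN_NTP_PORT = 1
MAX_NTP_PORT = 65535  # hypothetical name


def parse_ntp_port(input_string):
    """Return the port as an int, or None when the text is not a usable port."""
    if not isinstance(input_string, str):
        return None
    text = input_string.strip()
    # ASCII digits only. int() alone accepts "+123", "1_23" and non-ASCII
    # digits, and raises ValueError on "abc", which is the crash shown above.
    if not text or not text.isascii() or not text.isdigit():
        return None
    # Reject over-long digit strings before converting them.
    if len(text) > len(str(MAX_NTP_PORT)):
        return None
    port = int(text)
    if port < MIN_NTP_PORT or port > MAX_NTP_PORT:
        return None
    return port


def is_valid_ntp_port(input_string):
    """Boolean form for a caller that tests `is_valid(...) is not True`."""
    return parse_ntp_port(input_string) is not None


def safe_is_valid(validator, input_string):
    """Run any validator so that an exception counts as invalid input.

    Keeps an interactive input loop alive if some validator still raises.
    Returns a tuple (ok, message).
    """
    try:
        ok = validator(input_string) is True
    except (ValueError, TypeError, OverflowError) as exc:
        return False, "invalid input: %s" % exc
    return ok, ("" if ok else "value rejected")
```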


1341909 : Command 'show component' does not show psu-power-in and psu-power-out in CLI and API

Component: F5OS-A

Symptoms:
The command does not show psu-power-in and psu-power-out in CLI and API.

Conditions:
Running show components component <psu> in confd

Impact:
PSU power details are not retrieved using the ‘show component’ command.

Workaround:
PSU power details can be retrieved through the following HAL APIs:

docker exec -it platform-hal psf run GET:lop/object/sensor-psu-power-in

docker exec -it platform-hal psf run GET:lop/object/sensor-psu-power-out

Fix:
The ‘show component’ command shows psu-power-in and psu-power-out in CLI and API.


1341869-1 : Failed to delete tenant pods

Component: F5OS-A

Symptoms:
Stale tenant pods will persist in Kubernetes.

kubectl get pods will list the tenant pods, although tenants are deleted.

Conditions:
When a user deploys 10 to 15 tenants and deletes all of them at the same time.

Impact:
Deleted tenant resources will still be running in Kubernetes and consuming resources.

Workaround:
Create a tenant with the same name and delete it.

Fix:
N/A


1341521 : Incorrect subnet mask returned for GET call for /systems

Links to More Info: BT1341521

Component: F5OS-A

Symptoms:
The GET call for /systems returns the wrong subnet mask for the management IP on VELOS and rSeries.

Conditions:
BIG-IP Next instances on VELOS and rSeries.

Impact:
Does not impact any functionality. GET API call for /systems returns the wrong subnet mask for the management IP.

Workaround:
Log in to the machine/tenant and check the management IP address by using the ip addr show command.

Fix:
N/A


1338601-1 : On multi tenants cases on system reboots tenant goes to INOPERATIVE state

Component: F5OS-A

Symptoms:
- Tenant state shows running ConfD.
- Tenant management IP is not reachable.
- Inside tenant VM, prompt shows INOPERATIVE.

Conditions:
Issues observed on system reboots when a higher number of tenants (>36) is deployed on r12k.

Impact:
Tenant goes to inoperative state.

Workaround:
Move the tenant to configured and then to deployed state, with a little delay.

Fix:
N/A


1338521 : Unable to login when accessing F5OS GUI through a network proxy on a port other than 443.

Links to More Info: BT1338521

Component: F5OS-A

Symptoms:
Users are not able to log in to the UI when trying to access F5OS GUI through a network proxy running on a port other than 443.

Conditions:
The GUI is accessed via a network proxy running on a port other than 443.

Impact:
Users are not able to log in to the GUI.

Workaround:
None

Fix:
The GUI now reads the port along with the hostname from the URL and can use the port in making API calls (including login API calls).


1338505 : Qkview is not collecting log data from kubernetes pods

Component: F5OS-A

Symptoms:
Qkview does not collect log data from Kubernetes pods found on an F5OS appliance.

Conditions:
-- F5OS-A
-- Qkview

Impact:
Limited ability to diagnose kubernetes pod issues

Workaround:
Collect log files for kubernetes pods manually.

Use the command:
kubectl logs <pod-name>

Fix:
Qkview will now collect kubernetes pod logs.


1332997 : Device stuck at "unmounting containers" after performing reboot

Links to More Info: BT1332997

Component: F5OS-A

Symptoms:
When a console session to any tenant on F5OS-A is open (using virtctl console <tenant_name>) and you reboot the system, the system might sometimes get stuck at "unmounting containers" during the reboot.

Conditions:
Open the console session to any of the tenants using virtctl utility and reboot the system.

Impact:
After rebooting, system takes time to fully start up.

Workaround:
Power off and on the system whenever the issue is hit.

Fix:
Fixed the issue related to device stuck at unmounting containers after the reboot.


1332781 : A remote user with the same username as the local F5OS user will be granted the local user's roles

Links to More Info: BT1332781

Component: F5OS-A

Symptoms:
If you create a remote user on the RADIUS, TACACS+, or LDAP servers with the same username as a local F5OS user, the remote user will be granted the local user's roles upon authentication.

Conditions:
A remote user is created with the same username as a local user and remote authentication is enabled.

Impact:
Remote user will take the local user's privileges.

Workaround:
Do not create a remote user with the same username as the local user. If you have already created one, change the username for either the local user or the remote user.

Fix:
If a remote user is created with the same username as a local user, the remote user's authentication will be rejected. Only the local user will have access to the F5OS system.


1332293 : Tcpdump performed with an interface filter on VELOS or rSeries will show broadcast traffic from all interfaces

Links to More Info: BT1332293

Component: F5OS-A

Symptoms:
When performing a tcpdump in VELOS or an rSeries appliance, a traffic capture limited to a specific interface will show broadcast traffic hitting other interfaces.

Conditions:
- VELOS platform or r5000 / r10000 / r12000 series appliance
- Running a packet capture on a specific interface (e.g. 1/1.0 or 1.0)

Impact:
This can cause confusion or impede troubleshooting when unexpected broadcast traffic is seen in a capture such as ARP or Miscabling Protocol traffic.

Workaround:
None

Fix:
This issue is now corrected.


1330429 : Port Mappings screen on webUI displays "GB" for bandwidth instead of "Gb"

Links to More Info: BT1330429

Component: F5OS-A

Symptoms:
When a user navigates to the "Port Mappings" screen on the webUI, Capacity Bandwidth and Allocated Bandwidth incorrectly display "GB" as the units. It should be "Gb" [gigabit].

Conditions:
Going to the "Port Mappings" screen on the webUI.

Impact:
This does not affect the functionality. Capacity Bandwidth and Allocated Bandwidth values are correct except for the units.

Workaround:
N/A

Fix:
The "Port Mappings" screen now displays appropriate units for Capacity Bandwidth and Allocated Bandwidth, correcting the representation to "Gb."


1329797 : RADIUS user logs in through the WebUI without configuring the F5-F5OS-UID, will be disconnected after 10 minutes

Links to More Info: BT1329797

Component: F5OS-A

Symptoms:
When a RADIUS user is configured without F5-F5OS-UID and then logged in through the WebUI, they will be disconnected after 10 minutes. This problem has also been observed with other remote authentication methods where the UID and GID are configured.

Conditions:
1) Create a RADIUS user without F5-F5OS-UID configured.
2) Log in as the RADIUS user through the WebUI.

Impact:
If logged in as the RADIUS user through the WebUI, they will be disconnected after 10 minutes. This problem has also been observed with other remote authentication methods where the UID and GID are configured.

Workaround:
To avoid encountering this problem, the F5-F5OS-UID should be provided. Additionally, the UID for every user (which spans across all remote users as well as local users) should be unique (or have the same GID).

Fix:
UID no longer defaults to 1001 for RADIUS and TACACS+ users. UID is assigned from the range 40,000 - 65,000 for remote users.


1329449-1 : Missing days-valid, store, and key type logging items of a certificate

Component: F5OS-A

Symptoms:
Most of the certificate request fields are logged, but the days-valid, store, and key type fields are not. This was because some fields were added for the creation of the certificate and the logging was done as part of the certificate request.

Conditions:
Always

Impact:
The user will still see logging of all items used in the creation of a self-signed certificate, except for a few that are not necessary for the certificate request.

Workaround:
Check the history and observe the values that were entered.

Fix:
The key type and days-valid will now be logged. The store-tls is a logic value and is not logged.


1329021-2 : Display order of interfaces/portgroups in ConfD CLI are not in numerical order

Links to More Info: BT1329021

Component: F5OS-A

Symptoms:
Interfaces/portgroups are not listed in numerical order when viewing from the ConfD CLI.

Conditions:
Occurs when running the following commands on the ConfD CLI:

show interfaces interface state oper-status

show running-config portgroups portgroup

Impact:
Affects readability.

Workaround:
N/A

Fix:
Interfaces/portgroups are now listed in numerical order when displayed from the CLI.


1328405 : F5OS system stopped generating tmstat snapshots

Links to More Info: BT1328405

Component: F5OS-A

Symptoms:
The F5OS system is not generating the tmstat snapshots, which help in diagnosing issues.

Conditions:
System is running an affected version of F5OS software (F5OS-A 1.2.0 and above, or F5OS-C 1.6.0 and above).

Impact:
Impacts the supportability of the device; the support teams usually rely on the snapshots while working on field issues.


1327689 : Manually remove root and user keys before entering Appliance Mode

Component: F5OS-A

Symptoms:
In order to enter appliance mode, the root and other user public keys must be removed from /root/.ssh/authorized_keys.

Conditions:
Configuring appliance mode on an F5OS device.

Impact:
Misconfiguration within Appliance Mode.

Workaround:
If any keys were manually added prior to enabling Appliance Mode, remove them.
https://my.f5.com/manage/s/article/K000140791

As a best practice, limit network access to the control plane to trusted users.

Note: Users may disable Appliance Mode in order to perform the mitigations above.

Fix:
Appliance Mode is configured as expected.


1327137 : Interfaces take longer than expected to come up

Links to More Info: K000138753

Component: F5OS-A

Symptoms:
-- Interfaces take longer than expected to be marked UP (40+ seconds)
-- LACP status remains down until the interfaces are marked UP

Conditions:
-- rSeries appliance
-- F5OS-A
-- 100G interfaces

Impact:
For SFP/QSFP interfaces:
-- 25G/10G interfaces take over 10 seconds to be marked UP
-- 100G interfaces take 30+ seconds to be marked UP.

Workaround:
None


1326125 : RADIUS authentication fails if F5-F5OS-HOMEDIR attribute is not specified

Links to More Info: BT1326125

Component: F5OS-A

Symptoms:
Authenticating F5OS users against an external RADIUS server fails if the server does not specify an F5-F5OS-HOMEDIR attribute.

The F5-F5OS-HOMEDIR attribute is supposed to be optional.

Conditions:
F5OS system authenticating against a RADIUS server

Impact:
F5OS authentication fails even if the server sends back the required F5-F5OS-GID attribute.

Workaround:
Configure the RADIUS server to include an F5-F5OS-HOMEDIR attribute with a value of "/tmp"


1325893 : A vqf-dm system software core file is occasionally observed on system reboot

Component: F5OS-A

Symptoms:
The line-dma-agent or vqf-dm occasionally hits a cosmetic failure state as the entire system is rebooting, with no effect on the state of the system.

Conditions:
Traffic is being sent to a tenant while rebooting, and the tcp-dump-daemon system software does not get shut down before the line-dma-agent.

Impact:
A core file is observed on the system after the system finishes rebooting.

Workaround:
N/A

Fix:
A decision has to be made about some older code in the line-dma-agent in order to avoid this cosmetic core file.


1324269 : LCD "System - Power On" option may not be available immediately after system is powered off

Component: F5OS-A

Symptoms:
The "System - Power On" option on the LCD may not be available immediately after the system is powered off.

It may take some time before the LCD recognizes the system has been powered off and provides access to the "Power On" option within the "System" menu.

Conditions:
System is powered off yet the "System - Power On" option is not available on the LCD.

Impact:
Power-on via the LCD will not be available until the LCD recognizes that the system is powered down and makes the "Power On" option available.

As an alternative, the system may be powered on via the AOM menu.

Workaround:
Use the AOM menu to power on the system instead of the LCD.

Fix:
Fixed in LCD UI v1.13.10 and later.


1324257 : 4600 does not boot up after a shutdown

Component: F5OS-A

Symptoms:
Powering on the system does not take you back to the "System" menu

Conditions:
Powering on the system via the LCD UI

You may briefly see a "Please wait" message which quickly disappears, after which you see the Power On menu again.

Impact:
The rSeries LCD power control options are unreliable and do not give adequate information about the state of powering on

Workaround:
None

Fix:
"System" page options with confirmation pop-ups now (correctly) navigate back to the "System" page after confirming via the pop-ups.


1322921 : FEC configuration support for 25G interfaces on r2000/r4000

Component: F5OS-A

Symptoms:
All previous releases of F5OS-A did not support manual FEC configuration.

Conditions:
The r2000/r4000 is using the 4x25G port-profile mode.

Impact:
Unable to manually configure forward error correction.

Workaround:
None

Fix:
This release adds support for manual FEC configuration for the 25G interfaces.


1322817 : BIND vulnerability CVE-2023-2828

Links to More Info: K000135312, BT1322817


1322685 : Tcpdump sessions are terminated when interfaces are enabled or disabled.

Links to More Info: BT1322685

Component: F5OS-A

Symptoms:
All tcpdump sessions terminate abruptly when an administrator enables or disables an interface on the system, even if the interface is not participating in the tcpdump session.

Conditions:
When an administrator enables or disables an interface on the system.

Impact:
All the current running tcpdump sessions are terminated and have to be restarted.

Workaround:
Do not make modifications to interfaces when the tcpdump sessions are active.

Fix:
None


1316097-4 : LAGs not programmed when adding VLAN to LAG

Links to More Info: BT1316097

Component: F5OS-A

Symptoms:
Traffic from a LAG is not reaching the tenant.

Conditions:
1) Add a VLAN to a LAG and add that VLAN to a tenant in the same commit.

2) Configuration read following blade reboot.

Impact:
LAGs are not programmed; traffic doesn't reach tenant.

Workaround:
Workaround for condition (1): Add the VLAN to the LAG, commit; then add the VLAN to the tenant.

Fix:
Fixed usage of mutexes to prevent deadlock when LAG programming is happening in parallel with VLAN programming.


1307577-2 : Add more resilience to the file download API

Links to More Info: BT1307577

Component: F5OS-A

Symptoms:
If basic authentication is being used in place of the x-auth-token, then the system blocks the requests and eventually stales in the request queue.

Conditions:
Use of basic authentication instead of the x-auth-token causes this situation in file download.

Impact:
No new download requests can be made.

Workaround:
Restart the platform-services.

Fix:
N/A


1307565-2 : The file download API is not working with the x-auth-token header

Links to More Info: BT1307565

Component: F5OS-A

Symptoms:
The x-auth-token in the header of the request is not working for file download.

Conditions:
Try to download a file using the file download API with the x-auth-token header.

Impact:
The file download fails when using the file download API with the x-auth-token header.

Workaround:
Pass x-auth-token as part of the form-data of the API instead of in the header.

Fix:
N/A


1306233 : Low mixed IPv4/IPv6 performance

Component: F5OS-A

Symptoms:
Mixed IPv4/IPv6 performance does not increase after changing the ‘PVA Offload Initial Priority’ (fastl4 profile) to ‘High’.

Conditions:
Mixed IPv4 and IPv6 traffic with ‘PVA Offload Initial Priority’ (fastl4 profile) set to ‘High’.

Impact:
Lower than expected performance of mixed IPv4 and IPv6 traffic.

Workaround:
None

Fix:
Lower the allowable rate of incoming broadcast/DLF packets.


1305005 : Error handling in F5OS file-download API

Links to More Info: BT1305005

Component: F5OS-A

Symptoms:
Upon file download failure, API is returning an Apache error page that isn't an F5OS-specific error and isn't aligned with other F5OS API errors. This is a negative user experience.

Conditions:
Due to unhandled errors, when data not in the FormData format is passed through a curl request, an Apache error page is returned, which is not aligned with other F5OS API errors.

Impact:
There is no functional impact. It is a negative user experience.

Workaround:
N/A

Fix:
All errors are handled in the file-download API and aligned with other F5OS API errors, with no more Apache error pages in error cases.


1304921 : F5OS file download API does not work with basic authentication

Component: F5OS-A

Symptoms:
File upload and download using basic auth is not supported.

Conditions:
When trying to upload or download the file from F5OS using basic auth.

Impact:
Upload/download failed with authentication error.

Workaround:
None

Fix:
The file download API works with basic auth and x-auth-token.


1304765-3 : A remote LDAP user with an admin role is unable to make config changes through the F5 webUI

Links to More Info: BT1304765

Component: F5OS-A

Symptoms:
When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.

Conditions:
Local GID is being mapped to a remote GID.

Impact:
The admin user mapped to a remote GID cannot access the ConfD config mode.

Fix:
Update the system to the version with the fix.


1304085-1 : Unable to set local user's password if the same user exists on a remote LDAP server

Links to More Info: BT1304085

Component: F5OS-A

Symptoms:
If a user exists locally (in F5OS) as well as on a remote LDAP server, and LDAP-based authentication is configured as an accepted authentication method, attempting to set the user's local password in F5OS will fail. In the ConfD CLI, an error like the following will be observed:

syscon-1-active(config)# system aaa authentication users user ldap_user config set-password
Value for 'password' (<string>): ****************
Error: Rejected,
Configured password-policy:
min-length:6
required-differences:8
max-letter-repeat:3
policy applies to root:true

It should be emphasized that in the case of such duplicate user definitions locally/remotely, the local user's credentials will need to be used to login even if remote authentication is preferred.

Conditions:
A user exists locally (in F5OS) as well as on a remote LDAP server, and LDAP-based authentication is configured as an accepted authentication method.

Impact:
Unable to set the local user's password.

Workaround:
Temporarily remove LDAP as an authentication method, set the user's password, and then re-configure the preferred authentication method(s).

Fix:
Fixed issue with setting a local user's password when an identically named user exists on a remote LDAP server and LDAP is enabled as an authentication method


1300749 : Syslog target files do not use the hostname configured via system user interface.

Links to More Info: BT1300749

Component: F5OS-A

Symptoms:
Syslog target files, for example: /var/F5/system/log/platform.log, use a hardcoded nodename for every device as a hostname.

Conditions:
No special conditions.

Impact:
In a remote log collector, source IPs are the only way to differentiate among devices.

Workaround:
It is possible to use an iRule workaround that replaces custom strings in syslog traffic depending on the client's IP address. This iRule is applied to the virtual server on another LTM that consumes the syslog traffic and load balances it.


when CLIENT_DATA {
    # Replace 11 bytes at offset 38 of the syslog payload, keyed on the sender's IP address
    switch [IP::client_addr] {
        "10.10.10.10" { UDP::payload replace 38 11 "ABCDC01F5OS01" }
        "10.10.10.20" { UDP::payload replace 38 11 "ABCDC01F5OS02" }
    }
}

The iRule workaround changes the example message from this:

Jul 31 03:33:50 10.10.10.10 2023-07-31T07:33:50.181136+00:00 appliance-1 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 0 (1:Enabled 2:Disabled ... )".

to this

Jul 31 06:00:01 10.10.10.10 2023-07-31T10:00:01.356324+00:00 ABCDC01F5OS01 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 1 (1:Enabled 2:Disabled ... )".
Jul 31 06:00:04 10.10.10.20 2023-07-31T10:00:04.983677+00:00 ABCDC01F5OS02 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 0 (1:Enabled 2:Disabled ... )".

Fix:
Infrastructure to use the system hostname user configuration in the syslog target logs has been added with a knob and it is enabled by default. It can be turned off if old behavior is preferred.
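
The iRule workaround above replaces 11 bytes at a fixed offset of 38, so it only lands on the hostname when the header in front of it is exactly 38 bytes long. The following is an added example (not F5 code) that performs the same rewrite by header field, so that a collector-side rewrite does not corrupt the record when the header width differs. It assumes the datagram begins with a `<PRI>` field followed by the timestamp, a layout the page does not state; the sample payloads and PRI values are constructed.

```python
import re

# Constructed mapping that mirrors the two iRule branches on the page.
HOSTNAME_BY_SOURCE = {
    "10.10.10.10": "ABCDC01F5OS01",
    "10.10.10.20": "ABCDC01F5OS02",
}

# Assumed datagram layout (not stated on the page):
#   <PRI>TIMESTAMP HOSTNAME APP[PID]: message
HEADER = re.compile(rb"\A(<\d{1,3}>\S+ )(\S+)( .*)\Z", re.DOTALL)

# A name written into log records must not carry spaces or control bytes,
# otherwise the rewrite itself could shift or forge fields.
SAFE_NAME = re.compile(r"\A[A-Za-z0-9._-]{1,255}\Z")


def fixed_offset_replace(payload, new_name, offset=38, length=11):
    """Byte-for-byte equivalent of `UDP::payload replace 38 11 <name>`."""
    return payload[:offset] + new_name.encode("ascii") + payload[offset + length:]


def rewrite_hostname(payload, source_ip):
    """Replace the HOSTNAME field by its position in the header."""
    new_name = HOSTNAME_BY_SOURCE.get(source_ip)
    if new_name is None or not SAFE_NAME.match(new_name):
        return payload  # unknown sender or unsafe name: pass through unchanged
    match = HEADER.match(payload)
    if match is None:
        return payload  # not the expected layout: do not guess
    return match.group(1) + new_name.encode("ascii") + match.group(3)


# Constructed sample datagrams; the PRI values are made up.
SAMPLE_3_DIGIT_PRI = (
    b'<134>2023-07-31T07:33:50.181136+00:00 appliance-1 '
    b'lacpd[1]: priority="Info" version=1.0 msg=""'
)
SAMPLE_2_DIGIT_PRI = SAMPLE_3_DIGIT_PRI.replace(b"<134>", b"<30>", 1)

if __name__ == "__main__":
    for sample in (SAMPLE_3_DIGIT_PRI, SAMPLE_2_DIGIT_PRI):
        print(fixed_offset_replace(sample, "ABCDC01F5OS01"))
        print(rewrite_hostname(sample, "10.10.10.10"))
```

With the three-digit PRI both functions produce the same bytes; with the two-digit PRI the fixed-offset version overwrites the separator after the hostname and leaves its first character in place, while the field-based version still replaces only the hostname.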


1297357-1 : WebUI authentication does not follow best practices in some situations

Component: F5OS-A

Symptoms:
Under certain circumstances, the WebUI interface and RestConf requests do not follow best practices when handling authentication-related requests.

Conditions:
Undisclosed.

Impact:
Undisclosed.

Workaround:
Secure access to the F5OS GUI and expose only to trusted users and networks.

Fix:
WebUI and RestConf requests now follow best practices.


1297349 : Tightening controls on uploading files to F5OS

Component: F5OS-A

Symptoms:
The File Upload Manager permits arbitrary file types to be uploaded by an admin user.

Conditions:
-- Uploading files
-- User role is admin

Impact:
Arbitrary file types can be uploaded.

Workaround:
Do not upload untrusted files to the F5OS system. Reduce access to the management plane to trusted users.

Fix:
Only .iso, .os, .img, and .patch files are permitted to be uploaded.


1296997 : Large core files can cause system instability

Links to More Info: BT1296997

Component: F5OS-A

Symptoms:
When a system generates and stores large core files, it can cause the system to become unstable.

Conditions:
F5OS generates a large core file.

Impact:
F5OS core-writing script does not check filesystem availability before writing a core file and can fill up the filesystem, causing catastrophic system instability until disk-space is reclaimed.

For more information on other impacts, see:
1185577 - F5OS-A memory leak in ImageAgent process on rSeries hosts may affect tenant performance or lead to unexpected restarts of tenant or host
https://cdn.f5.com/product/bugtracker/ID1185577.html

1284705 - Appliance Orchestration Manager core file may consume entire root filesystem
https://cdn.f5.com/product/bugtracker/ID1284705.html

1290949 - Invalid memory read in appliance orchestration manager
https://cdn.f5.com/product/bugtracker/ID1290949.html

1327701 - Space in SNMP community/user/target name causing snmpd container restart
https://cdn.f5.com/product/bugtracker/ID1327701.html

Workaround:
None

Fix:
F5OS now takes into account the available filesystem space before writing a core file. If the core file is too large then it will be truncated and deleted to maintain system stability. The system log message will indicate if the core file was too large to safely write.


1294561 : When OCSP is disabled, configurations are not accurately shown outside of 'config' mode

Links to More Info: BT1294561

Component: F5OS-A

Symptoms:
When the OCSP feature is disabled, any changes made to OCSP configurations (i.e. nonce request, override-responder) are not updated outside of 'config' mode on the ConfD CLI. When the OCSP feature is enabled, there is no issue.

Conditions:
Occurs when OCSP is set to 'disabled' and changes are made to the OCSP configurations. Running 'show system aaa authentication ocsp' will display incorrect information.

Impact:
No functional impact. User will not be able to see an accurate display of the OCSP configurations while the feature is disabled.

Workaround:
N/A

Fix:
Starting in F5OS 1.8.0, OCSP configurations are accurately displayed even if the feature is disabled.


1293249 : AAA server group Port and Type are not displayed on ConfD

Links to More Info: BT1293249

Component: F5OS-A

Symptoms:
When a server group is created on an F5OS appliance, "show system aaa server-groups" does not display the Port and Type of the server group.

Conditions:
When a AAA server group is created (LDAP/RADIUS/TACACS).

Impact:
This is a cosmetic issue.

Port and Type information is not displayed on ConfD:

appliance-1# show system aaa server-groups
NAME TYPE ADDRESS PORT
-------------------------------------------
ldap-group - 10.50.5.25 -

Workaround:
The Port and Type information can be viewed via Web UI.


1292405-6 : CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64

Links to More Info: K000137702, BT1292405


1291513 : Some log messages/timestamps do not observe configured timezone

Links to More Info: BT1291513

Component: F5OS-A

Symptoms:
Some logfiles and timestamps report the time as UTC even when the system is configured with a non-UTC timezone.

Conditions:
The orchestration-manager is not aware of the configured timezone, so Openshift/Kubernetes/Ansible log files produced by this component are reported as UTC. Also, the 'user login/last login' times reported by the CLI are always in UTC.

Impact:
Difficult to correlate timestamps across log files.

Workaround:
None

Fix:
Orchestration Manager recognizes the current timezone setting, and produces all timestamps as localtime using RFC3339 format (localtime + offset). All debug logfiles produced by this component are now timezone aware.

The sshd/login programs report login/last login times as localtime, not UTC. The CLI no longer (incorrectly) reports login time.


1289861 : Ability to suppress the proceed warning generated when portgroup mode is changed

Component: F5OS-A

Symptoms:
When the user commits portgroup mode changes, the system generates a proceed warning to inform the user of the potential consequences.

Conditions:
When committing portgroup mode changes.

Impact:
While the proceed warning is present, the user needs to input “yes” or “no” before the transaction is committed.

Workaround:
None

Fix:
Now you have the option to suppress the proceed-warning for the entire system. The setting is called portgroup-confirmation-warning and can be disabled in confd with the following command:

system settings config portgroup-confirmation-warning off


1288897-2 : Allowed IP rule name, which contains all underscores, will be deleted while upgrading to F5OS-A 1.7.0 and later versions

Links to More Info: BT1288897

Component: F5OS-A

Symptoms:
Customers are able to create an allowed-ip rule with a name consisting entirely of underscores, hyphens, or dots, which is not readable.

Conditions:
Creating an allowed-ip rule with a name which contains only allowed special characters.

Impact:
An allowed-ip rule with a name containing only underscores, hyphens, or dots will be deleted during upgrade.

Workaround:
Before upgrading to F5OS-A 1.7.0 or later versions, rename any allowed-ip rule whose name consists entirely of special characters to a name containing at least one alphanumeric character.


1287245-2 : DAGD component crashes during live upgrade or downgrade

Links to More Info: BT1287245

Component: F5OS-A

Symptoms:
The DAGD component crashes occasionally during live upgrade or downgrade. However, these incidents won't affect the overall system, and the DAGD component will restart automatically without requiring any user action.

Conditions:
The DAGD component crashes occur rarely during live upgrade or downgrade.

Impact:
There is no impact on the overall health of the system.

Workaround:
N/A

Fix:
N/A


1286153 : Error logs while generating the qkview

Component: F5OS-A

Symptoms:
The system logs the following errors in platform.log while capturing a qkview:
---
2023-04-09T13:21:23.774606+00:00 appliance-1 tcam-manager[78]: priority="Err" version=1.0 msgid=0x6b01000000000007 msg="ERROR" MSG="handle_dbg_cmd_snapshot: bad tcam id 2".
2023-04-09T13:21:32.905003+00:00 appliance-1 tcam-manager[78]: priority="Err" version=1.0 msgid=0x6b01000000000007 msg="ERROR" MSG="handle_dbg_cmd_snapget: bad row id 512".
---

Conditions:
Generating a qkview

Impact:
The errors are false alarms; they do not have any functional impact.


1284389 : Show system health reports unhealthy during bootup

Component: F5OS-A

Symptoms:
On FIPS-supported hardware, 'show system health' reports unhealthy during device boot-up because fips-state reports -1 during boot-up.

Conditions:
-- during boot-up
-- FIPS partition not initialized

Impact:
No functional impact. This is a cosmetic issue that reports unhealthy in confd and logging.

Workaround:
None

Fix:
While the device is booting, the FIPS state starts at -1 and is shown as unhealthy until the device has completely booted. The -1 state actually means not initialized, so the code has been updated to not report the -1 state as unhealthy.


1282493-3 : Crypto devices are not released after tenants are deleted

Component: F5OS-A

Symptoms:
Deleting the tenants does not release the crypto devices that were allocated to those tenants while creating them.

Conditions:
When a software upgrade was initiated incorrectly, such as:
1. Upgrading only OS version
2. Upgrading only Service version

Impact:
Crypto device behavior will be unexpected.

Workaround:
Always upgrade the software with an ISO that contains the correct OS and services combination.

Fix:
None.


1282185-2 : Unable to restore backup file containing expired TLS certificate

Links to More Info: BT1282185

Component: F5OS-A

Symptoms:
If a user attempts to restore a configuration backup whose contents include a TLS certificate that has expired, the configuration restore will fail.

Conditions:
User attempts to restore a configuration backup file which contains an expired TLS certificate.

Impact:
User is unable to restore their backed up configuration.

Workaround:
There is no workaround for the issue once the backup has been collected. It can be avoided by de-configuring any TLS certificates before collecting a configuration backup, and re-setting them manually after the configuration backup has been restored.

Fix:
Fixed issue where configuration backup files containing expired TLS certificates could not be successfully used for configuration restore.


1277429-1 : Operational and Configurational prompts do not persist through user sessions

Component: F5OS-A

Symptoms:
prompt1 (Operational) and prompt2 (Configurational) do not persist over user sessions and logins once configured.

Conditions:
Configure both prompts, exit from session and re-login. It can be observed that the configured prompts are reset to default.

Impact:
It is hard to identify the terminal session without configured prompts when working with multiple terminal sessions with new logins.

Workaround:
None

Fix:
Operational (oper-prompt) and Configurational (config-prompt) prompts can be configured which persist over sessions and logins.


1270309 : Audit.log may log incorrect username initially for users logging into the CLI, remotely-authenticated users may see hostname in prompt reported as "appliance-1", and remotely-authenticated LDAP users may experience lengthy delays when authenticating

Links to More Info: BT1270309

Component: F5OS-A

Symptoms:
The audit log may initially show the incorrect username when users log in to the CLI:

For example:

msg="audit" user="[one username]/[number]" cmd="created new session via cli from 192.0.2.1:56166 with ssh".
msg="audit" user="[one username]/[number]" cmd="CLI 'show system state hostname'".
msg="audit" user="[one username]/[number]" cmd="CLI done".
msg="audit" user="[one username]/[number]" cmd="terminated session (reason: normal)".
msg="audit" user="[actual username]/[another number]" cmd="created new session via cli from 192.0.2.1:56166 with ssh".
msg="audit" user="[actual username]/[another number]" cmd="CLI 'exit'".
msg="audit" user="[actual username]/[another number]" cmd="terminated session (reason: normal)".


Or:

confd[121]: audit user: [tenant name]/[number] assigned to groups: admin
confd[121]: audit user: [tenant name]/[number] CLI done
confd[121]: audit user: [tenant name]/[number] terminated session (reason: normal)
confd[121]: audit user: test_user/[number] assigned to groups: admin


If role GID mapping is configured, remotely-authenticated users may see the hostname reported in the prompt as "appliance-1", rather than the correct hostname. For instance:

User f5osadmin last logged in 2023-10-01T01:02:03.123456+00:00, to appliance-1 from 192.0.2.1 using cli-ssh
f5osadmin connected from 192.0.2.1 using ssh on appliance-1.chassis.local
appliance-1#


Remotely-authenticated LDAP users may experience lengthy delays when authenticating via SSH, particularly if one or more of the following are true:
- the LDAP server has a large number of groups
- the LDAP server has many users in groups
- there is noticeable latency between the F5OS system and the LDAP server

Conditions:
When trying to use remote authentication, multiple user accounts have the same UID (user identifier). The user IDs may overlap between multiple remote users, or between remote users and local users.

Impact:
The audit.log will show an incorrect username for the first few entries.

The CLI prompt may display the generic hostname "appliance-1".

Workaround:
To avoid the audit.log reporting an incorrect username, ensure all user accounts have unique user IDs.

If that is not practical, or to work around the other symptoms of this issue, the following procedure will work around the issue; this procedure will be reverted by any software version changes.

1. Log into the rSeries appliance as root

2. Put the script below into /etc/cron.hourly, as a file named "ID1270309-workaround", and then mark it executable ("chmod 755 /etc/cron.hourly/ID1270309-workaround").

===
#!/bin/bash

set -Eeuo pipefail

# f5_confd_cli from different versions of F5OS-A
# 1.5.0 / 1.5.1
# 1.5.1 with the fix for ID1301837
MATCHING_CHECKSUM=( "5496b29958666ab7eeb44e1dbc78afb4c99a08d5" "a5d4a6928fb77fd089ed8289f1162220d30e2c8c" )
# The same file, with the patch below applied to it.
MODIFIED_CHECKSUM=( "37ab85644d33f1fdd1724e284aa694c897a4e898" "8d552eb9f79853dacf762d9ee21c06cc950383f3" )

FILE=/var/lib/controller/f5_confd_cli

CHECKSUM=$(sha1sum "$FILE" | awk '{print $1}')

if [[ "${MATCHING_CHECKSUM[@]}" = *"$CHECKSUM"* ]]; then
    :
elif [[ "${MODIFIED_CHECKSUM[@]}" = *"$CHECKSUM"* ]]; then
    # Already modified. Nothing to do
    exit 0
else
    echo >&2 "f5_confd_cli is in unknown state, not modifying."
    exit 0
fi

patch -p1 "$FILE" << 'EOF'
--- /var/lib/controller/f5_confd_cli.ID1270309.orig 2023-09-05 15:35:44.651749231 -0700
+++ /var/lib/controller/f5_confd_cli 2023-09-05 15:37:08.894286756 -0700
@@ -180,16 +180,11 @@
     echo "System Time: $date"
 fi
 
-# Read the hostname from /system/state/ if it exists,
-# otherwise default to the hostname
-hostname_cli_out=$(echo "show system state hostname" | /var/lib/controller/confd_cli -N)
-
-hname=${HOSTNAME}
-if [[ ! -z "${hostname_cli_out}" ]]; then
- if [[ "$hostname_cli_out" == *"system state hostname"* ]]; then
- hname=$(echo ${hostname_cli_out} | awk '{print $(NF)}')
- fi
+if [ -r /etc/f5_sys_hostname/env ]; then
+ . /etc/f5_sys_hostname/env
 fi
+hname=${SYS_CONFIG_HOSTNAME:-$HOSTNAME}
+
 if [[ -z "${supplementary_gids}" ]]
 then
     exec /var/lib/controller/confd_cli -C -H ${hname} -u ${USER} --gid "${primary_gid}"
EOF
===
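
Review bot: the added `. /etc/f5_sys_hostname/env` line runs the whole file as shell in every CLI login, guarded only by the `-r` readability test, so the login script now trusts whatever that file contains. Consider reading only the SYS_CONFIG_HOSTNAME value out of the file instead of sourcing it, or checking that the file is root-owned and not group- or world-writable before the `.` line. Related: on the unchanged `exec /var/lib/controller/confd_cli -C -H ${hname} -u ${USER}` line the variables are unquoted; the removed code took a single awk field, but the new value comes straight from the env file, so a value with whitespace would be split into extra arguments. Quoting it as "${hname}" would avoid that.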

This script will check and potentially update the login script once an hour to apply the workaround. After a system reboot or the system_manager docker container restarts, there is a potential period of up to an hour before the workaround is reapplied.

This workaround will also only function for specific versions of F5OS software; currently, only for F5OS-A 1.5.0 and F5OS-A 1.5.1.
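
A check for the audit.log symptom of ID 1270309, as an added example that is not F5 code: it flags a source ip:port that opens a session under one username and then again under a different one, and lists the entries recorded under the first name. It handles only the msg="audit" user="..." line shape from the page; the usernames, session numbers and leading timestamps in the sample are constructed, and the timestamp prefix is an assumption.

```python
import re
from datetime import datetime

# One audit entry in the shape of the page's first sample; anything before
# msg="audit" (timestamp, host, process) is tolerated.
ENTRY = re.compile(
    r'msg="audit" user="(?P<user>[^"/]+)/(?P<sid>\d+)" cmd="(?P<cmd>.*)"\.?\s*$'
)
NEW_SESSION = re.compile(r"created new session via \S+ from (?P<src>\S+) with \S+")
# Optional leading RFC 3339 timestamp (assumed prefix, not shown on the page).
LEADING_TS = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{6})?[+-]\d{2}:\d{2})\s"
)

# Constructed sample: the first five lines mirror the page's pattern, the
# last two are an unrelated reuse of a source port hours apart.
SAMPLE = """\
2023-10-01T01:02:03.100000+00:00 msg="audit" user="tenant1/41" cmd="created new session via cli from 192.0.2.1:56166 with ssh".
2023-10-01T01:02:03.200000+00:00 msg="audit" user="tenant1/41" cmd="CLI 'show system state hostname'".
2023-10-01T01:02:03.300000+00:00 msg="audit" user="tenant1/41" cmd="CLI done".
2023-10-01T01:02:03.400000+00:00 msg="audit" user="tenant1/41" cmd="terminated session (reason: normal)".
2023-10-01T01:02:03.500000+00:00 msg="audit" user="jdoe/42" cmd="created new session via cli from 192.0.2.1:56166 with ssh".
2023-10-01T01:02:09.000000+00:00 msg="audit" user="jdoe/42" cmd="CLI 'exit'".
2023-10-01T01:02:09.100000+00:00 msg="audit" user="jdoe/42" cmd="terminated session (reason: normal)".
2023-10-01T03:00:00.000000+00:00 msg="audit" user="alice/50" cmd="created new session via cli from 192.0.2.9:40000 with ssh".
2023-10-01T09:00:00.000000+00:00 msg="audit" user="bob/77" cmd="created new session via cli from 192.0.2.9:40000 with ssh".
""".splitlines()


def parse(line):
    """Return (timestamp or None, user, session id, cmd), or None if not an audit entry."""
    m = ENTRY.search(line)
    if m is None:
        return None
    ts = LEADING_TS.match(line)
    when = datetime.fromisoformat(ts.group(1)) if ts else None
    return when, m["user"], m["sid"], m["cmd"]


def find_misattributed(lines, window_seconds=10):
    """Flag consecutive sessions from one source endpoint with different usernames."""
    last_session = {}  # source ip:port -> (when, user, sid) of the latest session
    entries = {}       # (user, sid) -> commands logged under that session
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        when, user, sid, cmd = rec
        entries.setdefault((user, sid), []).append(cmd)
        new = NEW_SESSION.search(cmd)
        if new is None:
            continue
        src = new["src"]
        prev = last_session.get(src)
        last_session[src] = (when, user, sid)
        if prev is None or prev[1] == user:
            continue
        # With timestamps, require both sessions to start close together so an
        # ordinary reuse of a source port is not flagged; without them, fall
        # back to log order alone.
        if when is not None and prev[0] is not None:
            if (when - prev[0]).total_seconds() > window_seconds:
                continue
        findings.append({
            "source": src,
            "logged_as": prev[1],
            "followed_by": user,
            "suspect_entries": list(entries[(prev[1], prev[2])]),
        })
    return findings


if __name__ == "__main__":
    for hit in find_misattributed(SAMPLE):
        print(hit)
```

Entries listed under suspect_entries are the ones to re-attribute when reviewing who ran a command; per the page's sample, the username on the second session is the actual one.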


1268433 : Some firewall rules do not generate denial logs

Links to More Info: BT1268433

Component: F5OS-A

Symptoms:
Denial logging for the system_latest_vers network namespaces is disabled by default to prevent host kernel log flooding from inside a container.

Conditions:
By default, all network namespace logs are disabled except for init namespace.

Impact:
When traffic is denied from an IP, we do not get a message saying traffic from a particular IP is denied.

Workaround:
Command to enable system_latest_vers network namespace denial logs:
sysctl -w net.netfilter.nf_log_all_netns=1 (not-persistent)

Persistent solution:
1) Create a file: /etc/sysctl.conf

2) Run the command:
echo "net.netfilter.nf_log_all_netns = 1" >> /etc/sysctl.conf


1251989 : Changing the system Date/time back and forth using NTP server brings the system to abnormal state

Links to More Info: BT1251989

Component: F5OS-A

Symptoms:
Upon changing the system date, the following can be observed on the appliance:
1. K3S cluster pods go into an errored state.
2. Cannot bring up the tenant on the Cluster

Conditions:
The date/time can be changed either by using an NTP server or by using the CLI.

Changing the date forward and moving back to the original date.

Impact:
The K3S cluster does not come up properly and eventually it brings down the tenant.

Workaround:
1. Identify the pods which are having certificate issues.
2. In the case of the K3S cluster and kubevirt pods, they can be recovered by deleting the pods.

Fix:
Check for pods in an errored state and delete using the following commands.

kubectl delete pod <name> -n <namespace> --force


1251957 : SNMP OIDs to monitor serial number of the device, type of hardware and hostname

Component: F5OS-A

Symptoms:
Device serial number, type, and hostname are not available for the SNMP interface.

Conditions:
Install the F5OS-A/F5OS-C version and run SnmpWalk.
You cannot find the device’s serial number, type, and hostname.

Impact:
You are not able to poll for device serial number, type, and hostname through the SNMP interface.

Workaround:
None

Fix:
Added support for device serial number, type, and hostname for SNMP interfaces.


1251161-2 : Authentication fails via the webUI when “:” is at the end or beginning of the password

Links to More Info: BT1251161

Component: F5OS-A

Symptoms:
After modifying the user's password to include ":" either at the beginning or the end of the password, the user is not able to log in via the webUI.

The user is able to log in via the CLI (SSH).

Conditions:
The password includes ":" at the beginning or end of the password string.

Impact:
User not able to log in via the webUI.

Workaround:
Do not use ":" at the beginning or end of the password string.

Since it is possible to log in via the CLI, modify the password accordingly.


1250925 : Alarm for AOM fault due to "LOP Runtime fault detected: lop:nc-si-rmii:failure"

Links to More Info: BT1250925

Component: F5OS-A

Symptoms:
The AOM may report a runtime fault after a failure to configure the NC-SI RMII interface. This results in a system alarm for "Fault detected in the AOM" and an event indicating that "LOP Runtime fault detected: lop:nc-si-rmii:failure".

Conditions:
The conditions causing the LOP runtime fault for NC-SI RMII interface configuration are not known.

Impact:
The AOM uses the NC-SI RMII interface to allow external SSH access directly to the AOM through the management interface. When the interface configuration fails, then the AOM is not accessible via SSH.

Workaround:
A reset of the AOM can correct this issue. Login to the system as root. Issue the following command to reset the AOM.

docker exec -ti platform-hal psf POST:lop/object/reset-device device=Aom
 
Wait approximately 10 minutes and check the AOM runtime status to verify that the "LOP Runtime fault detected: lop:nc-si-rmii:failure" condition has cleared.

docker exec -ti platform-hal psf GET:lop/object/health

For example, a healthy LOP with no runtime status faults will return "runtimeStatus" equal to zero as shown below.

[root@appliance-1 ~]# docker exec -ti platform-hal psf GET:lop/object/health
  field | value
-----------------------------+--------
  postBitDescriptionItems | []
  postStatus | 0
  runtimeBitDescriptionItems | []
  runtimeStatus | 0

Fix:
Fixed with AOM version 2.00.350.0.1 and later.


1238245 : Prevent system upgrade during firmware update

Component: F5OS-A

Symptoms:
Triggering a system upgrade when BIOS update is in progress will result in a system reboot, interrupting all processes. The system will get into an inaccessible state.

Conditions:
Trigger system software upgrade when firmware update is running in the background.

Impact:
The system gets into an inaccessible state and the ConfD session becomes unreachable.

Workaround:
None

Fix:
A compatibility check failure message is displayed stating that the firmware update is in progress.


1233865-5 : Memory capacity and utilization details are confusing / misleading

Component: F5OS-A

Symptoms:
The memory statistics do not provide a clear or accurate representation of the total memory and how it is being utilized.

Conditions:
Using ConfD to retrieve information about memory capacity and utilization.

Impact:
There are no clear, easy-to-understand statistics for memory capacity and utilization.

Workaround:
N/A

Fix:
More detailed, granular memory statistics are provided to give the user a clear understanding of total memory and how it is being used.


1211233-4 : F5OS dashboard in webUI displays the system root file system usage, not the entire disk

Links to More Info: BT1211233

Component: F5OS-A

Symptoms:
The Dashboard page displays disk usage information that can be misleading.

For example, on an r5900 the following information may be shown:

Storage Capacity: 109.4GB
System Storage Free: 89.1GB
System Storage Used: 15%

However, the storage capacity is a value taken from the root (/) filesystem. It does not represent the entire 800GB disk, and does not show information about the file systems where tenant images reside.

Conditions:
View Dashboard page in webUI.

Impact:
This is a cosmetic issue.

Workaround:
Linux commands such as "df -hl -t ext4" will provide detailed information about disk usage.

Another breakdown of the disk partition use can also be seen using "lsblk /dev/nvme0n1". Note that nvme0n1 is the physical disk of interest.

Example from rSeries appliance:

# lsblk /dev/nvme0n1
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1 259:0 0 683.5G 0 disk
|-nvme0n1p1 259:1 0 1G 0 part /boot/efi
|-nvme0n1p2 259:2 0 1G 0 part /boot
|-nvme0n1p3 259:3 0 455.3G 0 part
| `-partition_tenant-root 253:2 0 455.3G 0 lvm /var/F5/system/cbip-disks
|-nvme0n1p4 259:4 0 113.9G 0 part
| `-vdo_vol 253:3 0 227.7G 0 vdo
| `-partition_image-export_chassis 253:4 0 227.7G 0 lvm /var/export/chassis

Fix:
N/A


1208573-2 : Disabling Basic Authentication does not block the RESTCONF GET requests

Links to More Info: BT1208573

Component: F5OS-A

Symptoms:
When basic authentication is disabled by the user, RESTCONF GET requests are not blocked.

Conditions:
User disables basic authentication. RESTCONF GET requests never get blocked.

Impact:
No effect on configuration. Some API data will be displayed in response to RESTCONF GET requests, even when basic authentication is disabled.

Workaround:
N/A

Fix:
The GET operation for the APIs has been blocked when basic authentication is disabled.


1207889 : FEC configuration on r5k/r10k 25G interfaces

Component: F5OS-A

Symptoms:
FEC configuration has been added.

Conditions:
Interfaces which require FEC configuration to a non-default setting.

Impact:
FEC can be enabled or disabled.

Workaround:
None

Fix:
FEC configuration is supported.


1205409 : Cannot export or download files from diags/shared/tcpdump path

Links to More Info: BT1205409

Component: F5OS-A

Symptoms:
The diags/shared/tcpdump path gives access to the tcpdump files captured for system diagnostics. However, these files could not be downloaded from the webUI to the local system.

Conditions:
- User generates a tcpdump file for system diagnostics
- User navigates to the diags/shared/tcpdump path in the webUI and tries to download file, resulting in an error

Impact:
Unable to download tcpdump files from diags/shared/tcpdump path in the webUI. Hence, a user cannot access these files from the webUI.

Workaround:
Create /var/docker/config/platform.override.yml with these contents:

version: '2.1'
services:
  http-server:
    volumes:
      - /var/F5/system/shared/tcpdump:/var/shared/tcpdump

Then, restart platform-services.

Fix:
User is now able to download and export files from diags/shared/tcpdump path to any required destination without any errors.


1204985 : The root-causes of F5OS upgrade compatibility check failures are hidden in /var/log/sw-util.log.

Links to More Info: BT1204985

Component: F5OS-A

Symptoms:
When performing a live upgrade, if the upgrade compatibility check fails, users can only see "System database upgrade compatibility check failed" error message. The applicable information about what failed is neither displayed nor shown in platform.log/velos.log.

Conditions:
1. Perform a live-upgrade.
2. If the upgrade compatibility check fails, users can only see "System database upgrade compatibility check failed" error message. The applicable information about what failed is neither displayed nor shown in platform.log/velos.log.

Impact:
Upgrade failure logs are not logged in platform.log/velos.log.

Workaround:
None

Fix:
This issue is fixed and displays the error scenarios in platform.log/velos.log.


1196417 : First time user SSH session is getting closed after password change

Links to More Info: BT1196417

Component: F5OS-A

Symptoms:
User SSH session is getting closed after password change, at the time of first SSH login.

Conditions:
When changing password at the time of first SSH login.

Following is an example:
ssh jeevan1@10.238.160.60
The authenticity of host '10.238.160.60 (10.238.160.60)' can't be established.
ECDSA key fingerprint is SHA256:RlyjC/Tx6uI7rX9zZy6q0ADKkx6GNReSyb1iohYnKio.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.238.160.60' (ECDSA) to the list of known hosts.
jeevan1@10.238.160.60's password:
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user jeevan1.
Changing password for jeevan1.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to 10.238.160.60 closed. <=== SSH session shouldn't be closed.

Impact:
No impact on any of the features due to this issue. The user just needs to log in again with the changed password as the current SSH session will be closed after password change.

Workaround:
N/A

Fix:
N/A


1188825 : New role named "user" with read-only access to non-sensitive system level data

Component: F5OS-A

Symptoms:
To meet security requirements, you need to create a user account on F5OS that cannot access sensitive data, such as platform logs, system events, login activities, and more.

Conditions:
Create user account with roles available on the F5OS using the following CLI command:
system aaa authentication users user <user_name> config role <role_name>

Impact:
F5OS is unable to meet defined security requirements.

Workaround:
None

Fix:
A new user role named “user” is provided on F5OS. It has no access to sensitive data such as platform logs, system events, and login activities, which allows the security requirements to be met.


1188069 : F5OS installer does not indicate progress or completion state

Links to More Info: BT1188069

Component: F5OS-A

Symptoms:
The F5OS installer does not indicate the progress or completion state of upgrade/installation.

Conditions:
Upgrade/reboot the system.

Impact:
You are unable to identify the readiness state of system.

Workaround:
None

Fix:
The upgrade, installation or initialization detail is now included in the system's bash prompt.


1185805-1 : The "test media" option during USB install may be interrupted by the hardware watchdog

Links to More Info: BT1185805

Component: F5OS-A

Symptoms:
During USB booting there is an option for "Test this media & install F5OS". If this is selected then the system verifies the media for only 5 minutes before the hardware watchdog reboots the device and the verification is interrupted.

Conditions:
USB booting, "test media" option selected.

Impact:
The "test media" option does not work.


1167477-5 : CVE-2021-20233: grub2 - Heap out-of-bounds write due to miscalculation of space required for quoting

Component: F5OS-A

Symptoms:
A flaw was found in grub2 in versions prior to 2.06. The option parser allows a user to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Grub2 has been updated to a non-vulnerable version.


1162341 : Front panel interface status is not reported in alarms or events

Links to More Info: BT1162341

Component: F5OS-A

Symptoms:
Front panel interface flap events are not displayed in alarms or events CLI/GUI.

Conditions:
Front panel interface is down or oper-status changes.

Impact:
Interface status is not shown in alarms or events.

Workaround:
View interface with "show interfaces interface state oper-status".


1154733 : LLDP error on management interface

Links to More Info: BT1154733

Component: F5OS-A

Symptoms:
LLDP on the mgmt interface is not supported. When LLDP is enabled, the show lldp command in the ConfD CLI does not show any information related to the mgmt interface.
Also, when enabled, the log message below is displayed:

lldpd[8]: priority="Err" version=1.0 msgid=0x7302000000000021 msg="Failed to get did from interface name." ifname="mgmt"

Conditions:
When LLDP is enabled using ConfD CLI.

Impact:
The system logs an error message every 30 seconds:

lldpd[8]: priority="Err" version=1.0 msgid=0x7302000000000021 msg="Failed to get did from interface name." ifname="mgmt"

Workaround:
None

Fix:
NA


1147673 : Downloading QKViews directly from the System Reports screen.

Component: F5OS-A

Symptoms:
The F5OS-A webUI lacks the ability to download QKView files directly from the System Reports screen. You must navigate to the File Utilities screen to perform the action.

Conditions:
Download QKView files.

Impact:
No functional impact. You need to navigate to a different webUI screen to download QKView files.

Workaround:
Navigate to the File Utilities screen to download QKView files.

Fix:
From F5OS-A v1.8.0, QKView files can be downloaded from System Reports screen.


1145049 : K3s cluster deployment sequence is modified to avoid pods entering into UNKNOWN state

Links to More Info: BT1145049

Component: F5OS-A

Symptoms:
CNI pods enter into UNKNOWN state.

Conditions:
Multus is installed before Flannel installation is successful.

Impact:
K3s cluster deployment fails.

Workaround:
Restart K3s cluster deployment.

Fix:
K3s cluster deployment sequence is modified to avoid pods entering into UNKNOWN state.


1140577 : config-restore will cause a reboot if the portgroup configuration changes

Component: F5OS-A

Symptoms:
If config-restore causes the portgroup configuration to change, the system will reboot automatically, but no warning prompt is given.

Conditions:
Restoring a saved configuration with a different portgroup configuration than the current configuration.

Impact:
System reboots unexpectedly.

Workaround:
N/A

Fix:
N/A


1136557 : F5OS config restore fails if .iso or components vary between two devices.

Component: F5OS-A

Symptoms:
If the .iso or components in the backup file do not match the ones in the restore file, the restore operation fails with admin access denied error:

Error: Database config-restore failed.

Conditions:
Take a config backup from one device and restore it on another device where the .iso or components vary.

Impact:
Configuration restore fails.

Workaround:
Ensure that .iso and components match when performing backup and restore between devices.


1135021 : F5OS config-restore with an incorrect primary-key does not produce a warning

Component: F5OS-A

Symptoms:
'system database config-restore' does not verify that the backup file is encrypted with the same database primary-key that is currently active on the device.

Conditions:
Restoring a config-backup on a device with a different primary-key than when the backup was produced.

Impact:
System will not operate properly because it will not be able to decode encrypted secrets that control certificates, private keys, and other items. Tenants will not operate properly.

Workaround:
Ensure that a new config-backup is created after executing the "system aaa authentication primary-key set" command.

Fix:
Config-restore fails if the database primary key does not match the config backup file, and reports the primary-key hash. Reset the primary-key to match the backup file in order to restore the backup file.


1128633-3 : Failed upload entries displayed under CLI file transfer-operations

Links to More Info: BT1128633

Component: F5OS-A

Symptoms:
Old, failed uploads continue to display in the file transfer-operations list for an unknown period of time both in CLI and GUI.

Conditions:
If the image upload operation fails for some unknown reason, then the failed entries are listed under both the transfer-status list and the transfer-operations list. The list under transfer-status is cleared every 24 hours, but the list under transfer-operations remains.

Impact:
- As old, failed uploads continue to display in the list for an unknown period of time, the list under transfer-operations is more cluttered.
- There is no functional impact.

Workaround:
None

Fix:
All operation entries are cleared if their transfer time exceeds 24 hours, keeping the file transfer-operations list free of clutter.


1126865-2 : F5OS HAL lock up if the LCD module is not responding.

Links to More Info: BT1126865

Component: F5OS-A

Symptoms:
There are rare cases where the LCD module is present, enabled, and its network link is up; however, it does not respond to requests made by the HAL. Ultimately this causes the HAL services to become unresponsive.

Conditions:
There are rare cases where the LCD does not respond to requests from the HAL services. When this happens, the HAL service can get locked up.

Impact:
When this rare event occurs, the HAL becomes unresponsive for other devices in the system, like the AOM for example.

Workaround:
If this occurs, a restart of the HAL services or a reset of the system is required to clear the condition.


1124953-2 : Intel microcode updates: CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166

Links to More Info: K04808933


1124853-1 : Backup and restore fails when port-profile is mismatched

Links to More Info: BT1124853

Component: F5OS-A

Symptoms:
Because there will be some configuration changes between two different port-profiles, database backup and restore between two appliances with different port-profiles will fail.

Conditions:
Make sure both source and target appliances have the same port-profile configurations before performing a database restore.

Impact:
A database restore will fail when port-profile configuration is mismatched.

Workaround:
The target appliance where the restore is being performed should have the same port-profile as the backup database.

Fix:
The target appliance where the restore is performed should have the same port-profile as the backup database.


1124809 : Add or improve the reporting status of imported images

Component: F5OS-A

Symptoms:
No correct error message or status is shown in the log files or in the CLI when non-compatible images, corrupted images, or zero-sized images are copied to the import directories.

It is difficult to determine the exact problem, because users have to examine the import directory and the mount status of the ISO file being copied.

Conditions:
Copying zero-length, corrupted, or incompatible ISO files, or ISO files whose names contain special characters, to the import directory /var/import/staging.

Impact:
No status is displayed in the CLI and in the log files.

Workaround:
None

Fix:
The log files will display the exact error messages. System events will show the cause of the error and SNMP traps are generated in the event of the error.


1121921 : Common name for setup-wizard tool across platforms

Links to More Info: BT1121921

Component: F5OS-A

Symptoms:
The setup-wizard tool command is named differently in F5OS-A and F5OS-C, which can be confusing for administrators of both systems.

Conditions:
'appliance-setup-wizard' is used to run the tool at the F5OS-A bash prompt, whereas 'velos-setup-wizard' is used in F5OS-C.

Impact:
Increases complexity and creates confusion when running the tool on the device.

Workaround:
None

Fix:
'setup-wizard' is now the common command name for running the tool on both F5OS-A and F5OS-C.


1099069-3 : Issues with pulling files from F5OS device using SCP

Links to More Info: BT1099069

Component: F5OS-A

Symptoms:
Unable to pull packet capture files off of the F5OS device using SCP from admin.

Conditions:
Download packet capture files using SCP from the admin account.

Impact:
Unable to download packet capture files through SCP from admin.

Workaround:
N/A

Fix:
Added support to download files from more directories.


1057401 : CVE-2018-16402 libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service or possibly have unspecified other impact

Component: F5OS-A

Symptoms:
libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.

Conditions:
N/A

Impact:
Although vulnerable code is present, this vulnerability does not impact R2R4 or R5R10 in any default, standard, or recommended configuration.

Workaround:
N/A

Fix:
elfutils has been updated to a non-vulnerable version.


1008701-1 : Using curl to access 'scp:' URIs on the partition management IP does not work

Links to More Info: BT1008701

Component: F5OS-A

Symptoms:
Attempting to upload a tenant image via

"curl filename scp:IMAGES"

would fail, even though

"scp filename admin@mgmt-ip:IMAGES"

works.

Conditions:
Accessing ssh/scp via curl rather than the scp application.

Impact:
Cannot use curl to copy files.

Workaround:
Use scp directly rather than curl.

Fix:
The ssh/scp server has been fixed to correctly interpret the file/directory names supplied by the 'curl' command.



Known Issues in F5OS-A v1.8.x


F5OS-A Issues

ID Number Severity Links to More Info Description
1585373-2 1-Blocking   Outdated or old Service-Instances for Tenant
1576345-1 1-Blocking BT1576345 Port mode mismatch on QSFP ports can cause interface flaps on other ports
1273013-3 1-Blocking   Five percent (5%) deviation can be observed in TPS performance on R10920 and R5920 tenant
1083061-2 1-Blocking   Loading saved config to BIG-IP fails if host modifications are made after "tmsh save sys config"
1622869-2 2-Critical   Might see TPOB core after HA disassembly
1621449-1 2-Critical   Error related to removal of orphan pod related subpaths in /var/log/messages
1620077 2-Critical BT1620077 FDB entry port motion not working if new interface is a trunk/LAG
1614333 2-Critical BT1614333 OPT-0054-01, Innolight (TR-PY13L-NF5, Rev ‘R1A’) optic experiencing intermittent link problems when connected to r2000/r4000 port 5.0
1594149 2-Critical   Next Tenant Management interface is turned down/unreachable
1591961-1 2-Critical   Observing "Failed to send restarting msg to VF" errors during reboot
1589161 2-Critical   Observing kube-dns service error log flood in /var/log/messages after appliance downgrade
1575953-1 2-Critical   BIG-IP NEXT tenant stuck at provisioning state with live upgrade when tenant bring-up is in progress
1574773-1 2-Critical   On rSeries system, operations which involve reboot, might result in Tenant failure state
1568485-2 2-Critical BT1568485 GRE V1 packets are being dropped before even reaching BIG-IP on F5 r2xxx/r4xxx
1380705 2-Critical   BIG-IP tenant is stuck during boot up after doing tenant upgrade from 15.1.x to 17.1.x
1378917-2 2-Critical   FIPS partition details are not seen in the tenant console when it is configured without waiting until its status is 'Running'
1341701 2-Critical BT1341701 Unable to launch tenant, as VF interface is getting incorrect name while attaching to tenant.
1224113-2 2-Critical   IPV6 packets are fragmented on R2x00/R4x00 platforms.
1660961-2 3-Major   Active Directory LDAP integration without uidNumber/gidNumber does not work with LDAP over TLS
1624665-2 3-Major   ConfD state data shows key and certificate configured for secure (mTLS) even after deleting from config
1623345-1 3-Major   On rSeries system, power cycle reboot might result in QAT device failure
1623101-1 3-Major   External OTEL server receives log data for both the platform and event logs, even if only one of them has been configured
1621917 3-Major   Stale VFIO devices entries upon BIG-IP Next Tenant deletion
1621785-1 3-Major   Mstp topology convergence after changing the priority of instance is not taking place.
1621769-1 3-Major   Observing FPGA errors when VLAN cannot configured for the interface and VLAN state is not set up
1621757-1 3-Major   Observing "Stp Maapi request to readPortFlushes failed" errors while enabling MSTP port
1612429 3-Major   License installation is not working with HTTPS Proxy server
1612101-1 3-Major   When vCPU cores configuration changed for BIG-IP Next tenant, RRD stats shows both the old and new CPU data stats
1603685-1 3-Major   ISO import status is stuck at verifying and ISO removal does not remove the ISO from /var/import/staging
1600949 3-Major   Tenant status is not accurate when the F5OS upgrade is in progress
1587569-1 3-Major   Every tenant receives the traffic of all other tenants if VLAN is shared across
1585609-1 3-Major   rSeries tenant silent reboot; Tenant liveness probes failed
1585237 3-Major   When telemetry exporter is not reachable, logs to enable send_queue or retry will be printed in platform.log
1575433-2 3-Major   "ReadyRequest failed for 'system_fpga' @ 'tcp://127.0.0.1:1060', Inner -> 'receive timeout'" logs are being seen couple of times a day
1566917-2 3-Major   The ha-1-deployment pod may get restarted after HA setup and system upgrades
1552921 3-Major BT1552921 Password policy option reject-username set to false has no effect
1505497-3 3-Major   During remote logging server configuration, selectors help menu does not display when using Tab key.
1491209-1 3-Major BT1491209 Non-root, local authentication fails when LDAP is configured with chase referrals and an invalid DNS server is configured
1469485-1 3-Major BT1469485 "show components component state memory full" does not have any meaningful output
1399129 3-Major BT1399129 Duplicate platform agent log entries when tenant starts
1381237-2 3-Major   Messages like "Failed to set up mount unit" may flood in /var/log/messages file
1381053 3-Major BT1381053 Cluster IP is unavailable for some time during tenant reboot
1377629-2 3-Major   Failed to ping tenant mgmt-ip
1377257 3-Major BT1377257 Qkview can crash collecting telemetry database
1338557 3-Major BT1338557 VM events are not captured inside the log file
1327229-2 3-Major   Some nuisance messages are sent to the platform log after every authentication configuration change
1326021-2 3-Major BT1326021 Corrupted state of data plane in r5600 can result in egress packet corruption
1321429-3 3-Major BT1321429 F5-PLATFORM-STATS-MIB::diskPercentageUsed not available.
1320853 3-Major BT1320853 Config restore fails on system with lower size if the tenant is deployed with max size on original system
1285997 3-Major   LLDP is allowed to configure on interfaces when virtual wire is enabled
1253717 3-Major BT1253717 iavf driver crashes intermittently on r2000 or r4000 systems during system reboot
1250901-4 3-Major BT1250901 On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state
1222721 3-Major BT1222721 Deletion of STP configuration using "no stp" is failing
1195201-3 3-Major BT1195201 Missing/defective DIMM not reported sufficiently to end user
1083921-2 3-Major   VLAN name change is not allowed once a tenant is launched
1080437-2 3-Major   VerifyDmesg test failure
1063649-2 3-Major   Changing the system date to be older than the installation date is not supported.
1490621-1 4-Minor BT1490621 Snmpv1 traps have a agent-addr set to 0.0.0.0 instead of a management IP
1390485 4-Minor   Calendar navigator skips one month
1112317-1 4-Minor BT1112317 Null bytes or non-ascii characters are present in velos.log

 

Known Issue details for F5OS-A v1.8.x

1660961-2 : Active Directory LDAP integration without uidNumber/gidNumber does not work with LDAP over TLS

Component: F5OS-A

Symptoms:
Configuring an F5OS device to integrate with Active Directory using group names to map to roles rather than requiring unix attributes (uidNumber/gidNumber) in the directory will not work if the LDAP servers are configured to use encryption (TLS/SSL).

Log messages similar to the following in platform.log / velos.log:

authd[8]: priority="Err" version=1.0 msgid=0x3901000000000101 msg="LDAP API error during : -" oper="bind" code=-1 msg="Can't contact LDAP server".
authd[8]: priority="Warn" version=1.0 msgid=0x3901000000000098 msg="Unable to retrieve domain Sid for supplied servers and domains; server will be treated as if it has unix attributes present.".

Conditions:
- LDAP system authentication configured to authenticate against an Active Directory Server
- Under the system Authentication Settings configuration in the Common LDAP Configuration section, "Authenticate with Active Directory" set to True and "Unix Attributes" set to False
- LDAP group filters specified for one or more roles

Impact:
LDAP authentication functions based on unix attributes in the directory (uidNumber/gidNumber)

Workaround:
None


1624665-2 : ConfD state data shows key and certificate configured for secure (mTLS) even after deleting from config

Component: F5OS-A

Symptoms:
ConfD operational state data shows key and certificate configured for mutual transport layer security (mTLS) even after deleting them from configuration.

Conditions:
The exporter is configured with mutual TLS, and then the key and certificate are deleted from the configuration. ConfD operational state data still displays the deleted key and certificate for the exporter.

Impact:
No functional impact.

Workaround:
Delete the exporter and reconfigure it again.

Command to delete the exporter from ConfD CLI:

no system telemetry exporters exporter <exporter-name>


1623345-1 : On rSeries system, power cycle reboot might result in QAT device failure

Component: F5OS-A

Symptoms:
If you enable rate limiting and perform a power cycle reboot, it is possible that some or all of the QAT devices may not be operational. This is because of the sudden power shutdown. To check the rate-limiting status, use the following command.

[root@appliance-1:Active] ~ # su admin <<< "show cluster nodes node node-1 state rate-limiting"
state rate-limiting enabled
[root@appliance-1:Active] ~ #

For the affected QAT devices, the SLA allocation commands fail with the console messages below when the hardware comes up after a power off/on reboot. You can also check these logs with the dmesg command.

[ 134.814182] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.820603] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.826998] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.833369] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.839754] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.846134] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.852479] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.858886] c6xx 0000:55:00.0: Service is not enabled 0


The console is also flooded with the du_mgr query logs below.

[ 5996.156402] c6xx 0000:54:00.0: Failed to query du VF: -22
[ 6001.748492] c6xx 0000:54:00.0: Service is not enabled 0
[ 6001.753717] c6xx 0000:54:00.0: Failed to query du VF: -22
[ 6007.351849] c6xx 0000:54:00.0: Service is not enabled 0
[ 6007.357079] c6xx 0000:54:00.0: Failed to query du VF: -22
[ 6012.965789] c6xx 0000:54:00.0: Service is not enabled 0
[ 6012.971001] c6xx 0000:54:00.0: Failed to query du VF: -22
[ 6018.853868] c6xx 0000:54:00.0: Service is not enabled 0
[ 6018.859096] c6xx 0000:54:00.0: Failed to query du VF: -22
[ 6024.585181] c6xx 0000:54:00.0: Service is not enabled 0
[ 6024.590401] c6xx 0000:54:00.0: Failed to query du VF: -22
[ 6030.197135] c6xx 0000:54:00.0: Service is not enabled 0
[ 6030.202348] c6xx 0000:54:00.0: Failed to query du VF: -22

The ConfD table is also not populated with rate limiting stats for the deployed tenants.

[root@appliance-1:Active] ~ # su admin <<< " show cluster nodes node node-1 state cryptos "
TENANT ASLA ASLA ASLA SLA SLA SLA
NAME QAT DEVICE NAME BDF MIN USED UTIL MIN USED UTIL
-----------------------------------------------------------------------
orange5 qat_dev_vf08pf04 c6:02.0 - - - - - -
         qat_dev_vf08pf05 c7:02.0 - - - - - -
         qat_dev_vf09pf00 53:02.1 - - - - - -
         qat_dev_vf09pf01 54:02.1 - - - - - -
         qat_dev_vf09pf02 55:02.1 - - - - - -
         qat_dev_vf09pf03 c5:02.1 - - - - - -
         qat_dev_vf09pf04 c6:02.1 - - - - - -
         qat_dev_vf09pf05 c7:02.1 - - - - - -
         qat_dev_vf10pf00 53:02.2 - - - - - -
         qat_dev_vf10pf01 54:02.2 - - - - - -

[root@appliance-1:Active] ~ #

Conditions:
The issue might occur in a power cycle reboot of the rSeries F5OS-A system with multiple tenants deployed. The logs below are observed on the console when this occurs. To check the logs, use the dmesg command.

[ 134.814182] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.820603] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.826998] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.833369] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.839754] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.846134] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.852479] c6xx 0000:55:00.0: Service is not enabled 0
[ 134.858886] c6xx 0000:55:00.0: Service is not enabled 0

Impact:
QAT devices may encounter an issue where Rate Limiting does not function properly for tenants deployed on the rSeries host. The Rate Limiting stats are not updated in ConfD, and the console is flooded with error logs.

The logs can also be viewed using the dmesg command.

[ 5996.156402] c6xx 0000:54:00.0: Failed to query du VF: -22
[ 6001.748492] c6xx 0000:54:00.0: Service is not enabled 0
[ 6001.753717] c6xx 0000:54:00.0: Failed to query du VF: -22
[ 6007.351849] c6xx 0000:54:00.0: Service is not enabled 0

Workaround:
Rebooting the appliance will solve the issue caused by the malfunctioning QAT devices.


1623101-1 : External OTEL server receives log data for both the platform and event logs, even if only one of them has been configured

Component: F5OS-A

Symptoms:
The configured OTEL exporter receives log data from both platform-log and event log, even when only one of them is configured.

Conditions:
This occurs when you configure one telemetry exporter with only either of “platform-log” or “event-log” instruments and another telemetry exporter with “all” or “logs” or both “[platform-log event-log]” instruments.

Impact:
The telemetry exporter configured to receive only platform-log or event-log instrument data will receive data from both log instruments.

Workaround:
None


1622869-2 : Might see TPOB core after HA disassembly

Component: F5OS-A

Symptoms:
TPOB container might crash after performing BIG-IP Next-HA disassembly operation.

Conditions:
-- BIG-IP Next in a HA pair
-- The HA pair is disassembled and factory reset

Impact:
No impact, as the container gets re-created

Workaround:
None


1621917 : Stale VFIO devices entries upon BIG-IP Next Tenant deletion

Component: F5OS-A

Symptoms:
On several occasions, when deleting a BIG-IP Next Tenant, the system did not properly clean up and left behind outdated entries in the /var/F5/system/tenants/ folder, which includes symlinks to the VFIO devices.

Conditions:
During BIG-IP Next tenant deletion

Impact:
System downgrades to versions less than 1.8.0 will not be allowed.

Workaround:
Log in to the system with root credentials and manually delete the stale entries in /var/F5/system/tenants/.


1621785-1 : Mstp topology convergence after changing the priority of instance is not taking place.

Component: F5OS-A

Symptoms:
Modifying port priorities after configuring the MSTI instances does not change the bridge port roles.

Conditions:
Configure MSTI
1. Create VLANs.
2. Attach VLANs to the interfaces.
3. Enable MSTP using webUI. Select Network Settings > STP configuration and select MSTP.
4. Create an instance (1) and attach a VLAN to it (created VLANs).
5. Add the interfaces to instance 1.
6. Once MSTP is converged, modify the bridge priority to make the F5OS device the root.
7. Observe that the F5OS device fails to become root.

Impact:
MSTP convergence does not happen after updating port roles.

Workaround:
Restart the container from ConfD using the following command:

system diagnostics, os-utils docker restart node platform service system_stpd

This resolves the issue by revising topology changes and assigning proper port roles.


1621769-1 : Observing FPGA errors when VLAN cannot configured for the interface and VLAN state is not set up

Component: F5OS-A

Symptoms:
FPGA error logs are observed for interfaces that are not configured in the MSTP instance.

Conditions:
1. Create VLANs.
2. Attach VLANs to the interfaces.
3. Enable MSTP using webUI. Select Network Settings > STP configuration and select MSTP.
4. Create an instance(1) and attach a VLAN to it (created VLANs).
5. Add the interfaces to instance 1.
6. You will observe errors under platform.log.

Impact:
There is no impact on MSTP behaviour and convergence.

Workaround:
None


1621757-1 : Observing "Stp Maapi request to readPortFlushes failed" errors while enabling MSTP port

Component: F5OS-A

Symptoms:
MSTP port flush failed when configuring instance.

Conditions:
1. Create VLANs.
2. Attach VLANs to interfaces.
3. Enable MSTP using GUI. Network settings > STP Configuration - MSTP
4. Create an instance and attach a VLAN to it (created VLANs).
5. Observe errors under platform.log and /var/log/messages.

Impact:
No major impact on MSTP topology.

Workaround:
None


1621449-1 : Error related to removal of orphan pod related subpaths in /var/log/messages

Component: F5OS-A

Symptoms:
No functionality issue. A log dump with the error "device or resource busy" appears in /var/log/messages.

Conditions:
Upgrading from F5OS-A 1.8.0 or lower version to later versions

Impact:
No functional impact

Workaround:
Run "umount <path>", where <path> is the path that failed to be removed.

For example

2024-07-29T11:02:24.876704+00:00 appliance-1.chassis.local k3s: E0729 11:02:24.875805 19711 kubelet_volumes.go:180] "There were many similar errors. Turn up verbosity to see them." err="orphaned pod \"7023f856-efff-4f17-8b2d-c794627021e8\" found, but failed to remove subpath at path /var/lib/kubelet/pods/7023f856-efff-4f17-8b2d-c794627021e8/volume-subpaths/sdag-volume/f5-fsm-tmm/11: remove /var/lib/kubelet/pods/7023f856-efff-4f17-8b2d-c794627021e8/volume-subpaths/sdag-volume/f5-fsm-tmm/11: device or resource busy" numErrs=1

Here is the workaround for the above error:

umount /var/lib/kubelet/pods/7023f856-efff-4f17-8b2d-c794627021e8/volume-subpaths/sdag-volume/f5-fsm-tmm/11


For a non-root user, a system reboot is another workaround; however, it impacts tenant functionality, so use it cautiously.
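
The workaround above is applied one path at a time. As an added example (not F5 tooling and not part of the release notes), the following shell functions extract the stuck subpaths from kubelet error lines and print the matching umount commands for review, without unmounting anything. The function names, the path-shape check, and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: turn kubelet "orphaned pod ... device or resource busy"
# errors into a list of umount commands to review (dry run only).

# Accept only paths shaped like <pods dir>/<pod UUID>/volume-subpaths/...
# (assumption: this mirrors the layout seen in the log line quoted above).
SUBPATH_RE='^/var/lib/kubelet/pods/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/volume-subpaths/[A-Za-z0-9._/-]+$'

# Constructed sample input. Line 1 is the error quoted in this entry, line 2
# repeats it with a later (constructed) timestamp, line 3 is unrelated, and
# line 4 is a constructed error whose path lies outside the kubelet pods tree.
sample_log() {
cat <<'EOF'
2024-07-29T11:02:24.876704+00:00 appliance-1.chassis.local k3s: E0729 11:02:24.875805 19711 kubelet_volumes.go:180] "There were many similar errors. Turn up verbosity to see them." err="orphaned pod \"7023f856-efff-4f17-8b2d-c794627021e8\" found, but failed to remove subpath at path /var/lib/kubelet/pods/7023f856-efff-4f17-8b2d-c794627021e8/volume-subpaths/sdag-volume/f5-fsm-tmm/11: remove /var/lib/kubelet/pods/7023f856-efff-4f17-8b2d-c794627021e8/volume-subpaths/sdag-volume/f5-fsm-tmm/11: device or resource busy" numErrs=1
2024-07-29T11:02:39.876704+00:00 appliance-1.chassis.local k3s: E0729 11:02:39.875805 19711 kubelet_volumes.go:180] "There were many similar errors. Turn up verbosity to see them." err="orphaned pod \"7023f856-efff-4f17-8b2d-c794627021e8\" found, but failed to remove subpath at path /var/lib/kubelet/pods/7023f856-efff-4f17-8b2d-c794627021e8/volume-subpaths/sdag-volume/f5-fsm-tmm/11: remove /var/lib/kubelet/pods/7023f856-efff-4f17-8b2d-c794627021e8/volume-subpaths/sdag-volume/f5-fsm-tmm/11: device or resource busy" numErrs=1
2024-07-29T11:02:40.000000+00:00 appliance-1.chassis.local k3s: I0729 11:02:40.000000 19711 constructed.go:1] "unrelated constructed message"
2024-07-29T11:02:41.000000+00:00 appliance-1.chassis.local k3s: E0729 11:02:41.000000 19711 kubelet_volumes.go:180] "constructed" err="failed to remove subpath at path /mnt/constructed-example/11: remove /mnt/constructed-example/11: device or resource busy" numErrs=1
EOF
}

# Read syslog lines on stdin and print each distinct path that kubelet
# reported as busy, one per line. No validation is done at this stage.
extract_busy_subpaths() {
    grep -F 'failed to remove subpath at path' |
    grep -F 'device or resource busy' |
    sed -n 's#.*failed to remove subpath at path \(/[^: ]*\): remove .*#\1#p' |
    LC_ALL=C sort -u
}

# Read syslog lines on stdin and print "umount <path>" for every reported
# path that passes the shape check. Paths containing ".." or lying outside
# the kubelet pods tree are dropped, so a malformed or unexpected log line
# cannot steer the command at some other mount point.
plan_umounts() {
    extract_busy_subpaths | while IFS= read -r p; do
        case "$p" in
            *..*) continue ;;
        esac
        if printf '%s\n' "$p" | grep -Eq "$SUBPATH_RE"; then
            printf 'umount %s\n' "$p"
        fi
    done
}

# Usage on the appliance, as root, reviewing the output before running it:
#   plan_umounts < /var/log/messages
```
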


1620077 : FDB entry port motion not working if new interface is a trunk/LAG

Links to More Info: BT1620077

Component: F5OS-A

Symptoms:
Immediately after fail-over of traffic from one trunk/LAG to another, outbound traffic from the appliance or chassis to certain addresses may be interrupted for up to 5 minutes before recovering.

Conditions:
Switching traffic from one LAG to another on an appliance or chassis.

Impact:
Temporary disruption of tenant’s outbound traffic on an appliance or chassis system.

Workaround:
None


1614333 : OPT-0054-01, Innolight (TR-PY13L-NF5, Rev ‘R1A’) optic experiencing intermittent link problems when connected to r2000/r4000 port 5.0

Links to More Info: BT1614333

Component: F5OS-A

Symptoms:
OPT-0054-01, Innolight (TR-PY13L-NF5, Rev ‘R1A’) optic experiencing intermittent link problems when connected to r2000/r4000 Port 5.0.

Enter the following command in ConfD to display the optic on port 5.0:
show portgroups portgroup 5

Output of the following commands indicate the interface is down and not detected:
- show interfaces interface 5.0
- ethtool sfp_5

Conditions:
Inserting the Innolight “R1A” optic into port #5 of a r2000/r4000.

Impact:
Port #5 does not become active; speed & duplex are reported as unknown.

Workaround:
F5 recommends you use one of the following optics in place of the OPT-0054-01 Innolight rev R1A:
- OPT-0054-01 Finisar/IR-VI (FTLF1436P3BCL-F5, Rev ‘RA1’) optic.
- OPT-0054-01 Innolight rev R2C

To identify the OPT-0054-01 Innolight (TR-PY13L-NF5, Rev ‘R1A’) optic, use the revision number. For more information, refer to the example in K000140617 at https://my.f5.com/manage/s/article/K000140617: Verify the right optics module to install on your F5OS system.


1612429 : License installation is not working with HTTPS Proxy server

Component: F5OS-A

Symptoms:
License installation is not working with SSL-enabled proxy server.

Conditions:
The SSL-enabled proxy server is unable to perform an SSL handshake when installing a license through a proxy server.

Impact:
License installation will fail with proxy server.

Workaround:
Install the license manually or use an HTTP proxy.


1612101-1 : When vCPU cores configuration changed for BIG-IP Next tenant, RRD stats shows both the old and new CPU data stats

Component: F5OS-A

Symptoms:
The RRD stats display the data for old and new CPU cores. You can match the new CPU cores and validate the data. The old CPU cores data is invalid and should not be displayed.

Conditions:
When the user configures a BIG-IP Next tenant and changes the vCPU cores.

Impact:
No Functional Impact. Both old and new data stats appear for cpu-stats in RRD. However, data streaming works as expected.

Workaround:
None


1603685-1 : ISO import status is stuck at verifying and ISO removal does not remove the ISO from /var/import/staging

Component: F5OS-A

Symptoms:
ISO import status will be stuck at verifying. When attempting to remove an ISO from the CLI/GUI, the ISO will be deleted from ConfD, but will remain in the system’s /var/import/staging directory.

Conditions:
No specific condition.

Impact:
The ISO is stuck at verifying. Hence, an upgrade to the ISO cannot be done.

Workaround:
1. Restart sw-mgmt.service.
   systemctl restart sw-mgmt.service
2. Restart system-image-agent container.
   docker restart system_image_agent

OR

Reboot the device.


1600949 : Tenant status is not accurate when the F5OS upgrade is in progress

Component: F5OS-A

Symptoms:
The “show tenants” data is not updated properly when the firmware upgrade is in progress.

Conditions:
During upgrade, if “show system install status” shows in progress, the data is not updated as k3s is not turned up completely.

Impact:
No functional impact. Users should get accurate data once the firmware installation is complete. Refer to the “show tenants” data after the system upgrade is completed.

Workaround:
Wait until the upgrade activity is completed.


1594149 : Next Tenant Management interface is turned down/unreachable

Component: F5OS-A

Symptoms:
A BIG-IP Next Tenant Management Interface remains down.

Conditions:
-- VELOS or rSeries is the host
-- The maximum number of BIG-IP tenants are deployed
-- Some tenants are deleted
-- Some BIG-IP Next tenants are simultaneously deployed

This can cause the new tenant to have the same MAC address as the tenant that is still shutting down, and the interface will not be marked up.

Impact:
1. BIG-IP Next tenant's management interface will remain down.
2. Tenant will be unreachable.

Workaround:
1. Move the affected tenant from Configured to Deployed
2. Rebooting the system also fixes the issue, as it will delete and create the interface again.


1591961-1 : Observing "Failed to send restarting msg to VF" errors during reboot

Component: F5OS-A

Symptoms:
This error “Failed to send restarting msg to VF” appears during reboot and causes a delay in reboot.

Conditions:
When two or more BIG-IP tenants are deployed.

Impact:
Delay in reboot time.

Workaround:
None


1589161 : Observing kube-dns service error log flood in /var/log/messages after appliance downgrade

Component: F5OS-A

Symptoms:
After an appliance downgrade from F5OS-A 1.7.0/F5OS-A 1.8.0 to any version lower than F5OS-A 1.7.0, a log flood with the error below is seen in /var/log/messages.

level=error msg="Failed to process config: failed to process /var/lib/rancher/k3s/server/manifests/corednsfile.yaml: failed to update kube-system/kube-dns /v1, Kind=Service for kube-system/corednsfile: Service \"kube-dns\" is invalid: spec.clusterIPs[0]: Invalid value: []string(nil): primary clusterIP can not be unset"

Conditions:
When a downgrade is performed from F5OS-A 1.7.0/F5OS-A 1.8.0 to any version lower than F5OS-A 1.7.0, an error log flood related to the kube-dns service is seen in /var/log/messages.

Impact:
No functional impact, except for the log flood, which occurs once every 15 seconds.

Workaround:
Execute the following command on the appliance:

kubectl delete svc kube-dns -n kube-system


1587569-1 : Every tenant receives the traffic of all other tenants if VLAN is shared across

Component: F5OS-A

Symptoms:
This is a product limitation in F5OS-A on r2000 and r4000 based systems.

Conditions:
Assigning an identical VLAN to two different tenants.

Impact:
Every tenant receives the traffic of all other tenants.

Workaround:
None.


1585609-1 : rSeries tenant silent reboot; Tenant liveness probes failed

Component: F5OS-A

Symptoms:
Tenant pod is restarted with the following error - ‘Liveness probe failed’.

Conditions:
K3s failed to perform successful liveness probes four consecutive times.

Impact:
As a recovery mechanism, K3s will restart the pod and lower downtime of the tenant is expected.

Workaround:
K3s will automatically restart the pod and no action is expected from the user.


1585373-2 : Outdated or old Service-Instances for Tenant

Component: F5OS-A

Symptoms:
The service-instances table contains a large number of outdated or old entries.

Conditions:
This issue can occur if a Tenant pod has been repeatedly restarted.

Impact:
Datapath connectivity to Tenant can be impacted.

Workaround:
Reboot the appliance to clear the issue.


1585237 : When telemetry exporter is not reachable, logs to enable send_queue or retry will be printed in platform.log

Component: F5OS-A

Symptoms:
When telemetry exporter is not reachable, logs to enable send_queue or retry will be printed in platform.log.

Conditions:
Logs will be printed only when configured telemetry exporter is not reachable.

Impact:
No functional impact.

Workaround:
Ensure the exporter is reachable.


1576345-1 : Port mode mismatch on QSFP ports can cause interface flaps on other ports

Links to More Info: BT1576345

Component: F5OS-A

Symptoms:
When the port mode is mismatched on a Front Panel QSFP port, it can cause port interface flapping on other ports.

Conditions:
A port mode mismatch, such as a 100GE optic installed when the port is configured for 40GE operating mode.

Impact:
The status on other interfaces may incorrectly show ‘down’ when the interface is ‘up’.

Workaround:
Do not operate in a mismatched mode.


1575953-1 : BIG-IP NEXT tenant stuck at provisioning state with live upgrade when tenant bring-up is in progress

Component: F5OS-A

Symptoms:
During the BIG-IP NEXT tenant bring-up process, performing a live upgrade will result in the BIG-IP Next tenant being unable to complete the provisioning state.

Conditions:
1. PXE install version v1.8.0.
2. Configure appliance network, DNS, and install license.
3. Downgrade to version v1.7.0 (validate, if you observe rollback-related commands)
4. Upgrade the device to version v1.8.0 and deploy BIG-IP tenant
5. Validate datapath on BIG-IP tenant and deploy BIG-IP NEXT tenant with image (BIG-IP-Next-20.2.1-2.389.6.tar.bundle)
6. While the BIG-IP NEXT tenant bring-up is in progress, live upgrade the box to v1.8.0 build.
7. Observe the next tenant status.

Impact:
BIG-IP NEXT tenant is stuck at provisioning state after live upgrade, while tenant bring-up is in progress.

Workaround:
Restart the tenant, for example by toggling the tenant state (move the tenant to the configured state and then back to the deployed state).


1575433-2 : "ReadyRequest failed for 'system_fpga' @ 'tcp://127.0.0.1:1060', Inner -> 'receive timeout'" logs are being seen couple of times a day

Component: F5OS-A

Symptoms:
The log message "ReadyRequest failed for 'system_fpga' @ 'tcp://127.0.0.1:1060', Inner -> 'receive timeout'" is seen a couple of times a day in platform.log.

Conditions:
ReadyRequest for the service ‘system_fpga’ times out

Impact:
Alarming log messages are repeatedly displayed. These logs can be ignored.

Workaround:
None


1574773-1 : On rSeries system, operations which involve reboot, might result in Tenant failure state

Component: F5OS-A

Symptoms:
After a reboot of the F5OS-A rSeries system during any operation (for example, live upgrade or reboot) with multiple tenants deployed, some or all of the tenants might not become operational. This is due to a vfio device problem, which causes the tenant pods to enter a restart loop and never come up.

The tenant pod state can be checked with the below command on the host system.

[root@appliance-1:Active] vfio # kubectl get pods
NAME READY STATUS RESTARTS AGE
f5-resource-manager-bpnrr 1/1 Running 0 3h
virt-launcher-bigip-14-1-kz56l 1/1 Running 0 3h4m
virt-launcher-bigip-19-1-5m72j 1/1 Running 0 3h4m
virt-launcher-bigip-3-1-pn6c2 1/1 Running 0 3h4m
virt-launcher-bigip-4-1-8x4cc 1/1 Running 0 3h4m
virt-launcher-bigip-20-1-q99b7 1/1 Running 0 3h4m
virt-launcher-bigip-5-1-vr4cf 1/1 Running 0 3h4m
virt-launcher-bigip-18-1-zfrns 1/1 Running 0 162m
virt-launcher-bigip-1-1-qhjd5 1/1 Terminating 0 4m8s
virt-launcher-bigip-13-1-vjwwd 1/1 Terminating 0 3m19s
virt-launcher-bigip-12-1-7swfq 0/1 Completed 0 87s
virt-launcher-bigip-16-1-pqjx6 1/1 Running 0 43s
virt-launcher-bigip-15-1-56x2g 0/1 PodInitializing 0 5s
[root@appliance-1:Active] vfio #

Conditions:
The issue might occur in a live software upgrade or any situation that involves a reboot of the rSeries F5OS-A system with multiple tenants deployed.

The logs below are observed repeatedly in the logs of the affected pod, once for every retry of the vfio device access by qemu-kvm.

[root@appliance-1:Active] # kubectl get pods

This command shows the pod name. Use the following command to see the log of the problem pod. The hash in the pod name changes on every restart of the pod.

[root@appliance-1:Active] # kubectl logs <<Problem Pod name displayed in above command>> | grep busy

qemu-kvm: -device vfio-pci,host=0000:54:02.1,id=hostdev0,bus=pci.10,addr=0x0: vfio 0000:54:02.1: failed to open /dev/vfio/130: Device or resource busy

Impact:
Some or all of the vfio devices are in a problem state, so some or all of the tenants deployed on the rSeries host do not work as expected. They do not change to a RUNNING state.

Workaround:
As the vfio devices are in a problem state, a reboot of the appliance will resolve the issue.


1568485-2 : GRE V1 packets are being dropped before even reaching BIG-IP on F5 r2xxx/r4xxx

Links to More Info: BT1568485

Component: F5OS-A

Symptoms:
GRE V1 packets are dropped at the Intel E810 firmware before reaching the BIG-IP tenant on F5 r2xxx/r4xxx platforms.

Conditions:
When GRE V1 packets are destined for BIG-IP tenants running on F5 r2xxx/r4xxx platforms.

Impact:
GRE V1 traffic does not reach BIG-IP tenants on F5 r2xxx/r4xxx platforms.

Workaround:
None


1566917-2 : The ha-1-deployment pod may get restarted after HA setup and system upgrades

Component: F5OS-A

Symptoms:
When HA is configured on the BIG-IP Next tenants, a new pod named <tenant-name>ha-1-deployment-<replica-set-hash>-<pod-id> will be created in the tenant namespace.

In some cases, the pod restart count may be 1 or 5.

Conditions:
When HA is set up on BIG-IP Next tenants on rSeries and after upgrading F5OS 1.7.0 to F5OS 1.8.0 version.

Impact:
No functional impact. The pod will automatically transition to a running state.

Workaround:
None


1552921 : Password policy option reject-username set to false has no effect

Links to More Info: BT1552921

Component: F5OS-A

Symptoms:
When the administrator configures 'system aaa password-policy config reject-username false', F5OS will still reject passwords that contain the username.

Conditions:
System aaa password-policy config reject-username is set to false

Impact:
When a user tries to set or change a password containing their username in any part of the password, F5OS will reject that password.

Workaround:
Do not use passwords that contain the username.


1505497-3 : During remote logging server configuration, selectors help menu does not display when using Tab key.

Component: F5OS-A

Symptoms:
While configuring the remote logging server, using the Tab key does not display the selector help menu.

Conditions:
While configuring the remote logging server, using the Tab key does not display the selector help menu.

Impact:
No help menu is displayed.

Workaround:
Use the ? key to get help in the selectors menu while configuring the remote server.


1491209-1 : Non-root, local authentication fails when LDAP is configured with chase referrals and an invalid DNS server is configured

Links to More Info: BT1491209

Component: F5OS-A

Symptoms:
Local and remote authentication to F5OS will time out and fail. Running commands as root may take 60 seconds before each command returns.

Conditions:
LDAP authentication is configured with chase-referrals set to true and an invalid or non-responsive DNS server is also configured.

Impact:
Users cannot successfully authenticate via the GUI. Local admin users cannot successfully authenticate. Logging in as root takes 2 minutes and many system commands will take at least 60 seconds to complete.

Workaround:
Set 'system aaa authentication ldap chase-referrals false' or ensure a working DNS server is always configured.


1490621-1 : Snmpv1 traps have an agent-addr set to 0.0.0.0 instead of a management IP

Links to More Info: BT1490621

Component: F5OS-A

Symptoms:
When the SNMP V1 version is configured for SNMP trap monitoring, the received traps will have the agent-address set to 0.0.0.0 instead of the system's mgmt IP. This issue affects only SNMP V1 version traps.

Conditions:
SNMP V1 version traps will have the agent-address set to 0.0.0.0; the remaining trap OID values are correct.

Impact:
The user cannot see the system's mgmt IP address in the agent-address field of SNMP V1 version traps.

Workaround:
F5OS suggests using the SNMP V2 version for monitoring SNMP traps, which populates the IP address correctly with the system's mgmt IP.


1469485-1 : "show components component state memory full" does not have any meaningful output

Links to More Info: BT1469485

Component: F5OS-A

Symptoms:
The 'full' command displayed under 'show components component state memory' does not have any meaningful output.

Conditions:
When the user runs the command 'show components component state memory full', there is no output generated.

Impact:
No functional impact.

Workaround:
None


1399129 : Duplicate platform agent log entries when tenant starts

Links to More Info: BT1399129

Component: F5OS-A

Symptoms:
Multiple f5-platform-agent.log messages may be seen for cluster subscribe: API client already subscribed.

Conditions:
The BIG-IP Next tenant is starting on rSeries hardware.

Impact:
No functional issue, tenant starts as expected.

Workaround:
None


1390485 : Calendar navigator skips one month

Component: F5OS-A

Symptoms:
On the "Time Settings" screen, when using the calendar navigator to "Set Time & Date", the navigation arrow for the next month skips one month.

Conditions:
Using the navigation arrow when the currently selected date is the 31st of a month and the next month has only 30 days.

Impact:
If the user wants to make a selection in the next month while the current selection is the 31st of a month, they will not be able to do that in the first go with the navigation arrow.

Workaround:
Users will be able to navigate to the desired month by using the back arrow.


1381237-2 : Messages like "Failed to set up mount unit" may flood in /var/log/messages file

Component: F5OS-A

Symptoms:
This occurs when a BIG-IP Next tenant is deployed on rSeries platforms while generating QKView files on the host (F5OS-A). Messages like "Failed to set up mount unit: Invalid argument" may flood in /var/log/messages file.

Conditions:
When a BIG-IP Next tenant is deployed and QKView files on the host (F5OS-A) are generated.

Impact:
Log messages with pattern "systemd: Failed to set up mount unit: Invalid argument" in /var/log/messages are flooded for 10-20 seconds.

Workaround:
Log messages are flooded while QKView files are generating for 10-20 seconds. After this, the flooding stops.


1381053 : Cluster IP is unavailable for some time during tenant reboot

Links to More Info: BT1381053

Component: F5OS-A

Symptoms:
Cluster IP/Floating IP becomes inactive, causing API calls to fail temporarily.

Conditions:
Intermittently when the system/tenant is rebooted.
When tenant running-state is toggled (deployed->configured->deployed).

Impact:
API calls are failing temporarily. CM will not be able to get the status of the HA.

Workaround:
1. Log in to the rSeries device on which the current ACTIVE HA node is running.
2. Execute the command below with appropriate changes:
docker exec -it node-agent arping -q -c 5 -W 0.01 -U -P -I <tenant mgmt interface> -S <tenant mgmt VIP> <tenant mgmt VIP>
The tenant mgmt interface can be found by running 'ip a s | grep mgmt' as root.


1380705 : BIG-IP tenant is stuck during boot up after doing tenant upgrade from 15.1.x to 17.1.x

Component: F5OS-A

Symptoms:
When an F5OS reboot is followed by a tenant upgrade from 15.1.x to 17.1.x, the tenants get stuck during boot up. This is applicable for both FIPS and normal licenses.

[ 183.888473] [ OK ] Started dracut initqueue hook.
[ OK ] Reached target Remote File Systems (Pre).
[ OK ] Reached target Remote File Systems.
dracut-initqueue[251]: Warning: dracut-initqueue timeout - starting timeout scripts
[* ] A start job is running for dev-disk...54e.device (3min 36s / no limit)

The problem does not occur in all the deployed tenants. The main cause is that the BIG-IP tenant fails to boot when its LVM cache/metadata is not synced or is corrupted.

Conditions:
Host reboots followed by guest upgrade.
Tenants get rebooted and retain LVM info, the host gets rebooted, and tenants lose LVM info. There is a timing issue for LVM caching.

Impact:
Datapath and tenant configuration will be lost.

Workaround:
No workaround except recovery of the tenant. To recover the tenant we need manual intervention. We need to enter Maintenance mode, recover the LVMs, and reboot.

Booting into TMOS Maintenance:

The easiest way to do this is as follows.

In one window:
  while [ 1 ];do virtctl console cbip-tenant1-1 -n default;done

In another window:
  ps auxww|grep cbip-tenant1-1
  kill that qemu pid

Then go back to the console window, select maintenance in the grub menu, and execute vgcfgrestore.

Please note this is not foolproof.


1378917-2 : FIPS partition details are not seen in the tenant console when it is configured without waiting until its status is 'Running'

Component: F5OS-A

Symptoms:
FIPS partition details are not seen after connecting to the tenant console when it is configured without waiting until its status is 'Running.'

Conditions:
Ensure the tenant is deployed and the running-state is changed to 'configured.' Then, change the running-state to 'deployed' along with the FIPS partition details without waiting for tenant to start.

Impact:
The tenant does not show the FIPS partition details.

Workaround:
Wait until the tenant comes up and either change the configuration or redeploy the tenant with the required configuration.


1377629-2 : Failed to ping tenant mgmt-ip

Component: F5OS-A

Symptoms:
Failed to ping tenant mgmt-ip.

Existing and deployed tenant config mismatch.

Conditions:
When the user modifies tenant config and moves the tenant to Deployed state before the old tenant instance gets cleaned up completely.

Impact:
Tenant will be running with old config and will not be able to ping tenant mgmt-ip.

Workaround:
Move the tenant to configured state and once tenant is terminated completely, move it to deployed state.


1377257 : Qkview can crash collecting telemetry database

Links to More Info: BT1377257

Component: F5OS-A

Symptoms:
If there is activity in the telemetry database while qkview is collecting it, the collection of the platform monitoring container will be incomplete, due to the qkview collection executable crashing.

Conditions:
Telemetry database is in flux during a qkview collection

Impact:
1. A qkview core file will be created.
2. platform monitor container debug data is not collected

Workaround:
Re-run qkview


1341701 : Unable to launch tenant, as VF interface is getting incorrect name while attaching to tenant.

Links to More Info: BT1341701

Component: F5OS-A

Symptoms:
On r2x00/r4x00 related systems, tenant launch fails with an error in ConfD tenant status leaf:

"[default/virt-launcher-bip1-1-9sblf:sriov-net3-bip1]: error adding container to network "sriov-net3-bip1": failed to set up pod interface "net7" from the device "x557_4": failed to set netlink MAC address to 00:94:a1:db:bd:0c: resource temporarily unavailable"

Linux network manager udev rules and sriov cni both try to access the VF and change the interface name of the VF. During this process, the VFs fail and cannot be retrieved, so the "resource temporarily unavailable" error occurs.

Conditions:
On r4x00 or r2x00 based systems:

1. In kubectl get pods -A output, the tenant pod goes into Init:0/1 state.
default virt-launcher-bip1-1-t6rkh 0/1 Init:0/1 0 36s
2. And in kubectl events, "resource temporarily unavailable" occurs on one of the VFs.
3. In the /sys/class/net folder, the VF interfaces listed below are not visible. Instead, some interfaces point to ensp* names, which are wrong.

The correct result should be as follows:
[root@appliance-1 ~]# ls /sys/class/net
apigw-dummy-1 lcd sfp_7 sfp_p6v0503 veth0c09f23b veth6cec172f vethea3619d5 x557_p1v1100 x557_p3v1902
br_appliancenet lcd-intf sfp_8 sfp_p7v0900 veth2765115 veth80370796 vetheccdd5fb x557_p1v1101 x557_p3v1903
cni0 lo sfp_p5v0100 sfp_p7v0901 veth3f32fd86 veth82a8440b vethf4081a48 x557_p1v1103 x557_p4v1d00
default-intf mgmt sfp_p5v0101 sfp_p7v0903 veth4ab82fc6 veth8cda0b4d x557_1 x557_p2v1500 x557_p4v1d01
docker0 mgmt0-system sfp_p5v0102 sfp_p8v0d01 veth50d18b0 veth9e8b2e8c x557_2 x557_p2v1502 x557_p4v1d02
dummy0 sfp_5 sfp_p6v0500 sfp_p8v0d02 veth5fe12ffd vethac6590f8 x557_3 x557_p2v1503
flannel.1 sfp_6 sfp_p6v0502 sfp_p8v0d03 veth64783052 vethb688f03e x557_4 x557_p3v1901

Impact:
Tenant launch is unsuccessful, and it is not possible to connect to the tenant console or the tenant's management connection.

Workaround:
1. Move tenants to configured state.

2. Remove the ice and iavf drivers using the following commands:
a. "rmmod /lib/modules/3.10.0-1160.71.1.F5.el7_8.x86_64/updates/drivers/net/ethernet/intel/ice/ice.ko"

b. "rmmod /lib/modules/3.10.0-1160.71.1.F5.el7_8.x86_64/updates/drivers/net/ethernet/intel/iavf/iavf.ko"

3. Load the ice and iavf drivers using the following commands:
a. "insmod /lib/modules/3.10.0-1160.71.1.F5.1.el7_8.x86_64/updates/drivers/net/ethernet/intel/ice/ice.ko"

b. "insmod /lib/modules/3.10.0-1160.71.1.F5.1.el7_8.x86_64/updates/drivers/net/ethernet/intel/iavf/iavf.ko"

4. Run the config_ice_vfs.sh script present in the /usr/omd/scripts/ folder using "sh /usr/omd/scripts/config_ice_vfs.sh".

5. Wait until the script is completed and the VFs are created correctly.

6. Move tenants to running state and, after some time, check the running state of the tenant.


1338557 : VM events are not captured inside the log file

Links to More Info: BT1338557

Component: F5OS-A

Symptoms:
The VM logs seen in Kubernetes events are not recorded in the log file. The log file k3s_events is helpful in identifying the life cycle of the VM.

Conditions:
K3s events related to BIG-IP VM are not captured in k3s_events log.

Impact:
No functional impact.

Workaround:
None


1327229-2 : Some nuisance messages are sent to the platform log after every authentication configuration change

Component: F5OS-A

Symptoms:
Messages similar to the following may be added to the platform log after every authentication configuration change:

2023-08-03T09:43:49.150901+00:00 appliance-1 authd[8]: priority="Info" version=1.0 msgid=0x3901000000000149 msg="System's IPv6 management address isn't configured.".
2023-08-03T09:43:49.157934+00:00 appliance-1 authd[8]: priority="Info" version=1.0 msgid=0x3901000000000092 msg="LDAP server:" server="ldap://ldapserver.example.com:389".
2023-08-03T09:43:49.157951+00:00 appliance-1 authd[8]: priority="Info" version=1.0 msgid=0x3901000000000096 msg="LDAP SSL:" ssl="off".

Conditions:
The user makes a change in system aaa authentication.

Impact:
There are nuisance messages in the platform log.

Workaround:
N/A


1326021-2 : Corrupted state of data plane in r5600 can result in egress packet corruption

Links to More Info: BT1326021

Component: F5OS-A

Symptoms:
Networking connectivity issues, such as ARP resolution issues, high availability (HA) failures, health monitor instability, etc. Packet captures with Wireshark or tshark can be used to show bit-errors/corruption in the network packet for traffic passing through the data plane. This corruption can occur in various parts of the packet such as the MAC address, EtherType, packet checksums, etc. Corresponding spike in bad_ifh_crc_drop counter value.

Conditions:
Rare condition that can affect r5600 platform.

Impact:
Network connectivity problems on some traffic passing through the affected data plane. Could be reflected in the status of Config Sync or more health monitors down on one member of HA pair.

Workaround:
Reboot the r5600 to reload the bitfile. If the bitfile reload does not resolve the issue, then it is most likely a hardware issue. Please work with Support on an RMA.


1321429-3 : F5-PLATFORM-STATS-MIB::diskPercentageUsed not available.

Links to More Info: BT1321429

Component: F5OS-A

Symptoms:
The diskPercentageUsed OID is not available.

An snmpwalk/getnext of diskUtilizationStatsTable will not return diskPercentageUsed.

An snmpget of diskPercentageUsed will fail with a No Such Instance error.

Conditions:
snmpget of diskPercentageUsed

Impact:
The disk percentage used statistic is not available via SNMP.

Workaround:
None


1320853 : Config restore fails on system with lower size if the tenant is deployed with max size on original system

Links to More Info: BT1320853

Component: F5OS-A

Symptoms:
If a tenant is deployed with maximum storage size on a system, and an attempt is made to restore the same configuration on another system with less disk space than the original device, the configuration restore fails.

Conditions:
* Tenant deployed with maximum storage size.
* Restoring the configuration across the devices with different disk sizes.

Impact:
Configuration restore fails.

Workaround:
Edit the configuration backup file and adjust the tenant size as per the target system.

Note: There could be other workarounds.


1285997 : LLDP is allowed to configure on interfaces when virtual wire is enabled

Component: F5OS-A

Symptoms:
LLDP is allowed to configure on interfaces although virtual wire is enabled.

Conditions:
1) Enable virtual wire on interface.
2) Attach interfaces to a lag.
3) Enable LLDP on the interfaces.

Impact:
When virtual wire is enabled, BIG-IP will function in transparent mode and is not expected to see interfaces on either side.
With this issue, F5 interfaces will be visible when LLDP is enabled.

Workaround:
Do not configure LLDP on the interfaces when virtual wire is enabled.


1273013-3 : Five percent (5%) deviation can be observed in TPS performance on R10920 and R5920 tenant

Component: F5OS-A

Symptoms:
On R10920 and R5920 tenants, TPS performance degradation of up to 5% may be observed.

Conditions:
When R10920 and R5920 tenants are deployed.

Impact:
TPS performance may be degraded by 5%.

Workaround:
N/A


1253717 : iavf driver crashes intermittently on r2000 or r4000 systems during system reboot

Links to More Info: BT1253717

Component: F5OS-A

Symptoms:
When the r2000/r4000 system goes down during reboot, a crash of iavf driver is seen on the system console intermittently. This crash occurs due to multiple calls to the same function that releases the network devices inside iavf driver code.

Conditions:
Occurs intermittently on r2000/r4000 systems that use iavf drivers to manage datapath network devices/ports when the system is rebooting.

Impact:
No functional impact.

Workaround:
N/A


1250901-4 : On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state

Links to More Info: BT1250901

Component: F5OS-A

Symptoms:
After a reboot of the system in live upgrade, tenants that were running earlier might not change to a running state. This is due to the HSM board driver stuck in SAFE_STATE instead of OPERATIONAL_STATE.

In some cases, the driver changes to an operational state after some amount of time (approximately 10 minutes). But this time might vary upon detection of reset/link failure in the hardware. In some other systems, the driver becomes stuck in SAFE_STATE indefinitely.

Conditions:
Live upgrade/reboot of the rSeries FIPS system with F5OS-A.

You may observe the following logs in dmesg:
[ 964.105021] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION

Impact:
Running tenants go to pending state when this issue occurs in a live upgrade.

Workaround:
Check contents of cavium_n3fips file as shown below.
[appliance]# cat /proc/cavium_n3fips/driver_state
HSM 0:OPERATIONAL_STATE

If the driver changes to an operational state, perform "docker restart fips-support-pod" to help in recovering.

But if the driver state is still "HSM 0:SAFE_STATE", you may need to perform a power cycle reboot (but this will not guarantee recovery).


1224113-2 : IPV6 packets are fragmented on R2x00/R4x00 platforms.

Component: F5OS-A

Symptoms:
IPv6 packets are fragmented on R2x00/R4x00 platforms, which causes a slight performance degradation.

Conditions:
Fragmentation is seen for IPv6 packets.

Impact:
Performance is degraded when passing IPv6 traffic. There is no functional impact from this issue other than the performance impact.

Workaround:
N/A


1222721 : Deletion of STP configuration using "no stp" is failing

Links to More Info: BT1222721

Component: F5OS-A

Symptoms:
"no stp" fails with the error below:
Aborted: 'stp rstp config' : IEEE Std 802.1Q-2018: A Bridge shall enforce the following relationships:

Due to this, the user cannot delete/disable STP with a single command.

Conditions:
In the case of VELOS platforms, "no stp" will fail with an error.

Impact:
User will not be able to delete/disable STP configuration with single command "no stp".

Workaround:
All configurations other than the following can be deleted:
1) no stp rstp config
2) no stp stp config
3) no stp mstp config


1195201-3 : Missing/defective DIMM not reported sufficiently to end user

Links to More Info: BT1195201

Component: F5OS-A

Symptoms:
If a memory DIMM is missing or defective, the system does not report the situation sufficiently to the user through the "show system health" API.

Conditions:
A memory DIMM becomes missing or defective.

Impact:
The platform is operating at less than the shipped memory configuration, which could impact the number of tenants deployed on a system.

Workaround:
Refer to the AOM PEL log for details of the missing and/or defective DIMM.


1112317-1 : Null bytes or non-ascii characters are present in velos.log

Links to More Info: BT1112317

Component: F5OS-A

Symptoms:
Null bytes are created in the log files.

Conditions:
Abrupt restarts may cause this issue.

Impact:
Grep considers the log file as a binary file.

Workaround:
Use the ‘-a’ option with the grep command.


1083921-2 : VLAN name change is not allowed once a tenant is launched

Component: F5OS-A

Symptoms:
When you change the VLAN name on an rSeries (R2x00 or R4x00) appliance, the BIG-IP tenant does not honor the name change.

Conditions:
-- One or more tenants are running on an rSeries (R4x00 or R2x00) platform.
-- A VLAN name is changed for a VLAN that is in use by a running tenant.

Impact:
Changing the VLAN name after a tenant is launched and reassigning that VLAN removes the interface in TMM.

Workaround:
Set the VLAN name to the initial name that the tenant used when it was launched. Or, if you need to change the name of the VLAN, delete the tenant and redeploy.


1083061-2 : Loading saved config to BIG-IP fails if host modifications are made after "tmsh save sys config"

Component: F5OS-A

Symptoms:
The configuration load fails with an error similar to the following:

01070257:3: Requested VLAN member (1.5) is currently a trunk member
Unexpected Error: Loading configuration process failed.

Conditions:
-- rSeries 4x00 or R2x00 platform
-- Configuration is backed up using tmsh
-- A change is made to one or more VLANs, interfaces, trunks, or type of VLANs on the host
-- The BIG-IP system loads the configuration

Impact:
Configuration load fails.

Workaround:
On a failure while loading sys config, open the affected configuration file, fix the object that was changed manually, and retry loading the sys config.

For example, if the load sys config at mcpd complains that "vlan member 1.x" is not found on vlan-xyz, then open the /config/bigip_xxx.conf file, update vlan-xyz with vlan-member 1.x, and retry the config load.


1080437-2 : VerifyDmesg test failure

Component: F5OS-A

Symptoms:
An error message is seen as dmesg output:

Failed to allocate irq -2147483648: -107

Conditions:
The error message is sometimes seen after a restart/reboot of the device is complete.

Impact:
The error message does not impact any functionality, because after the allocation of the irq for SMBUS fails, it switches to polling mode.

Workaround:
NA


1063649-2 : Changing the system date to be older than the installation date is not supported.

Component: F5OS-A

Symptoms:
All system self-signed certificates are generated using the installation system date. Changing the date to an older date than the installation date can cause instability.

Conditions:
Setting the system date to be older than the installation date on an rSeries appliance.

Impact:
The system goes into an unstable state.

Workaround:
N/A




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade

