1671517 : WebUI Dashboard Memory & Storage Statistics are inaccurate and misleading

Component: F5OS-A

Symptoms:
The webUI Dashboard for rSeries and VELOS devices provides inaccurate details about memory and storage utilization for the device.

Conditions:
Any device that is running a F5OS version older than v1.8.0.

Impact:
Graphical representation on the webUI Dashboard for memory and storage utilization for the device is inaccurate.

Workaround:
Upgrading a device to F5OS v1.8 or greater resolves the issues.

Fix:
ID1233865 and ID1211233-4 both address the underlying issues of inaccurate storage and memory utilization reporting for the platforms. They have both been fixed for F5OS v1.8.0 in addition to ID1671517 that corresponds to the associated webUI changes and improvements.

1637529 : RSeries ATSE v72.41.5.00 firmware

Component: F5OS-A

Symptoms:
RSeries ATSE v72.41.5.00 firmware

Conditions:
RSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes ATSE/BE2 interface stability issues. See ID1596625 for more information.

1637525 : RSeries ATSE v72.5.5.00 firmware

Component: F5OS-A

Symptoms:
RSeries ATSE v72.5.5.00 firmware

Conditions:
RSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes ATSE/BE2 interface stability issues. See ID1596625 for more information.

1624629 : F5OS A-1.8.0 upgrade takes up to 10 additional minutes to complete

Component: F5OS-A

Symptoms:
F5OS-A implemented the controlled way of upgrading the firmware, and while the firmware upgrade is in progress, the services bring-up has been kept on hold. This mechanism helps in stabilizing the upgrade process. As a result of this, the upgrade time increases by up to 10 minutes when the firmware versions are changed. The time varies depending on the platform and type of firmware versions that got changed.

Conditions:
New firmware versions packaged in ISO that is being upgraded to.

Impact:
No functional impact. Upgrade takes more time but improves the upgrade experience.

Workaround:
None

1620513 : CVE-2024-38477 httpd: NULL pointer dereference in mod_proxy

Links to More Info: K000140784

1617125 : Production license manual activation failed on F5OS-A 1.7.0

Links to More Info: BT1617125

Component: F5OS-A

Symptoms:
A new EVAL/PROD license manual activation attempt will fail in F5OS-A 1.7.0. This issue only applies to F5OS-A 1.7.0.

Conditions:
The manual license activation with a new EVAL/PROD license key.

Impact:
License activation using manual install process will not work.

Workaround:
None

Fix:
Fixed the dossier locking fields used in EVAL/PROD license keys in F5 License server. There is no software changes associated to this fix.

This issue was fixed in F5 License server in F5OS-A 1.7.0 and is not applicable to F5OS-A 1.8.0.

1615969-1 : Tenant operational data is not getting updated properly after upgrade

Component: F5OS-A

Symptoms:
Tenant pods are up and running but not all details are updated.
Intermittently after upgrade to F5OS-A 1.8.0 version, Tenant operation data in confD not getting updated

Conditions:
Occasionally, the tenant's operational data is not completely updated.

Impact:
Operational data for tenant is not updated properly after system upgrades to F5OS-A 1.8.0 intermittently.

Workaround:
Toggle tenant running-state to configured and deployed, then verify the tenant details again.

Fix:
Handled tenant operational map data updates properly.

1615917-4 : L2_agent crashed due to SNMP★

Component: F5OS-A

Symptoms:
After upgrading system to 1.8.0, L2-agent crashes.

Conditions:
1. Create system with older version (earlier then 1.8.0)
2. Configure SNMP
3. Upgrade system to 1.8.0 version
4. L2-agent will start crashing.

Impact:
L2-agent crashes and you are unable to do get/set operations for interfaces using ConfD interfaces.

Workaround:
None

Fix:
Fixed an issue causing l2-agent to crash after upgrade.

1614821-5 : CVE-2024-3596 - Blast-RADIUS

Links to More Info: K000141008

1614429 : iHealth upload is failing with error "certificate signed by unknown authority"

Links to More Info: K000140362, BT1614429

Component: F5OS-A

Symptoms:
When attempting to use the QKView upload feature, the upload may fail with the message "certificate signed by unknown authority". This is due to a recent change in certificate authority that is inconsistent between F5OS and iHealth.

Conditions:
Always, after mid-July 2024.

Impact:
Unable to upload QKView files to iHealth with a single click.

Workaround:
You can use the File Export feature to download QKView files, and then upload these files to iHealth.

You can find the QKView files in the GUI at System Settings > File Utilities, then choose "diags/shared" as the base directory, then select "qkview".

Fix:
Certificate authorities used by the iHealth upload feature in F5OS will be updated.

1612405-1 : LACP status shows UP in BIG-IP tenant even if its down on F5OS.

Links to More Info: BT1612405

Component: F5OS-A

Symptoms:
LACP Trunk is UP in BIG-IP tenant even when it’s DOWN on F5OS.

Conditions:
Condition 1:
1. Setup a rSeries or VELOS system.
2. Configure LACP LAG with interfaces operationally down.
3. Make sure LACP Trunk is DOWN on F5OS.
4. Upgrade the software.
5. Launch a BIG-IP tenant.
6. Check LACP trunk status inside tenant.

Condition 2:
1. Setup a rSeries or VELOS system.
2. Configure STATIC LAG with interfaces operationally down.
3. Ensure STATIC Trunk is DOWN on F5OS.
4. Launch a BIG-IP tenant.
5. Check the Trunk status inside the tenant. It will be DOWN.
6. Convert LAG type to LACP
7. Check the Trunk status inside the tenant. It will be UP even though it is down on F5OS.

Impact:
LACP Trunk members are shown as working members even though they are DOWN.

Workaround:
Check the interface config. If the admin is disabled, enable it.

Fix:
The status of LACP members is read whenever an LACP member is added as an operational member.

1612217 : A large amount of SPVA DoS allow list entries can overload DMA-Agent causing a tenant to fail to pass traffic

Links to More Info: BT1612217

Component: F5OS-A

Symptoms:
If the DMA-Agent receives a high volume of SPVA allow list entries at once, it may become overwhelmed and stop working. As a result, no traffic will be able to exit the tenant. This can be identified by observing the DMA-Agent using 100% of the cpu.

Conditions:
This is usually seen in configurations where there are many virtual servers configured with a dos profile that contains an IP-based allow list.

The problem does not arise when VIPs are added individually, but it often happens after TMM is restarted following a tenant reboot.

Impact:
Tenant will fail to pass any traffic on the data-plane.

The TMSTAT sep_stats.tx_send_drops3 will be incremented.

Workaround:
Perform the following on the tenant:
tmsh modify sys db dos.forceswdos value true
tmsh save sys conf

To recover the DMA-Agent in F5OS, set the tenant state to “configured” and then set it back to “deployed.

Fix:
The DMA-Agent now handles a high volume of SPVA allow list entries.

1603661-1 : SysDescr value returns empty string under SNMPwalk, after performing backup/restore configuration

Component: F5OS-A

Symptoms:
System config backup/restore resets the system database to default. Due to this, the sysDescr in SNMP will also reset to default.

Conditions:
This occurs after performing F5OS system config backup and restore.

Impact:
The sysDescr in SNMPwalk displays the default value.

Workaround:
Restart the snmpd docker service.

Fix:
The SNMP sysDescr is updated to the correct value after F5OS system config backup and restore operation.

1596625-2 : BE2 GCI interface training failures during runtime results in failure to process networking traffic

Links to More Info: BT1596625

Component: F5OS-A

Symptoms:
On particular rSeries appliances, one or more symptoms could occur during normal operation:
-- High availability stops working
-- Inbound traffic stops
-- Platform.log contains 'DM Tx Action ring hung'

This is similar to the symptoms in https://cdn.f5.com/product/bugtracker/ID1580489.html, except that this can be triggered during system operation.

Conditions:
-- rSeries r5000, r10000, or r12000-series appliance

This issue does not affect r2000 or r4000-series appliances.

Impact:
The system stops delivering traffic from front-panel ports to the host, although egress traffic may continue to work. If a LACP LAG is configured, ports will be unable to join the LAG.

Workaround:
There is no workaround for this issue.

If an appliance has already locked up, rebooting it might restore network connectivity.

If your system is running F5OS-A version 1.5.x, F5OS-A-1.5.2-29198.R5R10.EHF-4.iso is an Engineering Hot Fix (EHF) that contains a software fix, and is available at

https://my.f5.com/manage/s/downloads?productFamily=F5OS&productLine=F5OS_Appliance_Software&version=1.5.2&container=1.5.2-EHF

Fix:
New FPGA bitstreams stabilize the interface between the ATSE and BE2 chip.

1596149 : Monitor rSeries ATSE to BE2 links and Raise Alarms in the Event of Failures

Component: F5OS-A

Symptoms:
Monitor rSeries ATSE to BE2 links and Raise Alarms in the Event of Failures

Conditions:
F5 rSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
In cases where errors are detected between the ATSE and BE2 links, alarms and events will be reported.

Workaround:
Not applicable.

Fix:
Monitor ATSE to BE2 links and raise alarms and report events when errors are detected.

1593385-3 : F5OS Tenant Throughput (bits/packets) and TMM CPU usage higher than expected until VLAN is added or removed

Links to More Info: BT1593385

Component: F5OS-A

Symptoms:
Higher CPU usage and throughput from the tenant than expected. Traffic being directed to a single blade in a multi-blade system.

Conditions:
Repeated deletes/adds of a VLAN from/to a tenant. After approximately 130 deletes, the issue occurs.

Impact:
Traffic imbalance, higher than normal CPU usage.

Workaround:
Re-add the recently deleted VLAN to the tenant.

Fix:
Properly clean up internal storage when a VLAN is deleted from a tenant.

1591645-1 : EPVA related dma-agent crash

Links to More Info: BT1591645

Component: F5OS-A

Symptoms:
A dma-agent seg_fault occurs when there is a conflict between special EPVA allow-list entries.

Conditions:
A conflict between two entries on the allow-list triggers a code path in the dma-agent and resulting in a seg_fault.

Impact:
Traffic loss as the dma-agent needs to be restarted by its watchdog/start up script. Tenants need to re-register with the datapath.

Workaround:
None

Fix:
This issue has been fixed by setting a THREAD local variable in the epva_tbl_mgmt thread, preventing a seg_fault when the edge case method is triggered.

1591553-1 : Including /etc/resolv.conf and /etc/hosts files in QKView capture

Links to More Info: BT1591553

Component: F5OS-A

Symptoms:
The /etc/resolv.conf and /etc/hosts files are included to check the configured parameters in host QKView from the affected device.

Conditions:
F5OS-A 1.7.0 and lower versions QKView capture does not include the /etc/resolv.conf and /etc/hosts files.

Impact:
The /etc/resolv.conf and /etc/hosts files are not captured in F5OS-A 1.7.0 and lower versions.

Workaround:
None

Fix:
The /etc/resolv.conf and /etc/hosts files are included in QKView capture as part of F5OS-A 1.8.0 release.

1590173 : K3s server crashes and restarts due to high CPU activity

Component: F5OS-A

Symptoms:
K3s crashes and restarts due to high CPU load on r2000 platform.

Conditions:
On the r2000 platform, both F5OS and Tenants utilize the same CPUs. However, if the Tenants use a higher percentage of the CPU share, it impacts the K3s server.

Impact:
Tenants will restart when the K3s server restarts.

Workaround:
None

Fix:
It is not advisable to use the r2000 platform with a CPU usage of 90% or higher.

1588961 : Observing "Failed to find the service account - robottpobdefault" or "Creating SA robottpobdefaultfailed" log messages in platform.log

Component: F5OS-A

Symptoms:
Intermittently you may see log messages saying "Failed to find the service account - robottpobdefault" or "Creating SA robottpobdefaultfailed" in platform.log, this is due to either K3S is down/unreachable or API-Server slow/busy or SSH to host is failed.

Conditions:
When K3S is down/unreachable or API-Server slow/busy or SSH to host is failed, you may see log messages like "Failed to find the service account - robottpobdefault" or "Creating SA robottpobdefaultfailed" in platform.log

Impact:
There won't be any functional impact as the service-account is already present but you are unable to check the status of the service account.

Workaround:
None

Fix:
Removed an excessive log message that occurs while k3s is restarting.

1588093 : Forwarding host log files to remote targets

Links to More Info: BT1588093

Component: F5OS-A

Symptoms:
/var/log/messages growing quickly, consuming the disk space, making the box unusable.

Conditions:
Having /var/log/messages as a host-logs files entry to forward the file lines to a remote destination.

Impact:
When syslog generated files are configured to be forwarded as files, forwarding efficiency can be affected compared to utilizing selectors.

The /var/log/messages being in this list can lead to a cyclical logging issue, where the disk space is consumed faster than the logs can be rotated out, potentially resulting in a full disk.

Workaround:
Use selectors instead for any file that is syslog generated.

The host-logs files configuration is meant for text files that cannot be forwarded through selectors configuration.

Fix:
To prevent filling the disk, files that are forwarded out line by line would not be processed locally. This will prevent having entries in /var/log/messages.

1587925 : Modifying a RADIUS server from the web UI requires the Secret to be configured or re-entered

Component: F5OS-A

Symptoms:
Modifying a RADIUS server from the webUI always requires the Secret to be configured or re-entered.

Conditions:
Modifying a RADIUS server from the webUI.

Impact:
It requires the Secret to be entered, even if it is already configured.

Workaround:
If secret configuration is not required, edit the RADIUS server from the CLI.

Fix:
Create a Radius server and edit it. Editing the port or timeout fields no longer requires the Secret to enable saving.

1585853-2 : Telemetry streaming pauses if mgmt-ip gets updated

Links to More Info: BT1585853

Component: F5OS-A

Symptoms:
Telemetry streaming to an external OTEL server is paused for some time if mgmt-ip of the F5OS device is updated.

Conditions:
There should be a telemetry exporter configured to receive data and the mgmt-ip of the F5OS device will be updated at a later time..

Impact:
The external server won’t receive the telemetry data for some time after updating mgmt-ip.

Workaround:
Disable and enable the exporters from ConfD using below commands to re-establish the connection after updating mgmt-ip.

system telemetry exporters exporter <exporter-name> config disabled

system telemetry exporters exporter <exporter-name> config enabled

Fix:
Updated the otel-collector service in F5OS to re-establish the connection with the external server in the event of a lost connection caused by mgmt-ip updates.

1585765 : Error message IDs for appliance-orchestration-manager are incorrect

Links to More Info: BT1585765

Component: F5OS-A

Symptoms:
The error message IDs found on a running system differ from the error message IDs found in the F5OS error catalog.

Conditions:
No specific conditions in the configuration of the system caused this issue.

Impact:
Makes it difficult to find the right information in the F5OS error catalog.

Workaround:
None

Fix:
This issue has been fixed and the error IDs now have the correct values in both the running system and the F5OS error catalog.

1585749 : Including lspci commands in QKView capture

Links to More Info: BT1585749

Component: F5OS-A

Symptoms:
The lspci command helps in analyzing the system's faults by evaluating PCI busses. This command is not captured in the QKView file.

Conditions:
Running QKView.

Impact:
The lspci command output is not included in the QKView.

Workaround:
None

Fix:
The lspci command is added in QKView capture.

1585001-1 : Radius authentication does not work when the shared secret key in the radius configuration is more than or equal to 32 characters

Links to More Info: BT1585001

Component: F5OS-A

Symptoms:
The remote radius users authentication fails when the radius shared secret has more than 31 characters.

Conditions:
The radius shared secret having more than 31 characters

Impact:
The remote radius users will not access to the system.

Workaround:
Log in as an admin into the system and change the radius 'secret' field to have characters less than or equal to 31.

system aaa server-groups server-group <server-group-name>servers server <server-address> radius config secret-key <number-of-characters-should-be<=31>

Then commit the changes.

Fix:
When the radius secret key is longer than 31, the radius users will not have access to the system.

1583233 : The 'show portgroups' command may not display DDM statistics, or may display stale/out-of-date DDM statistics

Links to More Info: BT1583233

Component: F5OS-A

Symptoms:
An F5OS system (rSeries appliance or VELOS partition) may display stale/out-of-date DDM statistics or no DDM statistics if there are interface in the system that do not have SFP modules inserted.

Conditions:
- r5000, r10000, or r12000-series appliance
- VELOS partition
- Previous interfaces in the system that do not have an SFP module inserted.

Impact:
System does not report correct DDM statistics in 'show portgroups' command output.

Workaround:
Run the ‘show portgroups’ command for each interface that has an SFP module inserted, that is, ‘show portgroups portgroup 5’.

Fix:
Fixed the display issue in ‘show portgroups portgroup state ddm data’.

1582817-1 : Unable to add rSeries device IP to 'known-hosts' file

Component: F5OS-A

Symptoms:
Trying to add a rSeries device's IP to a 'known-hosts' file using the CLI command 'file known-hosts known-host' fails.

Conditions:
If the remote host is running F5OS-A-1.8.0, then adding that device's IP to 'known-hosts' file using the CLI command 'file known-hosts known-host' fails.

Impact:
File export/import to remote rSeries device from a local rSeries device using secure mode will fail.

Workaround:
File export/import to remote rSeries device from a local rSeries device can be done using other supported protocol such as https.

1582553 : The 'components component state' data is not displayed in ConfD.

Links to More Info: BT1582553

Component: F5OS-A

Symptoms:
- No data will be displayed as part of “show components component” in ConfD.
- In the absence of component platform information, GUI features default to r5xxx platform, leading to some functional issues for other platforms.

Conditions:
Intermittently occurs when initializing the state data.

Impact:
You cannot view the hardware information, which is updated under “show components component”.

GUI functional issues for other platform:
For r10xxx - Raid Configuration will not be visible.
For r4xxx/r2xxx - Port Groups may not function as expected. STP screens and Port Mappings will show up, which are not applicable to the platform and will be non-functional.

Workaround:
Log into the appliance as root and restart the platform-mgr docker container:

docker restart platform-mgr

Fix:
The functionalities disrupted on the GUI can be accessed via the CLI.

1580489 : BE2 GCI interface training issue results in failure to process networking traffic

Links to More Info: BT1580489

Component: F5OS-A

Symptoms:
Some particular rSeries systems fail to process networking traffic due to the BE2 GCI interfaces not training properly, resulting in an FPGA datapath lockup.

One potential indication of this is the DMA agent detecting a DM Tx Action ring hang, which can be observed in velos.log / platform.log:

dma-agent[13]: priority="Alert" version=1.0 msgid=0x4201000000000130 msg="Health monitor detected DM Tx Action ring hung." ATSE=0 DM=0 OQS=3

Conditions:
RSeries r5000, r10000, or r12000-series appliance

This issue does not affect r2000 or r4000 series appliances.

Impact:
The system stops delivering traffic from front-panel ports to the host, although egress traffic may continue to work. If an LACP LAG is configured, ports will be unable to join the LAG.

Workaround:
None, and F5 continues tracking the BE2 issue via ID1596625.

Fix:
During system startup, FPGA manager now ensures that the BE2 GCI interfaces are brought up and trained properly.

1580165 : Removing a failed patch ISO can remove base services imported from a different ISO★

Component: F5OS-A

Symptoms:
Removing a failed patch ISO also removes the base services ISO imported by another ISO. Further upgrade will fail even though importing the patch version is successful. You may observe the below log.

appliance-1(config)# system image check-version iso-version 1.5.2-21056
response Compatibility verification succeeded.

Conditions:
-- Base services are already imported by another ISO.
-- Same version patch ISO import failed.
-- Delete the failed patch ISO.

Impact:
Upgrade to a new successful import of patch ISO of the same version will fail.

Workaround:
Rebooting the device will resolve the issue.

Fix:
While removing the failed patch ISO, added a check that if the base services are imported by another ISO, do not delete the base services ISO.

1579289 : Empty log message when interface changes state

Links to More Info: BT1579289

Component: F5OS-A

Symptoms:
An empty log message is logged:
appliance-1 nic-manager[1]: priority="Info" version=1.0 <msgid=> msg="Updating interface link state" <ifname=> <state=>. >>>>

The empty log message is reported after an interface oper-status changes from either UP/DOWN or DOWN/UP state

Conditions:
An interface is enabled or disabled in F5OS

Impact:
The log message does not report which interface's state changed.

Workaround:
None

Fix:
With the appropriate fix, the empty log is no longer reported

1577049 : CVE-2024-1086 - Linux kernel vulnerability

Links to More Info: K000139430

1576141 : K3S installation fails if /var/log/appliance.log is not present★

Links to More Info: BT1576141

Component: F5OS-A

Symptoms:
K3S cluster installation fails.

Conditions:
/var/log/appliance.log is deleted and recreated as directory.

Impact:
K3s cluster installation fails.

Workaround:
Delete /var/log/appliance.log and create it as a file.

Fix:
Added code to verify if the /var/log/applaince.log presents, during K3s installation.

1575925-1 : Running 'show system aaa primary-key state status' while a key migration is in progress can cause key migration errors

Component: F5OS-A

Symptoms:
If a key migration is in progress (initiated via the ConfD action 'system aaa primary-key set'), and while it is in progress the status of the key migration is checked ('show system aaa primary-key state status'), this can intermittently cause the key migration to fail. Under these conditions, future attempts to 'show' this area of state will also return 'application communication failure'.

Conditions:
1. A ConfD primary key migration is initiated on a VELOS Controller or Appliance system.
2. While the key migration is in progress, the status of the migration is checked.

Impact:
Key migration fails, leaving encrypted ConfD elements in a corrupted state. Furthermore, all operational data callbacks for the 'system aaa primary-key' schema tree will fail indefinitely with 'application communication error'.

Workaround:
To workaround this issue, reboot the affected controller(s) or appliance. After the reboot, the user may re-attempt the key migration.

Fix:
Fixed issue where checking status of key migration could cause the migration to fail.

1575417 : Platform-diag-agent memory leak

Component: F5OS-A

Symptoms:
Memory usage for the "platform-diag-agent" process may steadily increase over time.

Conditions:
This can happen when frequently requesting “system health components” from ConfD.

Impact:
The system may eventually run out of memory and affect all services on the system.

Workaround:
None

Fix:
Memory leak fixed. Consider reducing the request frequency. The system can also be rebooted to temporarily restore memory usage to normal levels.

1573493 : Qkview does not collect the files gid-map.txt, /etc/libnss-udr/passwd, or /etc/libnss-udr/group

Component: F5OS-A

Symptoms:
When a QKView is collected, the files gid-map.txt, /etc/libnss-udr/passwd, and /etc/libnss-udr/group are not present in the QKView.

Conditions:
A qkview is collected.

Impact:
It may not be possible to troubleshoot certain issues related to authentication.

Workaround:
None

Fix:
The files gid-map.txt, /etc/libnss-udr/passwd, and /etc/libnss-udr/group have been added to QKView collection. Whenever a QKView is collected, these files are present.

1572929 : Changing remote authentication methods from RADIUS/TACACS to LDAP may break remote-gid functionality.

Links to More Info: BT1572929

Component: F5OS-A

Symptoms:
If RADIUS or TACACS are utilized for authentication, the user’s ‘passwd’ details will be saved in /etc/libnss-udr/passwd. However, if the user switches to LDAP authentication and disables the previous method, their entry may not be removed from /etc/libnss-udr/passwd.

If a user is using GID remapping (by configuring remote-gid), the authentication will fail, at least when logging into the CLI.

Conditions:
- Enable RADIUS authentication and log into the system as a remote RADIUS-defined user.
- Change the authentication method to LDAP and disable RADIUS authentication.
- Configure remote-gid functionality for an LDAP-defined user. This LDAP-defined user should have the same name as the RADIUS-defined user.
- Log into the system as that remote LDAP-defined user.

Impact:
The authentication will fail for the LDAP-defined user. An error message will appear such as: “No valid role group found in user groups: 9002 123 5340”.

Workaround:
Log into the system as a ‘root’ user and clear the information in /etc/libnss-udr/passwd.

Fix:
The remote-gid functionality will no longer be affected by changing authentication methods from RADIUS/TACACS to LDAP. LDAP users with valid credentials will be allowed in.

1572597 : System loses its mgmt-ip address after switching between static and dynamic allocation (DHCP) of IP and rebooting

Component: F5OS-A

Symptoms:
Device not reachable on static IP when DHCP is disabled.

Conditions:
1. Configure static IP and enable DHCP.
2. Disable DHCP and reboot the device.
3. Device is not reachable on static IP.

Impact:
Device connectivity.

Workaround:
Static IP needs to be configured through console.

Fix:
Fixed code to persist static IP.

1572493 : LAG Trunk Configuration is Missing Inside of Tenant

Links to More Info: BT1572493

Component: F5OS-A

Symptoms:
When creating a LACP LAG or Static LAG, the lag and its members will show as up on the F5OS and switch side (Arista and Cisco). However, on the tenant, tmsh will show that neither the trunk nor trunk members are present:
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net trunk
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)#

Conditions:
BIG-IP tenant on F5OS system

Impact:
The trunk information will not be visible in the tenant.

- On high-end rSeries appliances (r5000, r10000, and r12000-series systems) and VELOS tenants, traffic will still work.

- On low-end rSeries appliances (r2000 and r4000-series systems), traffic will not flow.

Workaround:
NA

1572489 : Allowed valid usernames on F5OS.

Component: F5OS-A

Symptoms:
User accounts can be created using usernames that are entirely numeric. However, usernames that start with a dash ‘-’, contain “.”, “..”, or any other invalid or illegal characters will not function properly or are non-functional.

Conditions:
While creating a new user on the system with an invalid or illegal usernames.

Impact:
Non-functional user entries will be created and user functionalities like set-password, change-password, and so on won’t be working as expected.

Workaround:
None

Fix:
Fix is provided to prevent using invalid usernames during the creation of user accounts. This ensures that usernames that are considered illegal or unacceptable by the system cannot be used.

1572137-2 : Upload/Download API should work with '/api' and '/restconf'

Links to More Info: BT1572137

Component: F5OS-A

Symptoms:
Upload/Download is not working with '/api' endpoint.

Conditions:
Use '/api' endpoint to upload/download a file.

Impact:
Fails to Upload/Download a file.

Workaround:
None

Fix:
Fixed an issue occurring with the Upload/Download API.

1572041 : AOM SSH password requirements are not working

Component: F5OS-A

Symptoms:
AOM SSH user password requirements are not consistent.

Conditions:
Setting up AOM SSH user and password.

Impact:
Password requirements may not be clear or consistent.

Workaround:
None

Fix:
AOM SSH password requirements have been updated to match documentation. Now, when trying to enter a password, requirements are clearly shown. Ex: Value for 'password' (<string, min: 8 chars, max: 16 chars>):

1566925 : Remove unhelpful troubleshooting files from QKView

Links to More Info: BT1566925

Component: F5OS-A

Symptoms:
Creating a QKView on an F5OS host appears to make a non-sparse copy of /var/log/lastlog
This file is a sparse file and depending on factors, can have a really large file size, though actual consumed disk blocks remain quite low.

Conditions:
Creating a QKView file on F5OS.

Impact:
Exhausted disk space and caused K3s to reap pods to free up ephemeral storage - including killing running tenant (BAD).

Workaround:
Remove the files.

Fix:
None

1566569-1 : Unable to access rSeries system from 172.17.0.0/16 IP subnet

Links to More Info: BT1566569

Component: F5OS-A

Symptoms:
Unable to access the rSeries system from client or server systems in the 172.17.0.0/16 IP subnet

Conditions:
-- r5000-series, r10000-series, or r12000-series appliance

Impact:
Unable to access the rSeries system from client or server systems in the 172.17.0.0/16 IP subnet

Workaround:
To work around this issue, do the following:

1. Log into the system as root
2. If running F5OS-A 1.7.0, edit /var/docker/config/platform.yml. If running F5OS-A 1.5.2, edit /var/docker/config/platform.patch.yml.
3. In the specified file, locate the section for "selinux_labeler", and add a line under it that reads 'network_mode: "none"'. The indentation of this line must match exactly the indentation of the "container_name" and "image" lines.

For example:
  selinux_labeler:
    container_name: selinux_labeler
    network_mode: "none"
    image: ${...
    ...

4. Reboot the system.
5. Once the system is rebooted, log into the system as root, and run "docker network rm config_default"

1560533-1 : Inconsistent case values (upper and lower case) for different F5OS-C SNMP OIDs

Links to More Info: BT1560533

Component: F5OS-A

Symptoms:
AlertSource in SNMP alert contains text as Controller starting with uppercase C instead of lower case in core alert events.
Similarly, for core alert events generated in blade, comes with Blade instead of blade.

Conditions:
Process crash generating core file and SNMP alerts are enabled.

Impact:
Tools processing SNMP alerts might get affected if tooling is case-sensitive.

Workaround:
None

Fix:
Fixed alertSource text for SNMP core alert events to send lower case.
Tools modified to read alertSource of SNMP core alert events require to update as per the correction.

1558797 : BMC self health test falsely logged as failed

Links to More Info: BT1558797

Component: F5OS-A

Symptoms:
The BMC self health test is randomly logged as having failed:

appliance-1 alert-service[8]: priority="Notice" version=1.0 msgid=0x2201000000000029 msg="Received event." event="65543 appliance aom-fault EVENT NA "Bmc Health Self test failed: Device-specific 'internal' failure." "2024-03-01 14:00:00.918553424 UTC"".

Conditions:
Checking the platform log

Impact:
BMC self health test is falsely logged as failed.

Workaround:
None

Fix:
This issue has been fixed and the BMC self health test no longer falsely logs a failure.

1552945 : Tenant images renamed with bracket are not supported★

Links to More Info: BT1552945

Component: F5OS-A

Symptoms:
Live upgrades with prior releases with tenants that use images with brackets in their name will fail when going to a version that restricts the tenant image name character set.

Conditions:
Tenants using image filename with brackets won't allow upgrades to releases that validate the image filename character set.

Impact:
The tenant will have to be recreated or upgrade to a version that does not have the validation.

Workaround:
Tenant has to be recreated with the original image that didn't contain brackets.

Fix:
Brackets were included in accepted character set for tenant image filename.

1550413-1 : System events visible in the CLI may not be visible in the GUI

Links to More Info: BT1550413

Component: F5OS-A

Symptoms:
Running "show system events" on the F5OS CLI typically reveals many events that are not visible in the GUI under System Settings > Alarms & Events.

The GUI filters the display of events according to their assigned severity. But since many events are not assigned a severity, such events will be hidden from view.

Conditions:
Events that are not assigned a severity are instead marked "NA". Such events are not visible in the GUI and can only be seen via the CLI or API.

Impact:
The omission of events displayed in the GUI can be misleading. Administrators using the GUI may not be aware of important events that have occurred on the platform.

Workaround:
All system events can be seen by running 'show system events' on the F5OS CLI or by retrieving them via the REST API.

Fix:
On fixed versions, a new option called 'All' has been added to the Severity drop-down selector in the GUI. This displays all events, including ones without a severity assigned.

1549753 : System telemetry exporter send queue and retry settings are causing memory issues

Component: F5OS-A

Symptoms:
Memory issues are seen in system when telemetry exporter is not reachable for a long time.

Conditions:
When exporter is not reachable for a long time.

Impact:
System can go out of memory.

Workaround:
User can disable the send queue and retry setting using ConfD. For example:

appliance-1(config)# system telemetry exporters exporter <<exporter name>> config options send-queue-enabled false

appliance-1(config)# system telemetry exporters exporter <<exporter name>> config options state options retry-enabled false

Fix:
Send queue and retry settings are removed for telemetry exporters.

1536413 : Allowed-ips allowed-ip <name> is not accepting the '-' in the names

Component: F5OS-A

Symptoms:
Allowed IP profile got deleted while upgrading to 1.7.0 from lower versions. allowed-ip profile names with '-' got erased out. which got fixed in 1.8.0

Conditions:
While upgrading to 1.8.0 from lower versions other than 1.7.0, all allowed IP profile names should have atleast one alphanumeric and it should have not have any other special character other than ('-', '_' and '.')

Impact:
Allowed IP profile gets deleted if it is not matching the pattern.

Workaround:
Re-apply the allowed-IP profile configuration without eiphen '-' in the name

Fix:
Fixed the schema such that allowed IP profile name accepts the '-' in profile name.

1519869 : BIG-IP tenant reports blank interface

Links to More Info: BT1519869

Component: F5OS-A

Symptoms:
BIG-IP tenant reports a blank ("") interface member in the trunk when removing one or more interfaces from an aggregation.

Conditions:
BIG-IP tenant reports a blank ("") interface member in the trunk when removing one or more interfaces from an aggregation.

Impact:
BIG-IP tenant has an empty member in the trunk.

Workaround:
No workaround.

Fix:
BIG-IP tenant does not reports a blank ("") interface member in the trunk when removing one or more interfaces from an aggregation.

1505589-1 : Subject-Alternative-Name (SAN) feature now supports client-side SSL Validation

Links to More Info: K000139300

Component: F5OS-A

Symptoms:
Since no SAN was allowed to be inserted into the http-server’s self-signed certificate, client-side SSL validation was not supported.

This impacts Central Manager's VELOS/rSeries provider. The missing SAN field causes the certificate to be rejected.

Conditions:
Using the default self-signed certificate.

Impact:
Client-side SSL validation is not supported.

Workaround:
To add an SAN, you need to edit the /etc/pki/tls/openssl.cnf file and add it. However, this may not be effective for certain software that does not accurately read the configuration file.

Fix:
A new SAN field has been implemented, which is mandatory, and allows users to enter a value in the field. However, if the value “none” is used, the field can be omitted. Additionally, to allow entry of the SAN, a default tls certificate is created in /etc/auth-config/default/f5os.cert that has the SAN populated with the hostname and management-ip values. In the absence of a user-provided self-signed certificate, the http-server will automatically use the default certificate.

1505293-1 : Partition image removal message is truncated

Links to More Info: BT1505293

Component: F5OS-A

Symptoms:
If a partition is enabled and then disabled while running version A, and then upgraded to version "B", attempting to deport partition image "A" fails, the CLI throws truncated error messages.

Conditions:
The partition is upgraded with the state is disabled.

Impact:
Incomplete error messages for the failure reason. The error that is reported is:

"Error: Failed to remove software: 1.5.1-14085, error message: Standby removal failed for following reason: OS version".

Workaround:
None

1498009-1 : Learned L2 entries in data-plane L2 forwarding table may disrupt some traffic flows between tenants

Component: F5OS-A

Symptoms:
While a tenant transitions from active to standby, an egress packet in flight may trigger a L2 learn event in the FPGA data-plane. This can occur for tenants that transmit using a different MAC address while active, such as when MAC masquerading is enabled. If so, a dynamic L2 entry is created from the source MAC address of the egress packet. These dynamic entries also enable the service DAG without setting a service ID, which causes matching packets to be dropped in the VOQ system due to an invalid service DAG lookup result.

This can disrupt egress traffic for another tenant on the same device, attempting to transmit to the destination MAC address that was recently relinquished by the standby tenant. These drops increment the 'ic_voq_drops' counter in the tmctl vqf_global table.

These L2 entries will not be corrected by subsequent L2 learn events for the same MAC address from a different location. Thus, traffic disruption may persist until entries age out.

Conditions:
- MAC masquerade configured on the traffic-group of an HA pair of tenants.

- A failover from tenant A to tenant B.

- Another tenant running alongside tenant 'A' attempts to transmit to the MAC masquerade address that is now owned by tenant 'B'.

Impact:
Traffic disruption from one tenant to another in specific directions.

Workaround:
None

Fix:
L2 entries that are created from host generated L2 learn events, no longer enable the service DAG for matching packets.

1497657 : First SSH login after editing remote RADIUS or TACACS+ user privileges will still apply old privileges

Component: F5OS-A

Symptoms:
The first SSH login after editing role-based privileges for a remote RADIUS or TACACS+ user will still give the user their prior privileges (or, if the user is newly created, login will be rejected with a message saying "This account is currently not available"). Subsequent logins will apply the updated user privileges.

Conditions:
1. RADIUS or TACACS+ Authentication is enabled.
2. A new user is created in one of the above auth systems, or an existing user’s role-based access is modified.
3. The affected user SSHs into F5OS for the first time after the change in step #2.

Impact:
First login to system after creation fails, or first login after modification of user privileges gives the user incorrect privileges.

Workaround:
None

Fix:
Fix issue where first SSH login after editing remote RADIUS or TACACS+ user privileges will still apply old privileges.

1496977 : Remote GID mappings to F5OS roles are disconnected for TACACS+/RADIUS authentication methods.

Links to More Info: BT1496977

Component: F5OS-A

Symptoms:
Remote GID mappings (on a TACACS+ or RADIUS server) to F5OS GIDs/roles are not working correctly. When attempting to configure a remote mapping, it results in the access rejection with a message similar to below:

[root@system ~]# ssh radius_or_tacacs_user@<F5OS system mgmt IP>
Password:
Last login: <date> from <source IP>
No valid role group found in user groups: '9000'
Connection to <mgmt IP> closed.

Conditions:
A remote GID mapping is configured for a role in F5OS and the authentication method used for remote users is RADIUS or TACACS+.

Impact:
Remote users cannot log in to the system.

Workaround:
Configure remote user's GIDs in a way that they correspond to the GIDs in F5OS for the desired role(s). Then, remove any remote GID mappings in the F5OS configuration.

Fix:
Fixed remote GID mapping to F5OS roles for TACACS+/RADIUS authentication methods.

1496837-1 : User-manager's ConfD socket getting closed.

Links to More Info: BT1496837

Component: F5OS-A

Symptoms:
After repeating the change of network type and device reboot, the device goes into a state where the user-manager is not interacting with ConfD.

Conditions:
- Change remote GID role and check '/etc/gid-map.txt' file if the value is reflected.
- Switch network type and reboot the device.

Repeat the above process until '/etc/gid-map.txt' file is not been updated correctly.

Impact:
Any ConfD configuration change that goes through user-manager fails. This includes any of the user’s password changes, or remote GID changes.

Workaround:
Rebooting the system will get the correct GID value from the ConfD and update the '/etc/gid-map.txt' file.

Fix:
The user-manager has no reason to use NSS to lookup any PW/group info, as it deals exclusively with the local user database.

Additionally, there is a ZMQ service that belongs in authentication-mgr (which understands remote authentication) that is in the user-manager container. It forces user-manager to use an ‘/etc/resolv.conf’ that can reference remote sources.

If the user-manager trips over a lookup that goes to LDAP (usually a local-db miss), it can be very slow and time out. The ConfD->user-manager channel is sensitive of slow responses, and shuts down subscriber/callpoint handler/daemon that takes over 15 to 30 seconds to respond. When this happens, the user-manager is going to see an EOF on its ConfD sockets.

This fix forces the user-manager to only lookup on local databases.

1496397-1 : Allowing entry of a Subject-Alternative-Name (SAN) for certificate and CSR creation

Component: F5OS-A

Symptoms:
There is no method available for inputting the SAN field during the creation of certificates or CSR.

Conditions:
While creating a CSR through system aaa tls create-csr in ConfD.

Impact:
The option to include the SAN field in certificates and/or certificate request is not available.

Workaround:
To add an SAN, you need to edit the /etc/pki/tls/openssl.cnf file and add it. However, this may not be effective for certain software that does not accurately read the configuration file.

Fix:
A new SAN field has been implemented, which is mandatory, and allows users to enter a value in the field. However, if the value “none” is used, the field can be omitted. Additionally, to allow entry of the SAN, a default tls certificate is created in /etc/auth-config/default/f5os.cert that has the SAN populated with the hostname and management-ip values. In the absence of a user-provided self-signed certificate, the http-server will automatically use the default certificate.

As this is a new feature, back-porting to older versions has not been implemented and would be difficult and complex.

1496393 : A key can be created rather using a stored key for CSR creation

Component: F5OS-A

Symptoms:
When creating a Certificate Request (CSR), a key must be provided. Since a key was provided by the 'store-tls' option for the TLS key, it was assumed that the CSR was intended to be used with that specific key.

Conditions:
Generating a CSR request via system aaa tls create-csr in confd

Impact:
The certificate request (CSR) functionality is not as flexible as it could be (similar to the self-signed certificate, which allows a key to be created). It is complex to create certificate requests where a new key is required.
Additionally, the absence of a stored key meant that no CSR could be produced.

Workaround:
Create a new key, store it in TLS, and run the create-certificate-request.

Fix:
The create-certificate request now allows a key to be created, or, if none exists, it creates one. If no key is requested and one exists, the process will continue as usual, generating a CSR using the pre-existing key. However, if a key is requested (or does not exist), a new one will be created and both the key and CSR will be shown. It is important to note that a CSR without knowing the key is of no use.

1494945 : ConfD Application Error when tenant interface stats are not available

Component: F5OS-A

Symptoms:
When attempting to get tenant interface stats, the system displays "Error: application error".

Conditions:
The creation or modification of tenants may result in inaccurate handling of historical data by the tenant interface-stats logic. This could lead to the display of an “Error: application error” message when queried.

For example:
appliance-1# tenants tenant cbip-tenant-b state interface-stats down-sample-to 10 average 10s-avg
Error: application error

Impact:
Confd reports the error on the command line and logs the error in platform logs.

2024-01-24T20:12:37.123437567Z: [Error]: confd: msg="Action Point reply error" error="confd error: 'Unknown error', last='Invalid confd_vtype value: 0', errno=5"

Workaround:
None

Fix:
The problem has been resolved in more recent versions of F5OS-A. To resolve it, upgrade to a more recent version of F5OS-A. It will resolve once all interfaces are enabled.

1494809 : Allowing user to configure HostKeyAlgorithms parameters

Component: F5OS-A

Symptoms:
A new config CLI (system security services service sshd config host-key-algorithm) is implemented to allow HostKeyAlgorithms configuration.

Conditions:
In non FIPS mode, to enable or disable ssh-rsa HostKeyAlgorithm, this newly implemented CLI can be used.

Impact:
HostKeyAlgorithm usage was not configurable.

Workaround:
None

Fix:
This is a new CLI that can be used to enable or disable ssh-rsa HostKeyAlgorithm

1492621-2 : Config-restore fails when backup file has expiry-status field for admin or root user

Links to More Info: BT1492621

Component: F5OS-A

Symptoms:
For a root or admin user, if the value for Expiry-status in the backup file is not set to enabled, then config-restore fails.

Conditions:
During backup, if the "Expiry-status" value for admin or root user is not set to enabled, then restore fails with the backup.

Impact:
Database config-restore fails.

Workaround:
For admin and root user, comment expiry-status, expiry-date in the backup file and try to restore.

Fix:
Added NACM rules in ConfD for successful config-restore.

1492401 : User with operator role is not having read-access to all pages

Component: F5OS-A

Symptoms:
- User experiences unauthorized error when trying to access "Tenant Images", "Software Management", "File
Utilities", "Configuration Backup", and "System Report"

- User sees no items when trying to access "File Utilities", "Configuration Backup", and "System Report" pages

Conditions:
User has operator role.

Impact:
User is not able to view certain pages.

1490753 : A linkUp and linkDown traps are sent when an up interface is disabled, and vice versa

Links to More Info: BT1490753

Component: F5OS-A

Symptoms:
When F5OS system is configured with SNMP Targets for managing the Trap notifications, linkUp and linkDown traps will be sent when interface state is toggled.

Conditions:
Always two traps (linkUp and linkDown) will be sent even when the interface state is toggled from UP to DOWN or DOWN to UP.

Impact:
No functional impact, but when two traps are sent, the interface state over SNMP can be misleading.

Workaround:
None

Fix:
The appropriate trap, that is, linkDown trap when F5OS interface state is down and linkUp trap when F5OS interface state is up, will be sent.

1486697 : Configuring Expiry-status of root and admin users should not be allowed

Links to More Info: BT1486697

Component: F5OS-A

Symptoms:
Expiry-status of root and admin users are allowed to be configured and there is a chance of locking out these users.

Conditions:
If Expiry-status of any root or admin user is marked as Locked, that root or admin user cannot log in to the system.

Impact:
There is a chance that default users, such as root and admin, become locked out.

Workaround:
None

Fix:
You cannot edit the ‘Expiry-status’ field in webUI for admin and root users. Thus, it cannot be configured. The 'Expiry-status' field for root and admin users will now always display the default value as 'Enabled'.

1481797 : Voltage sensor limits incorrect, causing notice messages on r2000 & r4000 appliances

Links to More Info: BT1481797

Component: F5OS-A

Symptoms:
The rSeries 2000 and 4000 appliances can incorrectly report voltage sensor errors when the values are within the allowed range.

platform 2023-10-16 19:00:01.263 Z Error appliance-1 diag-agent[8] msgid=0x098200000000001a msg="Component Attribute Changed" component="appliance/hardware/bmc" attribute="p5a:sensor:voltage:p1v05nac" severity="Notice" value="1.03" interface="diag-controller"

platform 2023-10-15 19:00:01.322 Z Error appliance-1 diag-agent[8] msgid=0x098200000000001a msg="Component Attribute Changed" component="appliance/hardware/bmc" attribute="p5a:sensor:voltage:p0v83x557" severity="Notice" value="0.81" interface="diag-controller"

The 2 sensor limits above should be:

- P1V05_NAC == 1.05V +/- 30mV
- P0V83_X557 == 0.83 (0.76V - 0.85V)

This means log messages that report voltage values within the limits can be safely ignored.

Conditions:
RSeries appliances r2x00 or r4x000

Impact:
This is a cosmetic issue.

Workaround:
Review the warning to ensure it is within the defines ranges stated above.

Fix:
The system will not log errors when P1V05_NAC and P0V83_X557 are within the accepted limits.

1472917 : LDAP authenticated admins logging in via the serial console may have trouble disabing appliance mode during system instability

Component: F5OS-A

Symptoms:
If ConfD is not running, F5OS offers an emergency option to disable appliance mode when an administrator logs in successfully via the serial console.

Conditions:
The admin role has been configured with a remote-gid that is not 9000 and the admin successfully authenticates via LDAP on the serial console while ConfD is not running.

Impact:
Remotely-authenticated admin users cannot disable appliance mode if ConfD is offline.

Workaround:
None

Fix:
Remotely-authenticated admin users can disable appliance mode if ConfD is offline.

1470917 : LAG aggregated speed is not updated

Links to More Info: BT1470917

Component: F5OS-A

Symptoms:
LAG's aggregation state lag-speed value is not the aggregate of the member port's actual speed.

Conditions:
Individual port auto-negotiates to a value lower than its initial port speed configuration.

Impact:
The actual speed of the LAG is not displayed when running the show interfaces interface aggregate command. This is just a display issue, with no impact on the actual bandwidth of the LAG.

Workaround:
None

Fix:
The LAG speed reflects accurately the sum of the operational speed of members.

1469401 : ARP request for mgmt interface IP resolving to mgmt0-system inferface's mac

Component: F5OS-A

Symptoms:
1. Configure IP on mgmt0-system from ConfD.
2. Configure IP on mgmt using linux command.
3. ARP request to mgmt-ip resolves to MAC of mgmt0-system.

Conditions:
Configuring IP on mgmt interface using linux and nmcli/ip commands.

Impact:
No impact

Workaround:
None

Fix:
Added code changes to make F5OS to resolve to the correct MAC for mgmt-ip.

1469385 : GUI freezes during LDAP user authentication if no remote GID mapped locally.

Links to More Info: BT1469385

Component: F5OS-A

Symptoms:
The LDAP remote user authentication freezes for a long time (more than a minute).

Conditions:
When trying to authenticate a remote LDAP user through the GUI without mapping any of the remote user GIDs to the F5OS local roles.

Impact:
Authentication freezes for a long period before rejecting the user.

Workaround:
One of the remote GIDs should be mapped to the local F5OS roles.

Fix:
Map the remote GID(s) to the F5OS role(s) to authenticate remote LDAP users successfully.

1468545 : Inconsistency with time zones displayed in log files

Links to More Info: BT1468545

Component: F5OS-A

Symptoms:
PEL logs in F5OS systems are logged in a different time zone, but not in the configured time zone.

Conditions:
If the configured time zone is different from UTC, then the PEL logs can display different time for log messages.

Impact:
Troubleshooting and tracing issues can be difficult, as the time zones used in different logs do not match.

Workaround:
None

Fix:
PEL logs in F5OS systems are logged in the applicable time zone.

1467273 : LCD restarting internal services periodically due to memory allocation error.

Component: F5OS-A

Symptoms:
On a r2000/r4000 system, the LCD may experience an issue causing it to repeatedly restart the ‘platform_monitor’ or ‘bmcservice’ service due to a memory allocation problem.

The lcd.log file displays recurring patterns of log messages such as:

2023-12-13T23:53:37.264375+07:00 -- 2023-12-13T23:53:37.264375+07:00 lcd platform_monitor[1581] Traceback (most recent call last):#012 File "/usr/sbin/platform_monitor.py", line 540, in <module>#012 raise e#012OSError: [Errno 12] Cannot allocate memory
2023-12-13T23:53:39.477464+07:00 -- 2023-06-24T03:11:45+07:00 lcd /etc/watchdog.d/platform_monitor_watchdog.sh: found platform_monitor is not running
<snip>
2023-12-13T23:53:40.025297+07:00 -- 2023-06-24T03:11:46+07:00 lcd watchdog[1424]: test binary /etc/watchdog.d/platform_monitor_watchdog.sh returned 255
2023-12-13T23:53:40.025524+07:00 -- 2023-06-24T03:11:46+07:00 lcd /etc/watchdog.d/platform_monitor_watchdog.sh: Trying to repair platform_monitor ...
<snip>
2023-12-13T23:53:41.667967+07:00 -- 2023-06-24T03:11:48+07:00 lcd /etc/watchdog.d/platform_monitor_watchdog.sh: platform_monitor successfully repaired, pid = 27676

A similar condition may occur for the 'bmcservice' service.

2024-02-22T04:36:38.648864+00:00 -- 2024-03-17T21:05:37+00:00 lcd /etc/watchdog.d/bmcservice_watchdog.sh: found bmcservice is not running
2024-02-22T04:36:39.249053+00:00 -- 2024-03-17T21:05:37+00:00 lcd watchdog[1436]: test binary /etc/watchdog.d/bmcservice_watchdog.sh returned 255
2024-02-22T04:36:39.249787+00:00 -- 2024-03-17T21:05:37+00:00 lcd /etc/watchdog.d/bmcservice_watchdog.sh: Trying to repair bmcservice ...
2024-02-22T04:36:41.140343+00:00 -- 2024-03-17T21:05:39+00:00 lcd /etc/watchdog.d/bmcservice_watchdog.sh: bmcservice successfully repaired, pid = 26226

Conditions:
Excessive LCD memory consumption may occur if the appliance is turned off while external power is still connected. This excess memory usage will not be resolved when the appliance is turned on again.

Impact:
While the LCD is operating in this state, it may not be able to obtain the PSU status from the BMC and update the PSU status LEDs accordingly.

Furthermore, the LCD may not be able to ascertain the system’s current power state from the BMC.

Workaround:
The excessive LCD memory consumption can be recovered by rebooting the LCD.

1) Log into the appliance as a root user.
2) Issue `docker exec -it platform-hal psf call POST:lcd/reboot waitForBootup=true` at the Linux prompt.
3) Wait 60–90 seconds for the LCD to complete a reboot.

Example:

[root@appliance-1:Active] ~ # docker exec -it platform-hal psf call POST:lcd/reboot waitForBootup=true
  field | value
----------+--------
  success | true

Fix:
The excessive LCD memory consumption is fixed in LCD firmware v1.01.069.00.1 and later.

1466397-1 : LDAP authentication is consuming several minutes to authenticate via GUI and SSH.

Links to More Info: BT1466397

Component: F5OS-A

Symptoms:
LDAP authentication is working fine. However, authentication takes several minutes, which lacks a user-friendly experience.

Conditions:
- Configure LDAP server-group.
- Configure LDAP_ALL as an authentication-method.
- Log in using LDAP user via GUI or SSH.

Impact:
The user is forced to wait for several minutes to get the result of LDAP authentication.

Workaround:
None

Fix:
Removed unnecessary GID lookup to speed up LDAP authentication.

1461289-1 : On a rSeries appliance, config-backup proceed is broken

Links to More Info: BT1461289

Component: F5OS-A

Symptoms:
On a rSeries appliance, system database config-backup 'proceed' is broken. It is about overwriting an existing backup file, but it prompts you to proceed even if a file does not exist.

Conditions:
System database config-backup always prompts for the user to proceed even if a file does not exist.

Impact:
No functional impact. When you provide input 'yes', the backup file will be generated.

Workaround:
When prompted to 'proceed', you must respond with 'yes'.

Fix:
The system database config-backup prompts the user with ‘proceed’ option only when the file exists and the user is not provided ‘proceed yes’ in the input CLI command.

1461109 : GUI error "Unable to get data from stream streams/platform-stats/json"

Component: F5OS-A

Symptoms:
When viewing usage visualizations on screens that support them (Tenant details, Dashboard cpu Tab etc.), sometimes when switching between browser tabs an error in notification stream occurs.

Conditions:
-- Viewing a screen that shows data visualizations using notification streams
-- Switching between different browser tabs.

Impact:
An error message is dislayed in place of the visualzation charts.

Workaround:
Refreshing the page will start the notification stream again and user should start seeing data visualisations

Fix:
This issue is happening because GUI is trying to disconnect and reconnect to stream when switching between tabs. This behaviour is prevented now the stream will stay connected even when user switched to different tab.

1455913 : Tcpdump on F5OS does not honor the -c flag

Component: F5OS-A

Symptoms:
When using Tcpdump on F5OS with the -c flag, Tcpdump will not stop after receiving the given number of packets.

Conditions:
A Tcpdump session is started with the -c or --count flag.

Impact:
The Tcpdump session will not terminate after receiving the requested number of packets and will continue until manually terminated.

Workaround:
N/A

Fix:
Tcpdump now honors the -c flag and will terminate after receiving the given number of packets.

1451181 : The Rest API call to list core files returns 500 error when no core files found.

Component: F5OS-A

Symptoms:
The ConfD List Core Files Rest API call request returns a 500 ERROR when no core files are found rather than returning an empty list.

Example:
https://10.10.10.1:8888/restconf/data/openconfig-system:system/f5-system-diagnostics-qkview:diagnostics/f5-system-diagnostics-qkview:core-files/f5-system-diagnostics-qkview:list

Conditions:
1. No core files exist on the system.
2. The Rest API for querying the list of core files is made.

Impact:
Limited, but may affect automation.

Workaround:
Automation can respond to 500 error.

Fix:
Instead of responding with a 500 error, the response is now "none" when no core files exist.

1441425 : The rSeries appliance log shows "PSU voltage out value < lower limit, value=0".

Links to More Info: BT1441425

Component: F5OS-A

Symptoms:
The following message appears in the logs:
66305 psu-1 psu-fault EVENT Network Access "PSU voltage out value < lower limit, value=0" "2023-12-08 09:00:00.900082135 UTC".

Conditions:
The conditions that trigger this issue are unknown at this time.

Impact:
Users see several "PSU voltage out value < lower limit, value=0" logged messages, which could be falsely reported.

Workaround:
None

Fix:
None

1441333 : Rasdaemon memory leak

Links to More Info: BT1441333

Component: F5OS-A

Symptoms:
Rasdaemon will increase in size when excessive (>10000) MCE memory error events occur and may lead to system instability.

Conditions:
Likely due to memory hardware resulting in MCE errors

Impact:
System instability

Workaround:
Rebooting could be a temporary work-around if MCE rate is excessive.

Fix:
Rasdaemon version is upgraded in the current F5OS release.

1437765-2 : Restoration of system configuration database may fail if admin user was previously modified

Links to More Info: BT1437765

Component: F5OS-A

Symptoms:
The restoration of the System Configuration Database fails with this error:
appliance-1(config)# system database config-restore name config_database1 proceed yes
Error: access denied
Database config-restore failed.

Conditions:
In F5OS-A 1.5.1, the expiry status of the ‘admin’ user has been modified even before the System Configuration Database is saved and restored on the device that is currently installed after RMA/factory or F5OS clean install.

Impact:
Unable to restore the System Configuration Database.

Workaround:
1. In F5OS-A 1.5.1, it is recommended not to lock or modify the expiry status of the ‘admin’ user on the RMA/factory or clean installed appliance. If modified, enable the user before taking the backup.
2. Edit the System Configuration Database backup file. For the admin and root user, remove the next line which is highlighted by the arrow, then restore the configuration using the modified file:
           <username>admin</username>
           <config>
             <username>admin</username>
             <password><REMOVED></password>
             <last-change>0</last-change>
             <expiry-date>-1</expiry-date>
             <role>admin</role>
             <expiry-status>enabled</expiry-status> <---

1436153 : F5OS upgrades fail when SNMP configuration contains special characters.

Links to More Info: BT1436153

Component: F5OS-A

Symptoms:
As part of some security fixes, added a special character restriction in SNMP configuration in F5OS-A 1.5.1. This resulted in an upgrade failure to 1.5.1. If an upgrade to 1.5.1 is successful, the SNMP configuration will get deleted implicitly.

Conditions:
Upgrade to 1.5.1 fails when the SNMP configuration contains any special characters. The restricted special characters are: /*!<>^,/

Impact:
If the user encounters this issue, the system will go to an inaccessible state and require a forced downgrade.

Workaround:
Delete the SNMP configuration (community, target, or user) containing special characters before performing an upgrade to 1.5.1.

Fix:
The special characters in the SNMP configuration do not inject any security issues and can have special characters. Hence, the special characters restriction is removed in F5OS-A 1.5.2 and F5OS-A 1.8.0.

1429741 : Appliance management plane egress traffic from F5OS-A host going via BIG-IP Next tenant management interface instead of host management when both are in same subnet

Links to More Info: BT1429741

Component: F5OS-A

Symptoms:
When BIG-IP Next tenant is installed, a default route rule is added on host. If tenant management and host management IPs are on same subnet, then two similar rules are created with destination as same subnet.

The tenant route rule is created with higher priority (metric 0) resulting any management egress traffic destination belonging to same subnet is going through tenant management interface instead of host management interface.

Conditions:
BIG-IP Next tenant is deployed on appliance.

Impact:
End users receiving traffic from appliance, will observe sender IP as tenant management interface instead of host management interface.
    Note:
        a. This issue will be observed only when host management & tenant management subnet is same and also destination to which data is sent is on same subnet.
        b. This impacts management plane traffic within the appliance's management subnets.

Workaround:
N/A

Fix:
N/A

1429721 : SCP as non-root user does not report errors correctly for bad/non-existent files.

Links to More Info: BT1429721

Component: F5OS-A

Symptoms:
Using SCP to retrieve files from F5OS as "admin" or other non-root users should report a proper error when attempting to access an invalid directory or non-existent file.

Instead, the SCP command does nothing, reports no error, and exits with an on-zero exit status.

Conditions:
Attempt to read a non-existent/inaccessible file via SCP.

Impact:
The user is not informed about the failed SCP operation and the reason for the failure.

Fix:
SCP server software now reports errors the invalid/inaccessible filenames.

1411137 : Audit log entries are missing when creating or deleting objects via UI or API

Links to More Info: BT1411137

Component: F5OS-A

Symptoms:
When creating or deleting multiple remote-server related objects via UI or API, multiple restart happens causing log message drop.

Conditions:
While creating or deleting multiple objects related to remote-server, rsyslog restart everytime to apply new configuration. Due to the restart, some log messages are dropped.

Impact:
Log messages are dropped due to multiple restarts of the rsyslog.

Workaround:
None

1411101 : "Error pf_nic_get_media" failed error for ports with or without SFP connected

Links to More Info: BT1411101

Component: F5OS-A

Symptoms:
Error pf_nic_get_media failed for connected or not connected ports coming intermittently.

Conditions:
One or more ports are not connected on R2k/R4K devices.

Impact:
The error is confusing because the port does not have an SFP connected.

Workaround:
None

1410445 : The system's power state may be incorrectly indicated by the Status LED

Links to More Info: BT1410445

Component: F5OS-A

Symptoms:
The power state on an r2000/r4000 system may be incorrectly indicated by the Status LED when the system is in standby.

When an r2000/r4000 system is in the standby power state, the Status LED should be solid amber. Instead, the Status LED may be blinking amber which indicates that communication between the LCD and host CPU has been lost.

Conditions:
An r2000/r4000 system in standby power state.

Impact:
No functional impact.

Workaround:
None

Fix:
Fixed in LCD firmware v1.01.068.00.1 and later.

1408477 : When more than one PCIe AER error has occurred, diag-agent reports this as a "RAS AER 'unknown' error" instead of the individual AER errors.

Component: F5OS-A

Symptoms:
When more than one PCIe AER errors are occurred simultaneously, diagnostics will not report the events.

Conditions:
This occurs when more than one PCIe AER errors occur simultaneously.

Impact:
You are unable to see the individual PCIe errors.

Workaround:
None

Fix:
Updated diagnostics to consider and report more than one PCIe AER errors when occurred simultaneously.

1403817-1 : SNMP IF-MIB misreport the status and speed of LACP LAGs

Links to More Info: BT1403817

Component: F5OS-A

Symptoms:
SNMP polling on IF-MIB provides incorrect status and speed of LACP Lag interfaces.

Conditions:
The issue is seen only on SNMP interface. The correct status and speed display on CLI or GUI.

Impact:
The user will see inappropriate status and speed details when polled for IF-MIB details on SNMP for LACP LAG interfaces.

Workaround:
None

Fix:
Fixed the issue to display the correct values of LACP LAG interfaces in IF-MIB SNMP polling.

1403781 : Modifying mgmt interface's description will trigger interface flapping

Links to More Info: BT1403781

Component: F5OS-A

Symptoms:
Management interface description commit may cause an interface flap.

Conditions:
Change the mgmt interface description for first time and commit.

Impact:
There is a mgmt interface flap.

Workaround:
None

1401965-1 : Copying BIG-IP ISO to /var/import/staging/, leaves ISO loopback mounted

Links to More Info: BT1401965

Component: F5OS-A

Symptoms:
An error occurs:
ERROR: sw-mgmt: priority=error msgid=0x3501000000000154 msg=Unexpected error processing "import /var/export/chassis/import/iso/<image>.iso": [Errno 30] Read-only file system: 'ace-1.1.7-0.0.3.i686.rpm'

Conditions:
Copying a BIG-IP ISO to /var/import/staging/ (rather than /var/F5/system/IMAGES or /var/F5/partition<num>/images)

Impact:
An error occurs and the ISO loopback remains mounted

Workaround:
None

Fix:
Fixed in F5OS-A/C 1.8.0

1401841 : Out of memory issues are seen when multiple telemetry exporters are configured

Component: F5OS-A

Symptoms:
Out of memory issues are seen when too many telemetry exporters are enabled.

Conditions:
When the system is configured with too many exporters with exporter options as "retry-enabled" as "true" and "send-queue-enabled" as "true", and exporter end points are not reachable from device.

Impact:
This will increase memory utilization of the system and could cause the restart of random processes/services to free up the memory.

Workaround:
Disable the unreachable telemetry exporters from ConfD
"system telemetry exporters exporter <name> config disabled"

If there are too many exporters configured, disable some of the exporters.

Fix:
N/A

1401621 : Modifying a remote server with multiple selectors from the web UI removes the AUTHPRIV configuration.

Component: F5OS-A

Symptoms:
The AUTHPRIV option is not available on the webUI. Modifying a remote log server, which has multiple servers, from the webUI removes the AUTHPRIV configuration

Conditions:
Modifying a remote server with multiple selectors from the webUI.

Impact:
The AUTHPRIV selector has been removed from the configuration.

Workaround:
To modify the configuration of a remote server with more than one selector, use the CLI.

Fix:
Added AUTHPRIV option to the webUI. Modifying the configuration of a remote server with more than one selector from the web UI will not remove AUTHPRIV from the configuration

1400221 : OpenTelemetry exporters may not produce data upon first tenant being added to system

Component: F5OS-A

Symptoms:
Telemetry streaming stops when the first tenant is configured.

Conditions:
When OpenTelemetry exporters are configured before the first tenant is configured within F5OS, this can lead to a condition where the exporters stop streaming metrics and logs.

Impact:
OpenTelemetry exporters stop producing metrics and logs.

Workaround:
The work-around is to disable and re-enable all exporters from the ConfD CLI.

system telemetry exporters exporter <name> config disabled

system telemetry exporters exporter <name> config enabled

Fix:
N/A

1399929-1 : F5OS permits user to configure non-existent ethernet interface

Links to More Info: BT1399929

Component: F5OS-A

Symptoms:
Despite the fact that the type "ethernetCsmacd" is NOT shown as "Possible completion" for the type value, the user can type it in when adding an interface component.
The system prohibits you from deleting this non-existent interface while the type is ethernetCsmacd.

Conditions:
User-triggered command for non-exposed type.

Impact:
The configuration contains a non-existent ethernet interface with no actual activity.

Workaround:
Delete the non-existent interface. You can change the interface's type to ieee8023adLag, commit and then you can delete the interface.

Fix:
With this fix, F5OS will reject the creation of ethernetCsmacd.

1398889 : rSeries r5000: assertion in qat-device-plugin FilteringResourceEventHandler.OnDelete causing k8s panic

Component: F5OS-A

Symptoms:
Crash log gets printed in run_plugin.log

Conditions:
The application internally crashes some time during tenant deletion.

Impact:
No functional impact. The log keeps increasing with crash log when it happens.

Workaround:
It automatically recovers by restarting the application.

Fix:
N/A

1398341 : The affinity script crash seen in /var/log/cron logs

Component: F5OS-A

Symptoms:
Affinity script crashes due to unhandled exceptions.

Conditions:
Due to an unhandled null reference, sys-affinity crash is seen.

Impact:
No impact. system-affinity will restart within 1 minute.

Workaround:
N/A

Fix:
N/A

1398145 : The 'file list' command takes a long time and the webUI is stuck in loading

Links to More Info: BT1398145

Component: F5OS-A

Symptoms:
When the 'file list' command is used, it takes a lot of time to get the results for the log/host path. This causes the webUI to be stuck in loading.

Conditions:
Using 'file list' command for log/host.

Impact:
The webUI will not be able to load the files in the log/host.

Workaround:
N/A

Fix:
Optimized the code to achieve faster performance when handling file lists.

1397145 : Unable to add blade to Openshift cluster if VELOS partition root password is expired or locked

Links to More Info: BT1397145

Component: F5OS-A

Symptoms:
If a VELOS partition root password is expired or locked, the system may be unable to add the blade to the Openshift cluster (or manage the cluster).

The "show cluster" command output will report that a blade is reachable ("able to ping"), but will not be able to connect to it ("able to SSH"):

                                                          ABLE ABLE
                                        IN READY TO TO PARTITION
INDEX NAME INSERTED CLUSTER CLUSTER PING SSH STATE LABEL
--------------------------------------------------------------------------------------------------
1 blade-1.chassis.local true false false true false Not In Cluster
2 blade-2.chassis.local true false false true false Not In Cluster
3 blade-3.chassis.local true false false true false Not In Cluster

Conditions:
-- VELOS partition
-- root account in partition is expired or locked

Impact:
- Blade will not join Openshift cluster.
- Unable to deploy Tenants to blade.

Workaround:
Re-enable the root user account for the partition:

system aaa authentication users user root config expiry-status enabled

1394993-1 : Upon configuration changes, the l2-agent container restarts with a core.

Links to More Info: BT1394993

Component: F5OS-A

Symptoms:
On systems running F5OS-A or F5OS-C, wen the owner field of the fdb entry is updated by the system, for L2_LISTENER entries, l2_agent crashes.

Conditions:
Configuration changes triggered by system for L2_LISTENER fdb entries. Note that this field is not used by STATIC fdb entries, but the problem can be reproduced easily with STATIC entries.

Impact:
When l2_agent crashes there is a potential disruption to configuration processing.

Workaround:
None

Fix:
The fix will avoid the crash, and the update of the owner leaf will be processed accordingly.

1394913-1 : Rare LACPD crash during process termination

Links to More Info: BT1394913

Component: F5OS-A

Symptoms:
LACPD crashes, generating a core file.

Conditions:
While the LACPD process terminates, it may crash. Operations such as a host reboot and software upgrade cause the process to terminate.

Impact:
A core file is generated. No functional impact to the system.

Workaround:
N/A

Fix:
LACPD no longer crashes during process termination.

1394905 : Unable to create AOM user

Component: F5OS-A

Symptoms:
When setting up another user in system AOM, a user gets the error "Unable to set AOM ssh username and password --------> failed".

Conditions:
- Creating a second username in AOM
- Using the same password as the first username

Impact:
User cannot create a second username and password.

Workaround:
When creating a new username and password, you must use a different password from the first password that was used.
If you wish to setup a new username using the same password, you must first run "system aom clear-data" to clear out the old username and password combination.

Fix:
Update: User can now set a new username with the existing password.

1394857 : Cannot retrieve AOM username after creating it

Component: F5OS-A

Symptoms:
There is no way to retrieve the AOM username after setting it.

Conditions:
Setting the AOM username and password in ConfD: "system aom set-ssh-user-info username password"

Impact:
If the user forgets their username, there is no way to retrieve it.

Workaround:
You can use "system aom clear-data" to reset all the information and set a new username and password.

Fix:
N/A

1394045 : Misleading "unable to read AOM SSH login banner" errors are found

Component: F5OS-A

Symptoms:
The AOM SSH login banner is an optional field, but a misleading error "unable to read AOM SSH login banner" is found in logs if you do not configure it.

Conditions:
Configure AOM SSH and check the AOM info. The errors will appear in the log.

Impact:
Benign errors "unable to read AOM SSH login banner" are found in the log.

Workaround:
N/A

Fix:
Fixed on F5OS-A 1.8.0. The "unable to read AOM SSH login banner" error does not appear if banner has not been configured.

1393669 : On adding a member to an existing LAG on webUI, the newly added member's speed does not add up to the LAG's "Current Speed" instantly and requires a reload to see the expected response

Links to More Info: BT1393669

Component: F5OS-A

Symptoms:
The status for the newly added member shows as "down" in the REST response and the newly added member's speed does not add up to the "Current Speed" of the LAG on the webUI/REST response.

Conditions:
Occurs on the webUI when adding a member to an existing LAG.

Impact:
"Current Speed" for the LAG appears stale as it does not reflect the newly added member's speed.

Workaround:
The issue only stays momentarily. If the user refreshes the screen, it shows the LAG's Current Speed appropriately.

Fix:
N/A

1393269 : Error log: "PINGLOOP Failed to ssh to 127.0.0.1"

Links to More Info: BT1393269

Component: F5OS-A

Symptoms:
"PINGLOOP Failed to ssh to 127.0.0.1" logged in platform.log by Appliance Orchestration Manager.

Conditions:
1. root user locked with expiry status set to "locked".
2. Appliance rebooted after locking root user.

Impact:
Internal processes relying on root user may malfunction.

Workaround:
Avoid locking the root user account by not setting the expiry status to "locked".
Use appliance mode for root user lockdown.

1391625 : Hugepages do not get de-allocated after BIGIP NEXT tenant HA disassembly

Component: F5OS-A

Symptoms:
After BIGIP NEXT tenant HA disassembly, the huge pages allocated for the HA-deployment pod do not get de-allocated. This can be checked in /proc/meminfo.

Conditions:
This bug can be observed after HA disassembly.

Impact:
No functional impact. 38 MB huge pages will not be available for other processes after the disassembly of HA. After the reassembly of HA, the same huge pages will be used.

Workaround:
N/A

Fix:
N/A

1390425-1 : Libvirt core is generated on downgrade from 1.7.0 -A to 1.6.0 -A

Component: F5OS-A

Symptoms:
A flawed core file is generated intermittently on downgrade from 1.7.0 -A to 1.6.0 -A. The tenant remains healthy and functional after reboot.

Conditions:
Occurs intermittently when a system downgrades from 1.7.0 -A to 1.6.0 -A.

Impact:
A libvirt core file is generated, but the tenant is actually healthy and functional.

Workaround:
N/A

Fix:
N/A

1388961 : A few SEL entries in /var/log/platform/sel have missing details

Links to More Info: BT1388961

Component: F5OS-A

Symptoms:
A few SEL entries in /var/log/platform/sel have missing details or might be blank.

Conditions:
For r2000 and r4000 systems, a few SEL entry types are not fully parsed and details will not be available, particularly those that typically appear during a system restart.

Impact:
No functional impact, but with missing SEL log entries it can be difficult to investigate other problems.

Workaround:
None

Fix:
Improved the logging of SEL entries.

1388945 : Fan speed randomly shows as '0'.

Links to More Info: BT1388945

Component: F5OS-A

Symptoms:
The fan speed is randomly and incorrectly reported as '0'.

Conditions:
Checking the sensors using GET:bmc/sensors.

Impact:
The fan speed is reported as '0'.

Workaround:
None

Fix:
This issue has been fixed, and the fan speed no longer randomly reports as '0'.

1388745 : Large numbers of platform-hal errors logged in platform.log: "Requested Sensor, data, or record not present."

Links to More Info: BT1388745

Component: F5OS-A

Symptoms:
The platform-hal service is intermittently logging a large number of messages similar to the following in platform.log:

appliance-1 platform-hal[8]: priority="Err" msg="Action Error" index=0 message="Requested Sensor, data, or record not present." interface="job-665402" actionKey="GET:lop/pel" jobId=665402

There may be tens of thousands of log messages in some cases.

Conditions:
The conditions that trigger this issue are unknown at this time.

Impact:
The platform.log file becomes filled up with many of these log messages, and they must be filtered out to review the logs effectively.

Workaround:
None

Fix:
None

1388477 : Default GID group mapping authorized even when GID mapped to different group ID

Component: F5OS-A

Symptoms:
When a role (group) is mapped to a custom remote group ID (GID), the default GID (e.g. 9000 for admin) is also authorized for the same group.

Conditions:
The admin role (GID 9000), operator role (GID 9001), user role (GID 9002), or the resource-admin role (GID 9003) are assigned non-default GID.

Impact:
Remote users with GIDs 9000, 9001, 9002, or 9003 maintain the default access for their user role.

Workaround:
Do not assign the F5's default admin, operator, and resource admin role IDs (GID) to the remote user groups. These GIDs are 9000, 9001, and 9003 respectively.

For a customer who uses the versions with the issue, if higher privilege user group IDs are anything different from 9000, 9001, and 9003, do not assign 9000, 9001, and 9003 GIDs to any other group in the external directory, and do not assign default F5 role GIDs to any user. The default GIDs 9000, 9001, and 9003 should be entirely unassigned in the directory, or assigned to placeholder groups that are prohibited from user assignment.

See the role GIDs in ConfD CLI with the following command:

show system aaa authentication roles role

See the 'GID' column in the command output and don't assign those GIDs to users.

Fix:
If a remote-GID is configured for a role, the default GID will no longer authenticate for that role.

1381661 : LDAP external authentication fails if there is no group definition for user's primary GID

Links to More Info: BT1381661

Component: F5OS-A

Symptoms:
LDAP external authentication (e.g. REST API or GUI; but not ssh) fails in the following scenario:
- User is defined in external auth system (e.g. LDAP)
- User has a primary GID assigned
- There is no group definition for user's primary GID

While this is legal, because the numeric GID should be sufficient, when we try to look up the group info and fail, this short circuits authentication resulting in an error.

Conditions:
- User is defined in external auth system (e.g. LDAP)
- User has a primary GID assigned
- There is no group definition for user's primary GID

Impact:
Externally defined users may not be able to log in.

Workaround:
Define a group for the user's primary group ID.

system aaa authentication roles role <group name> config remote-gid <group ID>

Fix:
LDAP external authentication no longer fails if there is no group definition for user's primary GID. The numeric GID is sufficient.

1381277 : Most recent login information is not displayed in F5OS webUI

Links to More Info: BT1381277

Component: F5OS-A

Symptoms:
The most recent login information is not available in the F5OS webUI. These details can only be accessed through the CLI.

Conditions:
When using F5OS webUI.

Impact:
To access the most recent login information, you must use the CLI.

Workaround:
Use CLI command 'show last-logins' to access the recent login information.

Fix:
From F5OS-A 1.8.0, the most recent login information can be found in the User & Roles screen of the F5OS webUI.

1381109 : WS-2022-0322 - d3-color 2.0.0 package

Component: F5OS-A

Symptoms:
Versions of d3-color prior to 3.1.0 are vulnerable to a Regular expression Denial of Service.

Conditions:
N/A

Impact:
F5OS-A 1.8.0 may be affected by WS-2022-0322

Workaround:
N/A

Fix:
d3-color has been upgraded to an unaffected version.

1381057 : Opening and closing preview pane is causing the page scrollbar to disappear on View Tenant Deployments screen

Links to More Info: BT1381057

Component: F5OS-A

Symptoms:
On the "View Tenant Deployments" screen, when there are a significant number of tenants on the tenant data table, there will be a page level scroll. Opening and closing the preview pane by clicking on any row makes the page level scroll bar disappear.

Conditions:
User should be on the "View Tenant Deployments" screen and there should be many tenants configured on the system so that user can see a page level scroll bar.

Impact:
Opening and closing preview pane is causing the page level scrollbar to disappear making it impossible for a user to scroll down and see the tenants that are out of scroll view.

Workaround:
N/A

Fix:
The issue is now fixed and opening and closing preview pane no longer hides the page level scrollbar. The user can scroll down to see the tenants that are hidden in scroll view.

1379845 : CVE-2023-3341:bind: stack exhaustion in control channel code may lead to DoS

Links to More Info: K000137582, BT1379845

1379625 : Changing the max-age attribute in password policy is not reflecting immediately

Links to More Info: BT1379625

Component: F5OS-A

Symptoms:
Even after setting max-age value (maximum age, in days, after which password will be expired) less than 7 days, the warning for password expiration is not displaying at the time of next login.

Conditions:
Set max-age attribute to less than 7 (days) and check if password expiration warning is prompted at the time of next login.

Impact:
Password expiration feature is not working as expected.

Workaround:
N/A

Fix:
Fix is provided to sync the max-age value, updated from ConfD CLI, with the user's password expiration attribute in the /etc/shadow on the system.

1379565-1 : Observing QKView start from 100% and then going back to 1%

Component: F5OS-A

Symptoms:
On a second execution of QKView, it is possible that the percent complete reported by the system diagnostics QKView status command will remain at the previous setting until the QKView collection set-up has been completed. This has no effect on the QKView collection, but it can be confusing.

Conditions:
QKView is executed two or more times.

Impact:
Confusing percent-complete number for a few moments.

Workaround:
Wait for a few moments until QKView capture set-up has finished (up to 30 seconds).

1378805 : Error occurs when changing LAG type for an existing LAG interface on webUI

Links to More Info: BT1378805

Component: F5OS-A

Symptoms:
On the webUI, if a LAG type changes from LACP, an error displays when that LAG type changes back to LACP.

Conditions:
The error occurs when attempting to change the LAG type on an existing LAG interface to a previously used type.

(i.e. Creating a LAG interface with type LACP, changing that type to Static, and then changing it back to LACP)

Impact:
This issue does not affect functionality; however, an unnecessary "Object Already Exist" error pop-up appears.

Workaround:
To avoid the pop-up, change the LAG type to LACP using the CLI in this scenario.

Fix:
Changing the LAG type on an existing LAG interface to a previously used type no longer triggers an error pop-up on the webUI.

1378313 : CVE-2020-22218: libssh2: use-of-uninitialized-value in _libssh2_transport_read

Links to More Info: K000138219, BT1378313

1375133 : K3S is getting reinstalled after live upgrade, even though there is no K3S version change★

Component: F5OS-A

Symptoms:
The CLI "show cluster install-status" shows K3S as installing, even though there is no version change. This happens just after live upgrade.

Conditions:
This issue is seen during reboot just after live upgrade.

Impact:
There is no functional impact.

Workaround:
N/A

Fix:
N/A

1366417-3 : Long BIG-IP tenant names will cause not having virtual console access

Component: F5OS-A

Symptoms:
No access to the BIG-IP tenant virtual console.

Conditions:
BIG-IP tenant name is longer than 32 characters.

Impact:
The creation of the tenant-console user fails, preventing access to the virtual console for that tenant.

Workaround:
Use tenant names that don't exceed 32 characters in length.

Fix:
Warn the user when using BIG-IP tenant names that exceed 32 character in length.

1366337 : Adding a system raid drive fails after successful removal

Links to More Info: BT1366337

Component: F5OS-A

Symptoms:
If the system is set up using bare-metal installation of F5OS-A 1.5.1, the user will not be able to add a SSD after removing an existing SSD from RAID.

Conditions:
The system must have been bare-metal installed using F5OS-A 1.5.1.

Impact:
User is unable to remove/add SSD into RAID.

Workaround:
N/A

Fix:
SSD can be added and removed from RAID.

1366157 : Warning needed about creating tenant with same name as existing user account name

Links to More Info: BT1366157

Component: F5OS-A

Symptoms:
When a tenant is created with the same name as an existing user account, the end user will not be able to log into the tenant console with that user account. A warning is not included.

Conditions:
Creating the tenant with the same name as an existing user account.

Impact:
The end user will not be able to connect to the tenant mgmt-ip with the user account.

Workaround:
Delete and re-deploy the tenant again with a different name.

Fix:
A warning that a console user won't be created if it matches the same name as a user account has been added.

1365985 : GID role mapping may not work with secondary GID

Links to More Info: BT1365985

Component: F5OS-A

Symptoms:
When a user in an external authentication system (LDAP, Radius, TACACS) is given a GID for an F5 role, and that GID is a secondary GID, the role assignment may not be discovered. This would result in the inability to access the system or be able to configure the system for that user.

Conditions:
- User in an external authentication system (LDAP, Radius, TACACS)
- GID corresponding to F5 role is a secondary GID (for example, it is not the user's default GID, rather a GID from a group to which the user belongs)

Impact:
Inability to log into the system, or inability to configure the system for the user in question.

Workaround:
The GID for the desired role should be the GID directly mapped to the user in the external authentication system (for example, in LDAP, the gidNumber on the user object should be the F5 role GID), rather than a secondary GID (for example, in LDAP, the gidNumber on a group of which the user is a member).

Fix:
All GID role mappings are properly considered when discovering role assignments for users in external authentication systems.

1365977 : Container daemons running as PID 1 cannot be cored on-demand

Links to More Info: BT1365977

Component: F5OS-A

Symptoms:
- kill -QUIT (or any other core-producing signal) to a container process running as PID 1 does not cause a core file.

- Actual runtime errors do generate cores as expected.

Conditions:
Containers that run their services directly as PID 1.

Impact:
Not possible to force a core file for diagnostic purposes.

Workaround:
None

Fix:
Containers that were running directly as PID 1 have been modified to use a minimal "init" process to catch and forward signals to the real service process.

The command:

"docker exec {containername} kill -QUIT 1"

can be used to core a daemon running as a child of /dev/init.

More complicated containers that have multiple processes running under 'bash' script may need to use

"docker exec {containername} kill -ABRT -1"

Note that if the "docker kill" or "docker stop" commands are used instead of "docker exec", the container will not restart, resulting in an inoperative system.

1365821 : Traffic loss of 5-10 seconds after disable/enable of LACP Lag member on r5000/r10000

Links to More Info: BT1365821

Component: F5OS-A

Symptoms:
Disabling and then re-enabling a LACP Lag member can result in traffic loss of up to 10 seconds on r5000/r10000 platforms.

Conditions:
Disable then re-enable LACP Lag member on r5000/r10000 platforms.

Impact:
Traffic loss lasting up to 10 seconds.

Workaround:
N/A

Fix:
Don't hold a mutex while processing the set of links to initialize. Make a copy of the links and release the mutex instead.

1361117 : ha-1-deployment pod may get restarted when tenant HA is configured

Component: F5OS-A

Symptoms:
When HA is configured on the BIG-IP Next tenants, a new pod of name <tenant-name>ha-1-deployment-<replica-set-hash>-<pod-id> will get created in the tenant namespace.

In some cases, the pod restart count may be 1.

Conditions:
When HA is set up on BIG-IP Next tenants on r-Series.

Impact:
No functional impact. The pod will come to running state automatically.

Workaround:
N/A

Fix:
N/A

1360905 : Unexpected log messages in /var/log/boot.log post-integrity recovery

Links to More Info: BT1360905

Component: F5OS-A

Symptoms:
Users may observe the following inappropriate log message in /var/log/boot.log after recovering from integrity failure:

Sep 28 08:45:08 appliance-1 journal: FIPS Integrity Check: This system has been placed in an error state. Try to recover the system using /usr/libexec/ostree_recover utility or reinstall the system. On many devices pressing the escape key followed by '(' key will bring up a menu that allows the system to be restarted.

Conditions:
The integrity failure occurs when the device is in FIPS mode, and a user alters or removes a file, subsequently executing an on-demand integrity test or a boot-up integrity test.

Impact:
There are no noticeable performance issues or anomalies associated with these log messages, and the issue does not affect the overall system performance or user experience. There are no potential risks or security concerns related to the inappropriate log messages.

Workaround:
N/A

Fix:
The code has been modified to provide more user-friendly log messages.

1359897 : rSeries link down events can be missed

Links to More Info: BT1359897

Component: F5OS-A

Symptoms:
The rSeries platform can occasionally fail to detect a link going down due to the removal of the cable.

Conditions:
Remove fiber optic cable.

Impact:
Links that are DOWN stay operationally UP. This can lead to erroneous LACP and/or LAG state.

1359277 : ConfD CLI timed out and subsequently sees Error: application communication failure

Links to More Info: BT1359277

Component: F5OS-A

Symptoms:
CLI times out if the respective action is not completed within the specified time interval.

Conditions:
The action to perform takes more time than the specified timeout interval.

Impact:
Unable to perform ConfD action.

Workaround:
The respective container can be restarted or a system reboot can be performed.

Fix:
When there is a timeout event, the CLI disconnects from handler and is not able to connect with handler again to perform subsequent actions.
A fix has been implemented to reconnect successfully in case of a timeout event. This prevents application communication failure error. You might still see a timeout when the system is busy but you will still be able to perform required actions a few minutes/seconds later.

1355277-2 : Incorrect Vlan Listeners when a Static FDB is configured

Links to More Info: BT1355277

Component: F5OS-A

Symptoms:
When a Static FDB is configured on an interface, Vlan Listeners associated with that interface will have an extra Service ID configured for Service ID 1.

Conditions:
A Static FDB is configured on an interface.

Impact:
Extra broadcast traffic will be generated on the system, which could affect performance.

Workaround:
N/A

Fix:
N/A

1355113-1 : VELOS software upgrade does not inform about KubeVirt component upgrade

Component: F5OS-A

Symptoms:
During F5OS software upgrades with VELOS chassis systems, there is a lack of visibility into which individual software components will be updated before the upgrade. This can lead to tenant degradation. In particular, when upgrading system controllers, the upgrade may include an update to the KubeVirt Kubernetes Extension, which will disrupt tenant operations.

Conditions:
VELOS F5OS system controller software upgrades include an update to the KubeVirt Kubernetes Extension.

Impact:
The traffic of all tenants that have been deployed will be disrupted.

Workaround:
None

Fix:
During an F5OS software upgrade on VELOS chassis systems, it is important to consider that the traffic of deployed tenants may experience temporary interruptions until the upgrade is finished.

1354373-1 : WebUI malfunctions when navigating to HSM Details with inactive FIPS drivers

Links to More Info: BT1354373

Component: F5OS-A

Symptoms:
If the FIPS card is not initialized properly due to inactive FIPS drivers, navigating to certain pages will break the webUI.

Conditions:
When the FIPS card is not initialized properly due to inactive FIPS drivers, the "HSM Details" and "Add FIPS Partition" screens on the webUI break.

Impact:
A blank screen appears, and users are unable to see the left navigation bar to switch to other screens.

Workaround:
To work around this issue, remove the screen name from the URL, which will navigate the user to the dashboard screen.

Fix:
On a system where the FIPS card is not initialized properly, navigating to the "HSM Details" and "Add FIPS Partition" screens no longer results in a break.

1354341 : Changing a VLAN from trunked (tagged) to native (untagged) on a LAG in a single transaction can cause traffic outage

Links to More Info: BT1354341

Component: F5OS-A

Symptoms:
Traffic outage after changing a VLAN assigned to a LAG from Trunk to Native in a single commit.

Conditions:
Changing a VLAN assigned to a LAG from Trunk to Native in a single commit.

Impact:
Traffic outage.

Workaround:
First remove the Trunk VLAN from the LAG, then commit the change. Then add the Native VLAN to the LAG and commit the change.

1354329 : It is possible to create a user with 'tenant-console' as its primary role (without creating a tenant) from the ConfD CLI

Component: F5OS-A

Symptoms:
Admin can create a user with 'tenant-console' as its primary role from the ConfD CLI. This may create tenant console access issues if a tenant gets created with the same name as the user. The 'tenant-console' role is reserved for tenants, so it shouldn't be possible to create a user with the 'tenant-console' role.

Conditions:
Admin has created a user with the 'tenant-console' role and is now trying to create a tenant with the same name as the user.

Impact:
Console access to the tenant won't be working.

Workaround:
N/A

Fix:
The issue will be fixed by providing a validation handler so that no user other than the 'tenant-console' user can have the 'tenant-console' role.

1354053 : Suppress LOP SEEPROM object did not find errors during re-licensing

Component: F5OS-A

Symptoms:
During licensing, F5OS can request data from platform SEEPROM that has not been programmed into the SEEPROM. In such cases, platform-hal logs an error message:

“appliance-1 platform-hal[8]: priority="Err" msg="Action Error" index=0 message="LOP Result Error: SeepromObjectNotFound (0x11)".

Conditions:
During licensing, platform-hal requests un-programmed values. Therefore, an error message is logged in the platform log.

Impact:
These log messages are not harmful and do not impact the operation of the system.

Workaround:
None

Fix:
To suppress these messages, upgrade to a newer version of F5OS. Updated F5OS has these messages suppressed and no longer present in the logs.

1353161 : Snmpd daemon stuck in loop deleting and recreating 'system snmp communities community' entry after recreating and deleting SNMP config a few times

Component: F5OS-A

Symptoms:
Snmpd daemon stuck in loop deleting and recreating 'system snmp communities community' entry after recreating and deleting SNMP config a few times.

Conditions:
1. Put an SNMP configuration, e.g.:

curl -sku admin:admin -H "content-type: application/yang-data+json" https://localhost/api/data/openconfig-system:system/f5-system-snmp:snmp -XPUT -d @put2.json

# jq -c . <put2.json
{"f5-system-snmp:snmp":{"targets":{"target":[{"name":"i10_2_108_100","config":{"name":"i10_2_108_100","community":"verynicecommunity","security-model":"v2c","ipv4":{"address":"10.2.108.100","port":162}}},{"name":"i10_2_108_101","config":{"name":"i10_2_108_101","community":"verynicecommunity","security-model":"v2c","ipv4":{"address":"10.2.108.101","port":162}}}]},"communities":{"community":[{"name":"verynicecommunity","config":{"name":"verynicecommunity","security-model":["v2c"]}}]},"engine-id":{"config":{"value":"mac"}}}}
#

2. Wait 10 seconds or so

3. Delete/clear the SNMP config, using one of the two methods:

a. curl -sku admin:admin -H "accept: application/yang-data+json" https://localhost/api/data/openconfig-system:system/f5-system-snmp:snmp -XDELETE
b. from the confd CLI in config mode:
no system snmp ; commit no-confirm

4. Wait 15 seconds, while monitoring /var/log/messages for repeating audit messages related to the SNMP config.

5. Repeat first three steps.

Impact:
High CPU and inconsistent state (SNMP community string comes and goes from 'show running-config system snmp' output while the user is watching it).

Workaround:
Restart snmpd container using docker command.

Fix:
We obsoleted old SNMP configuration commands.

Behavior Change:
In latest F5OS releases (from F50S-A-1.2.x and F5OS-C-1.6.x onwards) SNMP configuration commands have been simplified. For backward compatibility, the old style SNMP configuration works until F5OS 1.7.0 and keeping a confirmation warning in the CLI asking user to use new simplified snmp commands and the old style commands will be obsolete in future releases.

In latest release (from F50S-A-1.8.x and F50S-C-1.8.x), the old SNMP configuration commands are obsolete.

1353085 : Configure admin/operator roles in LDAP without uidNumber or gidNumber attributes

Component: F5OS-A

Symptoms:
In previous versions of F5OS, when using LDAP for third-party authentication, having uidNumber and gidNumber LDAP attribute mappings was required. These attributes are common on unix systems and unix-based directories, but are optional in Windows environments. In Windows environments (For example, Active Directory), admin may be required to manually add uidNumber attributes to users, and gidNumber attributes to admin/operator groups.

Conditions:
Third-party LDAP authentication using Active Directory or other LDAP directory where uidNumber and gidNumber attributes are not provided by default.

Impact:
In the above conditions, administrators are required to add uidNumber attributes to users in the directory, and gidNumber attributes to admin/operator groups.

Workaround:
Create uidNumbmer/gidNumber attributes if not present in directory.

Fix:
A feature was added to map LDAP groups to F5OS roles using LDAP filter (group names) instead of numeric IDs. Additionally, code was added to use objectSid mapping instead of uidNumber/gidNumber to eliminate the need to create missing attributes in Active Directory environments.

1352845 : Some internal log content may not appear in external log server

Links to More Info: BT1352845

Component: F5OS-A

Symptoms:
When a remote log server is configured, some internal log content may not appear in the logs on the remote server. Notable are logs related to audit login failures.

Conditions:
Remote logging server is configured. Log messages do not appear on remote server for user trying to log in with wrong password repeatedly, causing account lockout.

Impact:
Brute-force password attack indications may not be seen on external log server.

Workaround:
For logs of this type, consult the log files directly on the appliance.

1352449 : iHealth upload is failing with error "certificate signed by unknown authority"

Links to More Info: BT1352449

Component: F5OS-A

Symptoms:
When attempting to use the QKView upload feature, the upload may fail with the message "certificate signed by unknown authority". This is due to a recent change in certificate authority that is inconsistent between F5OS and iHealth.

Conditions:
Always, after mid-September 2023.

Impact:
Unable to upload QKView files to iHealth with a single click.

Workaround:
Users may use the File Export feature to download QKView files to their PCs, and then upload those files to iHealth.

You can find the qkview files in the GUI at System Settings :: File Utilities, then choose "diags/shared" as the base directory, then select "qkview".

Fix:
Certificate authorities used by the iHealth upload feature in F5OS will be updated.

1352421 : L2 services (LACP/LLDP) are down on r2000 and r4000 series appliances

Links to More Info: BT1352421

Component: F5OS-A

Symptoms:
LLDP and LACP will appear to be non-functional on the F5OS system.

LLDP/LACP PDUs reach the F5OS system, which can be verified with tcpdump.

Conditions:
-- r2000 and r4000 series appliances.
-- LLDP or LACP is configured.
-- Links are up.

Impact:
L2 protocols fail to negotiate or register inbound data.

Workaround:
Reboot.

1352353-3 : Remove integrity-check configurable option from CLI

Links to More Info: BT1352353

Component: F5OS-A

Symptoms:
In F5OS systems, root and admin users are allowed to toggle the integrity-check option from the CLI. When in FIPS mode, integrity-check should always execute on system startup and when demanded. Since the integrity-check option is configurable, users can disable it which puts the integrity of the system at risk.

Conditions:
The configurable integrity-check option is visible when the device is in FIPS mode.

Impact:
An admin or root user could access the CLI and disable integrity-check. This could replace files and packages which could impact the integrity of the system.

Workaround:
N/A

Fix:
We have removed the enable/disable integrity-check option from the CLI.

1352045 : Not able to connect to tenant console via virtctl after upgrade

Links to More Info: BT1352045

Component: F5OS-A

Symptoms:
Unable to connect to tenant console via virtctl after upgrading from an older version to 1.7.0. It will happen only if any virtctl console is active while doing upgrade. After upgrading, there will be stale kubectl process with older certificates present which will cause errors.

Conditions:
Virtctl console is active for tenant at the same time live upgrade is initiated.

Impact:
Not able to connect console to any tenant after upgrade to 1.7.0.

Workaround:
Kill kubectl process manually.

Fix:
User is able to connect to the tenant console via virtctl after upgrading.

1351981 : QAT count is not dynamically updated for active tenants after license upgrade

Component: F5OS-A

Symptoms:
The QAT count of BIG-IP Next tenants does not change for active tenants after license upgrade.
The QAT count does not match the expected value for the particular license.

Conditions:
The issue is seen only for BIG-IP Next tenants that are deployed with the old license.

Impact:
Incorrect QAT count for active (old) BIG-IP Next tenants.
No impact on new tenants after license upgrade.
No impact on BIG-IP tenants.

Workaround:
Deployed BIG-IP Next tenants need to be moved to configured and back to deployed for the right QAT value to be updated.

Fix:
N/A

1351893-2 : ConfD Logging 'Failed to change working directory' Error Message

Links to More Info: BT1351893

Component: F5OS-A

Symptoms:
When running the tcpdump client from the ConfD command line interface, ConfD logs 'failed to change working directory /var/roothome' error message in the devel.log file.

Conditions:
Running tcpdump client from the ConfD CLI.

Impact:
No known impact.

Workaround:
No work around.

Fix:
When ConfD executes external commands, the working directory is set to the user home directory by default. ConfD logs error if unable to find the user's home directory.

1351541-4 : Unable to remove the ISO images that share the same minor version with the running version

Component: F5OS-A

Symptoms:
Removal of ISO (controller/partition/appliance) fails when a same minor version is shared.

Example: Import 1.5.1 and upgraded the system to 1.6.1. Later import 1.6.2(1.6.*) and upgraded the system to 1.6.2. When the system is on 1.6.2 unable to delete 1.6.1.

Conditions:
The major and minor version of the current ISO must be same as the ISO version that is being removed/deleted.

Impact:
Unable to remove the unused ISO.

Workaround:
For controller/appliance, you must remove the ISO on a software version that includes different minor release. For example, you can remove 1.6.1-5555 while running ISO version 1.5.X or 1.7.X.
 
For partition, disable and unset the ISO versions of any partitions that use the same minor version of the ISO that needs to be removed. For example, you can remove 1.6.1-5555 by disabling all the partitions running on 1.6.X and de-configure the SW versions.

1351529 : Fixing the log issue stating "UNSUPPORTED STP state" when STP global is configured

Links to More Info: BT1351529

Component: F5OS-A

Symptoms:
A log message appears, stating "UNSUPPORTED STP state" when STP global is configured to RSTP.

Conditions:
Removing the global config (initially set to STP) and setting it to RSTP.

Impact:
Reliable and correct log messages.

Workaround:
NA

1349977 : Setup wizards fails and immediately exits if it is given incorrect credentials.

Links to More Info: BT1349977

Component: F5OS-A

Symptoms:
If incorrect credentials are entered while using the setup wizard tool, it fails and exits immediately without allowing the user to correct the given credentials.
The setup wizard utility should make it clear that only non-root admin accounts can be used.

Conditions:
Incorrect credentials are passed to the setup wizard tool.

Impact:
User is not given the chance to correct incorrect credentials.

1349953 : Setup wizard script gives an "All IP addresses must be unique" error when NTP and DNS servers match

Links to More Info: BT1349953

Component: F5OS-A

Symptoms:
When the given IP addresses of NTP and DNS servers match, the setup wizard script gives the error, "All IP addresses must be unique" even though it is a valid configuration.

Conditions:
The IP addresses of NTP and DNS servers given to the Setup wizard tool are the same.

Impact:
Through the setup wizard tool, the user is not able to provide the same IP address for NTP and DNS servers, which is a valid configuration.

Workaround:
The same IP address for NTP and DNS servers can be configured using the webUI or CLI instead of the setup wizard tool.

1349001 : F5OS VELOS is polled as Unix device by SNMP using BMC Discovery

Links to More Info: BT1349001

Component: F5OS-A

Symptoms:
Hostname polling via SNMP interface is not available.

Conditions:
Using SNMP

Impact:
You are unable to see the hostname using SNMP interface.

Workaround:
None

Fix:
User can get hostname via SNMP interface using below oid:

SNMPv2-MIB::sysName.0

1348989 : GUI virtual server CLI has different limitations for days-valid

Links to More Info: BT1348989

Component: F5OS-A

Symptoms:
The range of acceptable values for days-valid for a certificate had inconsistent range limits between the GUI and CLI.

Conditions:
Creating a self-signed certificate.

Impact:
Possible to enter a value that cannot be reflected in both the GUI and CLI.

Workaround:
Limit the number of days-valid to the smaller of the two limits (65535).

Fix:
Both the CLI and the GUI now have the same range limits.

1348509 : Incorrect file path reported in the telemetry log records

Links to More Info: BT1348509

Component: F5OS-A

Symptoms:
Incorrect file path reported in the telemetry log records.

Conditions:
N/A

Impact:
The log file data being collected for telemetry is:
/var/F5/system/log/platform.log.

However, the file location value in the telemetry log records is shown as /var/F5/partition/log/platform.log.

Workaround:
N/A

Fix:
N/A

1348145 : Observing 'Failed to send restarting msg to VF' during reboot with tenants deployed causing reboot time to increase

Links to More Info: BT1348145

Component: F5OS-A

Symptoms:
While rebooting with tenants deployed, the reboot time increased by 2-3 minutes. A "Failed to send restarting msg to VF" message also appears.

Conditions:
Occurs when rebooting a system where tenants are deployed.

Impact:
No functional impact.

Workaround:
N/A

Fix:
Rebooting time is no longer negatively impacted by tenants being deployed.

1348093 : Appliance-setup-wizard traceback on invalid NTP input

Component: F5OS-A

Symptoms:
Appliance setup wizards throw an uncaught Python traceback if you enter non-numeric input for the NTP port

[root@appliance-1 ~]# appliance-setup-wizard
Traceback (most recent call last):
  File "/usr/bin/appliance-setup-wizard", line 1355, in <module>
    curses.wrapper(main)
  File "/usr/lib64/python2.7/curses/wrapper.py", line 43, in wrapper
    return func(stdscr, *args, **kwds)
  File "/usr/bin/appliance-setup-wizard", line 1329, in main
    if scene.setting.is_valid(input_string) is not True:
  File "/usr/bin/appliance-setup-wizard", line 282, in is_valid_ntp_port
    int(input_string) < MIN_NTP_PORT or
ValueError: invalid literal for int() with base 10: 'abc'

Conditions:
Giving non-numeric value as NTP port configuring via wizard-setup

Impact:
Throws an uncaught Python traceback.

Workaround:
None

Fix:
Fixed in F5OS-A 1.8.0

1341909 : Command 'show component' does not show psu-power-in and psu-power-out in CLI and API

Component: F5OS-A

Symptoms:
The command does not show psu-power-in and psu-power-out in CLI and API.

Conditions:
Running show components component <psu> in confd

Impact:
PSU power details are not retrieved using ‘show component' command.

Workaround:
PSU power details can be retrieved through the following HAL APIs:

docker exec -it platform-hal psf run GET:lop/object/sensor-psu-power-in

docker exec -it platform-hal psf run GET:lop/object/sensor-psu-power-out

Fix:
The ‘show component’ command shows psu-power-in and psu-power-out in CLI and API.

1341869-1 : Failed to delete tenant pods

Component: F5OS-A

Symptoms:
Stale tenant pods will persist in Kubernetes.

kubectl get pods will list the tenant pods, although tenants are deleted.

Conditions:
When user deploys 10 to 15 tenants and deletes all of them at the same time.

Impact:
Deleted tenant resources will still be running in Kubernetes and consuming resources.

Workaround:
Create a tenant with the same name and delete.

Fix:
N/A

1341521 : Incorrect subnet mask returned for GET call for /systems

Links to More Info: BT1341521

Component: F5OS-A

Symptoms:
Subnet mask returned from Get call for /systems returns the wrong netmask for the management IP on VELOS and rSeries.

Conditions:
BIG-IP Next instances on VELOS and rSeries.

Impact:
Does not impact any functionality. GET API call for /systems returns the wrong subnet mask for the management IP.

Workaround:
Log in to the machine/tenant and check the management IP address by using the ip addr show command.

Fix:
N/A

1338601-1 : On multi tenants cases on system reboots tenant goes to INOPERATIVE state

Component: F5OS-A

Symptoms:
- Tenant state shows running ConfD.
- Tenant management IP is not reachable.
- Inside tenant VM, prompt shows INOPERATIVE.

Conditions:
Issues observed on system reboots when a higher number of tenants (>36) is deployed on r12k.

Impact:
Tenant goes to inoperative state.

Workaround:
Move tenant to configured and deployed state with little delay.

Fix:
N/A

1338521 : Unable to login when accessing F5OS GUI through a network proxy on a port other than 443.

Links to More Info: BT1338521

Component: F5OS-A

Symptoms:
Users are not able to log in to the UI when trying to access F5OS GUI through a network proxy running on a port other than 443.

Conditions:
GUI should be accessed via a network proxy running on a port other than 443.

Impact:
Users are not able to log in to the GUI.

Workaround:
None

Fix:
After the fix, GUI now reads the port along with the hostname from the URL and can use the port in making API calls (including login API calls).

1338505 : Qkview is not collecting log data from kubernetes pods

Component: F5OS-A

Symptoms:
Qkview does not collect log data from kubernetes pods found on an F5OS Appliance

Conditions:
-- F5OS-A
-- Qkview

Impact:
Limited ability to diagnose kubernetes pod issues

Workaround:
Collect log files for kubernetes pods manually.

Use the command:
kubectl logs <pod-name>

Fix:
Qkview will now collect kubernetes pod logs.

1332997 : Device stuck at "unmounting containers" after performing reboot

Links to More Info: BT1332997

Component: F5OS-A

Symptoms:
When we open the console session of any tenant on F5OS-A using virtctl console <tenant_name>.

when you reboot the system, during reboot sometimes the system might end up in "unmounting containers"

Conditions:
Open the console session to any of the tenants using virtctl utility and reboot the system.

Impact:
After rebooting, system takes time to fully start up.

Workaround:
Power off and on the system whenever the issue is hit.

Fix:
Fixed the issue related to device stuck at unmounting containers after the reboot.

1332781 : A remote user with the same username as the local F5OS user will be granted the local user's roles

Links to More Info: BT1332781

Component: F5OS-A

Symptoms:
If you create a remote user on the RADIUS, TACACS+, or LDAP servers with the same username as a local F5OS user, the remote user will be granted the local user's roles upon authentication.

Conditions:
A remote user is created with the same username as a local user and remote authentication is enabled.

Impact:
Remote user will take the local user's privileges.

Workaround:
Do not create a remote user with the same username as the local user. If you have created already, change the username for either the local user or the remote user.

Fix:
If a remote user is created with the same username as a local user, the remote user's authentication will be rejected. Only the local user will have access to the F5OS system.

1332293 : Tcpdump performed with an interface filter on VELOS or rSeries will show broadcast traffic from all interfaces

Links to More Info: BT1332293

Component: F5OS-A

Symptoms:
When performing a tcpdump in VELOS or an rSeries appliance, a traffic capture limited to a specific interface will show broadcast traffic hitting other interfaces.

Conditions:
- VELOS platform or r5000 / r10000 / r12000 series appliance
- Running a packet capture on a specific interface (e.g. 1/1.0 or 1.0)

Impact:
This can cause confusion or impede troubleshooting when unexpected broadcast traffic is seen in a capture such as ARP or Miscabling Protocol traffic.

Workaround:
None

Fix:
This issue is now corrected.

1330429 : Port Mappings screen on webUI displays "GB" for bandwidth instead of "Gb"

Links to More Info: BT1330429

Component: F5OS-A

Symptoms:
When a user navigates to the "Port Mappings" screen on the webUI, Capacity Bandwidth and Allocated Bandwidth incorrectly display "GB" as the units. It should be "Gb" [gigabit].

Conditions:
Going to the "Port Mappings" screen on the webUI.

Impact:
This does not affect the functionality. Capacity Bandwidth and Allocated Bandwidth values are correct except for the units.

Workaround:
N/A

Fix:
The "Port Mappings" screen now displays appropriate units for Capacity Bandwidth and Allocated Bandwidth, correcting the representation to "Gb."

1329797 : RADIUS user logs in through the WebUI without configuring the F5-F5OS-UID, will be disconnected after 10 minutes

Links to More Info: BT1329797

Component: F5OS-A

Symptoms:
When a RADIUS user is configured without F5-F5OS-UID and then logged in through the WebUI, they will be disconnected after 10 minutes. This problem has also been observed with other remote authentication methods where the UID and GID are configured.

Conditions:
1) Create a RADIUS user without F5-F5OS-UID configured
2) Logged in as the RADIUS user through WebUI

Impact:
If logged in as the RADIUS user through the WebUI, they will be disconnected after 10 minutes. This problem has also been observed with other remote authentication methods where the UID and GID are configured.

Workaround:
To avoid encountering this problem, the F5-F5OS-UID should be provided. Additionally, the UID for every user (which spans across all remote users as well as local users) should be unique (or have the same GID).

Fix:
UID is not defaulting to 1001 for RADIUS and TACACS+ users anymore. UID is assigned from the range 40,000 - 65,000 for remote users.

1329449-1 : Missing days-valid, store, and key type logging items of a certificate

Component: F5OS-A

Symptoms:
Logging most of the certificate request fields but not logging days-valid, store, and key type fields. This was because some fields were added for the creation of the certificate and the logging was done as part of the certificate request.

Conditions:
Always

Impact:
The user will still see logging of all items used in the creation of a self-signed certificate, except for a few that are not necessary for the certificate request.

Workaround:
Check the history and observe the values that were entered.

Fix:
The key type and days-valid will now be logged. The store-tls is a logic value and not loggged.

1329021-2 : Display order of interfaces/portgroups in ConfD CLI are not in numerical order

Links to More Info: BT1329021

Component: F5OS-A

Symptoms:
Interfaces/portgroups are not listed in numerical order when viewing from the ConfD CLI.

Conditions:
Occurs when running the following commands on the ConfD CLI:

show interfaces interface state oper-status

show running-config portgroups portgroup

Impact:
Affects readability.

Workaround:
N/A

Fix:
Interfaces/portgroups are now listed in numerical order when displayed from the CLI.

1328405 : F5OS system stopped generating tmstat snapshots

Links to More Info: BT1328405

Component: F5OS-A

Symptoms:
The F5OS system is not generating the tmstat snapshots, which helps us in diagnosing issues.

Conditions:
System is running an affected version of F5OS software (F5OS-A 1.2.0 and above, or F5OS-C 1.6.0 and above).

Impact:
Impacts the supportability of the device; the support teams usually rely on the snapshots while working on field issues.

1327689 : Manually remove root and user keys before entering Appliance Mode

Component: F5OS-A

Symptoms:
In order to enter appliance mode, the root and other user public keys must be removed from /root/.ssh/authorized keys.

Conditions:
Configuring appliance mode on an F5OS device.

Impact:
Misconfiguration within Appliance Mode.

Workaround:
If any keys were manually added prior to enabling Appliance Mode, remove them.
https://my.f5.com/manage/s/article/K000140791

As a best practice, deny network access to the control plane to trusted users.

Note: Users may disable Appliance Mode in order to perform the mitigations above.

Fix:
Appliance Mode is configured as expected.

1327137 : Interfaces take longer than expected to come up

Links to More Info: K000138753

Component: F5OS-A

Symptoms:
-- Interfaces take longer than expected to be marked UP (40+ seconds)
-- LACP status remains down until the interfaces are marked UP

Conditions:
-- rSeries appliance
-- F5OS-A
-- 100G interfaces

Impact:
For SFP/QSFP interfaces:
-- 25G/10G interfaces take over 10 seconds to be marked UP
-- 100G interfaces take 30+ seconds to be marked UP.

Workaround:
None

1326125 : RADIUS authentication fails if F5-F5OS-HOMEDIR attribute is not specified

Links to More Info: BT1326125

Component: F5OS-A

Symptoms:
Authenticating F5OS users against an external RADIUS server fails if the server does not specify an F5-F5OS-HOMEDIR attribute.

The F5-F5OS-HOMEDIR attribute is supposed to be optional.

Conditions:
F5OS system authenticating against a RADIUS server

Impact:
F5OS authentication fails even if the server sends back the required F5-F5OS-GID attribute.

Workaround:
Configure the RADIUS server to include an F5-F5OS-HOMEDIR attribute with a value of "/tmp"

1325893 : A vqf-dm system software core file is occasionally observed on system reboot

Component: F5OS-A

Symptoms:
The line-dma-agent or vqf-dm occasionally hits a cosmetic failure state as the entire system is rebooting, leading to absolutely zero effect of the state of the system.

Conditions:
Traffic is being sent to a tenant while rebooting, and the tcp-dump-daemon system software does not get shut down first before the line-dma-agent

Impact:
A core file is observed on the system after the system finishes rebooting.

Workaround:
N/A

Fix:
A decision has to be made about some older code in the line-dma-agent in order to avoid this cosmetic core file.

1324269 : LCD "System - Power On" option may not be available immediately after system is powered off

Component: F5OS-A

Symptoms:
The "System - Power On" option on the LCD may not be available immediately after the system is powered off.

It may take some time before the LCD recognizes the system has been powered off and provides access to the "Power On" option within the "System" menu.

Conditions:
System is powered off yet the "System - Power On" option is not available on the LCD.

Impact:
Power-on via the LCD will not be available until the LCD recognizes that the system is powered down and makes the "Power On" option available.

As an alternative, the system may be powered on via the AOM menu.

Workaround:
Use the AOM menu to power on the system instead of the LCD.

Fix:
Fixed in LCD UI v1.13.10 and later.

1324257 : 4600 does not boot up after a shutdown

Component: F5OS-A

Symptoms:
Powering on the system does not take you back to the "System" menu

Conditions:
Powering on the system via the LCD UI

You may briefly see a "Please wait" message which quickly disappears, after which you see the Power On menu again.

Impact:
The rSeries LCD power control options are unreliable and do not give adequate information about the state of powering on

Workaround:
None

Fix:
"System" page options with confirmation pop-ups now (correctly) navigate back to the "System" page after confirming via the pop-ups.

1322921 : FEC configuration support for 25G interfaces on r2000/r4000

Component: F5OS-A

Symptoms:
All previous releases of F5OS-A did not support manual FEC configuration.

Conditions:
The r2000/r4000 is using the 4x25G port-profile mode.

Impact:
Unable to manually configure forward error correction.

Workaround:
None

Fix:
This release adds support for manual FEC configuration for the 25G interfaces.

1322817 : BIND vulnerability CVE-2023-2828

Links to More Info: K000135312, BT1322817

1322685 : Tcpdump sessions are terminated when interfaces are enabled or disabled.

Links to More Info: BT1322685

Component: F5OS-A

Symptoms:
All tcpdump sessions terminates abruptly when an administrator enables or disables an interface on the system, even if the interface is not participating in the tcpdump session.

Conditions:
When an administrator enables or disables an interface on the system.

Impact:
All the current running tcpdump sessions are terminated and have to be restarted.

Workaround:
Do not make modifications to interfaces when the tcpdump sessions are active.

Fix:
None

1316097-4 : LAGs not programmed when adding VLAN to LAG

Links to More Info: BT1316097

Component: F5OS-A

Symptoms:
Traffic from a LAG is not reaching the tenant.

Conditions:
1) Add a VLAN to a LAG and add that VLAN to a tenant in the same commit.

2) Configuration read following blade reboot.

Impact:
LAGs are not programmed; traffic doesn't reach tenant.

Workaround:
Workaround for condition (1): Add the VLAN to the LAG, commit; then add the VLAN to the tenant.

Fix:
Fix usage of mutexes to prevent deadlock with LAG programming is happening in parallel with VLAN programming.

1307577-2 : Add more resilience to the file download API

Links to More Info: BT1307577

Component: F5OS-A

Symptoms:
If basic authentication is being used in place of the x-auth-token, then the system blocks the requests and eventually stales in the request queue.

Conditions:
Use of basic authentication instead of the x-auth-token causes this situation in file download.

Impact:
No new download requests can be made.

Workaround:
Restart the platform-services.

Fix:
N/A

1307565-2 : The file download API is not working with the x-auth-token header

Links to More Info: BT1307565

Component: F5OS-A

Symptoms:
The x-auth-token in the header of the request is not working for file download.

Conditions:
Try to download a file using the file download API with the x-auth-token header.

Impact:
The file download fails when using the file download API with the x-auth-token header.

Workaround:
Pass x-auth-token as part of the form-data of the API instead of in the header.

Fix:
N/A

1306233 : Low mixed IPv4/IPv6 performance

Component: F5OS-A

Symptoms:
Mixed IPv4/IPv6 performance does not increase after changing the ‘PVA Offload Initial Priority’ (fastl4 profile) to ‘High’.

Conditions:
Mixed IPv4 and IPv6 traffic with ‘PVA Offload Initial Priority’ (fastl4 profile) set to ‘High’.

Impact:
Lower than expected performance of mixed IPv4 and IPv6 traffic.

Workaround:
None

Fix:
Lower the allowable rate of incoming broadcast/DLF packets.

1305005 : Error handling in F5OS file-download API

Links to More Info: BT1305005

Component: F5OS-A

Symptoms:
Upon file download failure, API is returning an Apache error page that isn't an F5OS-specific error and isn't aligned with other F5OS API errors. This is a negative user experience.

Conditions:
Due to unhandled errors, when data not in the FormData format are passed through a Curl request, an Apache error page is thrown, misaligning from other F5OS APIs errors.

Impact:
There is no functional impact. It is a negative user experience.

Workaround:
N/A

Fix:
All errors are handled in the file-download API and aligned with other F5OS APIs errors with no more Apache error pages in error cases.

1304921 : F5OS file download API does not work with basic authentication

Component: F5OS-A

Symptoms:
File upload and download using basic auth is not supported.

Conditions:
When trying to upload or download the file from F5OS using basic auth.

Impact:
Upload/download failed with authentication error.

Workaround:
None

Fix:
File download API work with basic auth and x-auth-token.

1304765-3 : A remote LDAP user with an admin role is unable to make config changes through the F5 webUI

Links to More Info: BT1304765

Component: F5OS-A

Symptoms:
When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.

Conditions:
Local GID is being mapped to a remote GID.

Impact:
The admin user mapped to a remote GID cannot access the ConfD config mode.

Fix:
Update the system to the version with the fix.

1304085-1 : Unable to set local user's password if the same user exists on a remote LDAP server

Links to More Info: BT1304085

Component: F5OS-A

Symptoms:
If a user exists locally (in F5OS) as well as on a remote LDAP server, and LDAP-based authentication is configured as an accepted authentication method, attempting to set the user's local password in F5OS will fail. In the ConfD CLI, an error like the following will be observed:

syscon-1-active(config)# system aaa authentication users user ldap_user config set-password
Value for 'password' (<string>): ****************
Error: Rejected,
Configured password-policy:
min-length:6
required-differences:8
max-letter-repeat:3
policy applies to root:true

It should be emphasized that in the case of such duplicate user definitions locally/remotely, the local user's credentials will need to be used to login even if remote authentication is preferred.

Conditions:
A user exists locally (in F5OS) as well as on a remote LDAP server, and LDAP-based authentication is configured as an accepted authentication method.

Impact:
Unable to set the local user's password.

Workaround:
Temporarily remove LDAP as an authentication method, set the user's password, and then re-configure the preferred authentication method(s).

Fix:
Fixed issue with setting a local user's password when an identically named user exists on a remote LDAP server and LDAP is enabled as an authentication method

1300749 : Syslog target files do not use the hostname configured via system user interface.

Links to More Info: BT1300749

Component: F5OS-A

Symptoms:
Syslog target files, for example: /var/F5/system/log/platform.log, use a hardcoded nodename for every device as a hostname.

Conditions:
No special conditions.

Impact:
In a remote log collector, source IPs are the only way to differentiate among devices.

Workaround:
It is possible to do an irule workaround that replaces custom strings in syslog traffic depending on the client's IP address. This iRule is applied to the virtual server on another LTM that consumes the syslog traffic and load balances.


when CLIENT_DATA {
   switch [IP::client_addr] {
       "10.10.10.10" { UDP::payload replace 38 11 "ABCDC01F5OS01" }
       "10.10.10.20" { UDP::payload replace 38 11 "ABCDC01F5OS02" }
       }
}

Below is the example message after irule workaround.

Jul 31 03:33:50 10.10.10.10 2023-07-31T07:33:50.181136+00:00 appliance-1 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 0 (1:Enabled 2:Disabled ... )".

to this

Jul 31 06:00:01 10.10.10.10 2023-07-31T10:00:01.356324+00:00 ABCDC01F5OS01 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 1 (1:Enabled 2:Disabled ... )".
Jul 31 06:00:04 10.10.10.20 2023-07-31T10:00:04.983677+00:00 ABCDC01F5OS02 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 0 (1:Enabled 2:Disabled ... )".

Fix:
Infrastructure to use the system hostname user configuration in the syslog target logs has been added with a knob and it is enabled by default. It can be turned off if old behavior is preferred.

1297357-1 : WebUI authentication does not follow best practices in some situations

Component: F5OS-A

Symptoms:
Under certain circumstances, the WebUI interface and RestConf requests do not follow best practices when handling authentication-related requests.

Conditions:
Undisclosed.

Impact:
Undisclosed.

Workaround:
Secure access to the F5OS GUI and expose only to trusted users and networks.

Fix:
WebUI and RestConf requests now follow best practices.

1297349 : Tightening controls on uploading files to F5OS

Component: F5OS-A

Symptoms:
The File Upload Manager permits arbitrary file types to be uploaded by an admin user.

Conditions:
-- Uploading files
-- User role is admin

Impact:
Arbitrary file types can be uploaded.

Workaround:
Do not upload untrusted files to the F5OS system. Reduce access to the management plane to trusted users.

Fix:
Only .iso, .os, .img, and .patch files are permitted to be uploaded.

1296997 : Large core files can cause system instability

Links to More Info: BT1296997

Component: F5OS-A

Symptoms:
When a system generates and stores large core files, it can cause the system unstable.

Conditions:
F5OS generates a large core file.

Impact:
F5OS core-writing script does not check filesystem availability before writing a core file and can fill up the filesystem, causing catastrophic system instability until disk-space is reclaimed.

For more information of other impacts see
1185577 - F5OS-A memory leak in ImageAgent process on rSeries hosts may affect tenant performance or lead to unexpected restarts of tenant or host
https://cdn.f5.com/product/bugtracker/ID1185577.html

1284705 - Appliance Orchestration Manager core file may consume entire root filesystem
https://cdn.f5.com/product/bugtracker/ID1284705.html

1290949 - Invalid memory read in appliance orchestration manager
https://cdn.f5.com/product/bugtracker/ID1290949.html

1327701 - Space in SNMP community/user/target name causing snmpd container restart
https://cdn.f5.com/product/bugtracker/ID1327701.html

Workaround:
None

Fix:
F5OS now takes into account the available filesystem space before writing a core file. If the core file is too large then it will be truncated and deleted to maintain system stability. The system log message will indicate if the core file was too large to safely write.

1294561 : When OCSP is disabled, configurations are not accurately shown outside of 'config' mode

Links to More Info: BT1294561

Component: F5OS-A

Symptoms:
When the OCSP feature is disabled, making any changes to OCSP configurations (i.e. nonce request, override-responder) are not being updated outside of 'config' mode on the ConfD CLI. When the OCSP feature is enabled, there is no issue.

Conditions:
Occurs when OCSP is set to 'disabled' and changes are made to the OCSP configurations. Running 'show system aaa authentication ocsp' will display incorrect information.

Impact:
No functional impact. User will not be able to see an accurate display of the OCSP configurations while the feature is disabled.

Workaround:
N/A

Fix:
Starting in F5OS 1.8.0, OCSP configurations are accurately displayed even if the feature is disabled.

1293249 : AAA server group Port and Type are not displayed on ConfD

Links to More Info: BT1293249

Component: F5OS-A

Symptoms:
When a server group is created on an F5OS appliance, "show system aaa server-groups" does not display the Port and Type of the server group.

Conditions:
When a AAA server group is created (LDAP/RADIUS/TACACS).

Impact:
This is a cosmetic issue.

Port and Type information is not displayed on ConfD:

appliance-1# show system aaa server-groups
NAME TYPE ADDRESS PORT
-------------------------------------------
ldap-group - 10.50.5.25 -

Workaround:
The Port and Type information can be viewed via Web UI.

1292405-6 : CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64

Links to More Info: K000137702, BT1292405

1291513 : Some log messages/timestamps do not observe configured timezone

Links to More Info: BT1291513

Component: F5OS-A

Symptoms:
Some logfiles and timestamps report the time as UTC even when the system is configured with a non-UTC timezone.

Conditions:
The orchestration-manager is not aware of the configured timezone, so Openshift/Kubernetes/Ansible log files produced by this component are reported as UTC. Also, the 'user login/last login' times reported by the CLI are always in UTC.

Impact:
Difficult to correlate timestamps across log files.

Workaround:
None

Fix:
Orchestration Manager recognizes the current timezone setting, and produces all timestamps as localtime using RFC3339 format (localtime + offset). All debug logfiles produced by this component are now timezone aware.

The sshd/login programs report login/last login times as localtime, not UTC. The CLI no longer (incorrectly) reports login time.

1289861 : Ability to suppress the proceed warning generated when portgroup mode is changed

Component: F5OS-A

Symptoms:
When the user commits portgroup mode changes, the system generates a proceed warning to inform the user of the potential consequences.

Conditions:
When committing portgroup mode changes.

Impact:
While the proceed warning is present, the user needs to input “yes” or “no” before the transaction is committed.

Workaround:
None

Fix:
Now you have the option to suppress the proceed-warning for the entire system. The setting is called portgroup-confirmation-warning and can be disabled in confd with the following command:

system settings config portgroup-confirmation-warning off

1288897-2 : Allowed IP rule name, which contains all underscores, will be deleted while upgrading to F5OS-A 1.7.0 and later versions

Links to More Info: BT1288897

Component: F5OS-A

Symptoms:
Customer are able to create an allowed-ip rule with a name containing all underscores, hyphens or dots, which is not readable.

Conditions:
Creating an allowed-ip rule with a name which contain only allowed special characters.

Impact:
Created allowed-ip rule, with a name containing only underscores, hyphens or dots, will be deleted during upgrade.

Workaround:
Customer must rename the allowed-ip rule name that contain all special characters with a name containing at least one alpha-numeric character before upgrading to F5OS-A 1.7.0 or later Versions.

1287245-2 : DAGD component crashes during live upgrade or downgrade

Links to More Info: BT1287245

Component: F5OS-A

Symptoms:
The DAGD component crashes occasionally during live upgrade or downgrade. However, these incidents won't affect the overall system, and the DAGD component will restart automatically without requiring any user action.

Conditions:
The DAGD component crashes occur rarely during live upgrade or downgrade.

Impact:
There is no impact on the overall health of the system.

Workaround:
N/A

Fix:
N/A

1286153 : Error logs while generating the qkview

Component: F5OS-A

Symptoms:
System logs following errors under platform.log while capturing qkview
---
2023-04-09T13:21:23.774606+00:00 appliance-1 tcam-manager[78]: priority="Err" version=1.0 msgid=0x6b01000000000007 msg="ERROR" MSG="handle_dbg_cmd_snapshot: bad tcam id 2".
2023-04-09T13:21:32.905003+00:00 appliance-1 tcam-manager[78]: priority="Err" version=1.0 msgid=0x6b01000000000007 msg="ERROR" MSG="handle_dbg_cmd_snapget: bad row id 512".
---

Conditions:
Generating a qkview

Impact:
The errors are false alarms, they don't have any functional impact.

1284389 : Show system health reports unhealthy during bootup

Component: F5OS-A

Symptoms:
In FIPS supported hardware, during the device boot-up, show system health report shows unhealthy due to fips-state reports -1 during boot-up.

Conditions:
-- during boot-up
-- FIPS partition not initialized

Impact:
No functionality impact, it's a cosmetic issue and reports unhealthy in confd and logging.

Workaround:
None

Fix:
While the device is booting, the fips state starts with -1 and it shows unhealthy till the device completely boots up, but actually, the -1 state is not initialized, so updated the code that, don't report the -1 state as unhealthy.

1282493-3 : Crypto devices are not released after tenants are deleted

Component: F5OS-A

Symptoms:
Deleting the tenants does not release the crypto devices that were allocated to those tenants while creating them.

Conditions:
When a software upgrade was initiated incorrectly such as:
1. Upgrading only OS version
2. Upgrading only Service version

Impact:
Crypto devices behavior will be unexpected.

Workaround:
Always upgrade the software with ISO that contains the correct OS and services combination.

Fix:
None.

1282185-2 : Unable to restore backup file containing expired TLS certificate

Links to More Info: BT1282185

Component: F5OS-A

Symptoms:
If a user attempts to restore a configuration backup whose contents include a TLS certificate that has expired, the configuration restore will fail.

Conditions:
User attempts to restore a configuration backup file which contains an expired TLS certificate.

Impact:
User is unable to restore their backed up configuration.

Workaround:
While there is no workaround for the issue, once the backup has been collected, this can be avoided by de-configuring any TLS certificates before collecting a configuration backup, and re-setting them manually after the configuration backup has been restored.

Fix:
Fixed issue where configuration backup files containing expired TLS certificates could not be successfully used for configuration restore.

1277429-1 : Operational and Configurational prompts do not persist through user sessions

Component: F5OS-A

Symptoms:
prompt1 (Operational) and prompt2 (Configurational) do not persist over user sessions and logins once configured.

Conditions:
Configure both prompts, exit from session and re-login. It can be observed that the configured prompts are reset to default.

Impact:
Hard to identify the terminal session without configured prompts when working with multiple terminal sessions with new logins.

Workaround:
None

Fix:
Operational (oper-prompt) and Configurational (config-prompt) prompts can be configured which persist over sessions and logins.

1270309 : Audit.log may log incorrect username initially for users logging into the CLI, remotely-authenticated users may see hostname in prompt reported as "appliance-1", and remotely-authenticated LDAP users may experience lengthy delays when authenticating

Links to More Info: BT1270309

Component: F5OS-A

Symptoms:
The audit log may initially show the incorrect username when users log in to the CLI:

For example:

msg="audit" user="[one username]/[number]" cmd="created new session via cli from 192.0.2.1:56166 with ssh".
msg="audit" user="[one username]/[number]" cmd="CLI 'show system state hostname'".
msg="audit" user="[one username]/[number]" cmd="CLI done".
msg="audit" user="[one username]/[number]" cmd="terminated session (reason: normal)".
msg="audit" user="[actual username]/[another number]" cmd="created new session via cli from 192.0.2.1:56166 with ssh".
msg="audit" user="[actual username]/[another number]" cmd="CLI 'exit'".
msg="audit" user="[actual username]/[another number]" cmd="terminated session (reason: normal)".


Or:

confd[121]: audit user: [tenant name]/[number] assigned to groups: admin
confd[121]: audit user: [tenant name]/[number] CLI done
confd[121]: audit user: [tenant name]/[number] terminated session (reason: normal)
confd[121]: audit user: test_user/[number] assigned to groups: admin


If role GID mapping is configured, remotely-authenticated users may see the hostname reported in the prompt as "appliance-1", rather than the correct hostname. For instance:

User f5osadmin last logged in 2023-10-01T01:02:03.123456+00:00, to appliance-1 from 192.0.2.1 using cli-ssh
f5osadmin connected from 192.0.2.1 using ssh on appliance-1.chassis.local
appliance-1#


Remotely-authenticated LDAP users may experience lengthy delays when authenticating via SSH, particularly if one or more of the following are true:
- the LDAP server has a large number of groups
- the LDAP server has many users in groups
- there is noticeable latency between the F5OS system and the LDAP server

Conditions:
When trying to use remote authentication, multiple user accounts have the same UID (user identifier). The user IDs may overlap between multiple remote users, or between remote users and local users.

Impact:
The audit.log will show an incorrect username for the first few entries.

The CLI prompt may display the generic hostname "appliance-1".

Workaround:
To avoid the audit.log reporting an incorrect username, ensure all user accounts have unique user IDs.

If that is not practical, or to work around the other symptoms of this issue, the following procedure will work around the issue; this procedure will be reverted by any software version changes.

1. Log into the rSeries appliance as root

2. Put the script below into /etc/cron.hourly, as a file named "ID1270309-workaround", and then mark it executable ("chmod 755 /etc/cron.hourly/ID1270309-workaround").

===
#!/bin/bash

set -Eeuo pipefail

# f5_confd_cli from different versions of F5OS-A
# 1.5.0 / 1.5.1
# 1.5.1 with the fix for ID1301837
MATCHING_CHECKSUM=( "5496b29958666ab7eeb44e1dbc78afb4c99a08d5" "a5d4a6928fb77fd089ed8289f1162220d30e2c8c" )
# The same file, with the patch below applied to it.
MODIFIED_CHECKSUM=( "37ab85644d33f1fdd1724e284aa694c897a4e898" "8d552eb9f79853dacf762d9ee21c06cc950383f3" )

FILE=/var/lib/controller/f5_confd_cli

CHECKSUM=$(sha1sum "$FILE" | awk '{print $1}')

if [[ "${MATCHING_CHECKSUM[@]}" = *"$CHECKSUM"* ]]; then
    :
elif [[ "${MODIFIED_CHECKSUM[@]}" = *"$CHECKSUM"* ]]; then
    # Already modified. Nothing to do
    exit 0
else
    echo >&2 "f5_confd_cli is in unknown state, not modifying."
    exit 0
fi

patch -p1 "$FILE" << 'EOF'
--- /var/lib/controller/f5_confd_cli.ID1270309.orig 2023-09-05 15:35:44.651749231 -0700
+++ /var/lib/controller/f5_confd_cli 2023-09-05 15:37:08.894286756 -0700
@@ -180,16 +180,11 @@
     echo "System Time: $date"
 fi
 
-# Read the hostname from /system/state/ if it exists,
-# otherwise default to the hostname
-hostname_cli_out=$(echo "show system state hostname" | /var/lib/controller/confd_cli -N)
-
-hname=${HOSTNAME}
-if [[ ! -z "${hostname_cli_out}" ]]; then
- if [[ "$hostname_cli_out" == *"system state hostname"* ]]; then
- hname=$(echo ${hostname_cli_out} | awk '{print $(NF)}')
- fi
+if [ -r /etc/f5_sys_hostname/env ]; then
+ . /etc/f5_sys_hostname/env
 fi
+hname=${SYS_CONFIG_HOSTNAME:-$HOSTNAME}
+
 if [[ -z "${supplementary_gids}" ]]
 then
     exec /var/lib/controller/confd_cli -C -H ${hname} -u ${USER} --gid "${primary_gid}"
EOF
===

This script will check and potentially update the login script once an hour to apply the workaround. After a system reboot or the system_manager docker container restarts, there is a potential period of up to an hour before the workaround is reapplied.

This workaround will also only function for specific versions of F5OS software; currently, only for F5OS-A 1.5.0 and F5OS-A 1.5.1.

1268433 : Some firewall rules do not generate denial logs

Links to More Info: BT1268433

Component: F5OS-A

Symptoms:
system_latest_vers network namespaces are disabled by default to prevent host kernel log flooding from inside a container.

Conditions:
By default, all network namespace logs are disabled except for init namespace.

Impact:
When traffic is denied from an IP, we do not get a message saying traffic from a particular IP is denied.

Workaround:
Command to enable system_latest_vers network namespace denial logs:
sysctl -w net.netfilter.nf_log_all_netns=1 (not-persistent)

Persistent solution:
1) Create a file: /etc/sysctl.conf

2) Run the command:
echo "net.netfilter.nf_log_all_netns = 1" >> /etc/sysctl.conf

1251989 : Changing the system Date/time back and forth using NTP server brings the system to abnormal state

Links to More Info: BT1251989

Component: F5OS-A

Symptoms:
Upon changing the system date following things can be observed in the appliance
1. K3S cluster pods go into an errored state.
2. Cannot bring up the tenant on the Cluster

Conditions:
Either by using an NTP server or by using CLI date/time can be changed.

Changing the date forward and moving back to the original date.

Impact:
The K3S cluster does not come UP properly and eventually it brings down the tenant

Workaround:
Workaround:

1. Identify the pods which are having certificate issues.
2. In the case of the K3S cluster and kubevirt pods, It can be recovered by deleting the pods.

Fix:
Check for pods in an errored state and delete using the following commands.

kubectl delete pod <name> -n <namespace> --force

1251957 : SNMP OIDs to monitor serial number of the device, type of hardware and hostname

Component: F5OS-A

Symptoms:
Device serial number, type, and hostname are not available for the SNMP interface.

Conditions:
Install the F5OS-A/F5OS-C version and run SnmpWalk.
You cannot find the device’s serial number, type, and hostname.

Impact:
You are not able to poll for device serial number, type, and hostname through the SNMP interface.

Workaround:
None

Fix:
Added support for device serial number, type, and hostname for SNMP interfaces.

1251161-2 : Authentication fails via the webUI when “:” is at the end or beginning of the password

Links to More Info: BT1251161

Component: F5OS-A

Symptoms:
After modifying the user's password to include ":" either at the beginning or the end of the password, the user is not able to log in via the webUI.

The user is able to log in via the CLI (SSH).

Conditions:
The password includes ":" at the beginning or end of the password string.

Impact:
User not able to log in via the webUI.

Workaround:
Do not use ":" at the beginning or end of the password string.

Since it is possible to log in via the CLI, modify the password accordingly.

1250925 : Alarm for AOM fault due to "LOP Runtime fault detected: lop:nc-si-rmii:failure"

Links to More Info: BT1250925

Component: F5OS-A

Symptoms:
The AOM may report a runtime fault after a failure to configure the NC-SI RMII interface. This results in a system alarm for "Fault detected in the AOM" and an event indicating that "LOP Runtime fault detected: lop:nc-si-rmii:failure".

Conditions:
The conditions causing the LOP runtime fault for NC-SI RMII interface configuration are not known.

Impact:
The AOM uses the NC-SI RMII interface to allow external SSH access directly to the AOM through the management interface. When the interface configuration fails, then the AOM is not accessible via SSH.

Workaround:
A reset of the AOM can correct this issue. Login to the system as root. Issue the following command to reset the AOM.

docker exec -ti platform-hal psf POST:lop/object/reset-device device=Aom
 
Wait approximately 10 minutes and check the AOM runtime status to verify the the "LOP Runtime fault detected: lop:nc-si-rmii:failure" condition has cleared.

docker exec -ti platform-hal psf GET:lop/object/health

For example, a healthy LOP with no runtime status faults will return "runtimeStatus" equal to zero as shown below.

[root@appliance-1 ~]# docker exec -ti platform-hal psf GET:lop/object/health
  field | value
-----------------------------+--------
  postBitDescriptionItems | []
  postStatus | 0
  runtimeBitDescriptionItems | []
  runtimeStatus | 0

Fix:
Fixed with AOM version 2.00.350.0.1 and later.

1238245 : Prevent system upgrade during firmware update★

Component: F5OS-A

Symptoms:
Triggering a system upgrade when BIOS update is in progress will result in a system reboot, interrupting all processes. The system will get into an inaccessible state.

Conditions:
Trigger system software upgrade when firmware update is running in the background.

Impact:
System gets into inaccessible state and ConfD session become unreachable.

Workaround:
None

Fix:
A compatibility check failure message is displayed stating that the firmware update is in progress.

1233865-5 : Memory capacity and utilization details are confusing / misleading

Component: F5OS-A

Symptoms:
The memory statistics do not provide a clear or accurate representation of the total memory and how it is being utilized.

Conditions:
Using ConfD to retrieve information about memory capacity and utilization.

Impact:
There are no clear, easy-to-understand statistics for memory capacity and utilization.

Workaround:
N/A

Fix:
More detailed, granular memory statistics are provided to give user a clear understanding of total memory and how it is being used.

1211233-4 : F5OS dashboard in webUI displays the system root file system usage, not the entire disk

Links to More Info: BT1211233

Component: F5OS-A

Symptoms:
The Dashboard page displays disk usage information that can be misleading.

For example, on an r5900 the following information may be shown:

Storage Capacity: 109.4GB
System Storage Free: 89.1GB
System Storage Used: 15%

However, the storage capacity is a value taken from the root (/) filesystem. It does not represent the entire 800GB disk, and does not show information about the file systems where tenant images reside.

Conditions:
View Dashboard page in webUI.

Impact:
This is a cosmetic issue.

Workaround:
Linux commands such as "df -hl -t ext4" will provide detailed information about disk usage.

Another breakdown of the disk partition use can also be seen using "lsblk /dev/nvme0n1". Note that nvme0n1 is the physical disk of interest.

Example from rSeries appliance:

# lsblk /dev/nvme0n1
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
nvme0n1 259:0 0 683.5G 0 disk
|-nvme0n1p1 259:1 0 1G 0 part /boot/efi
|-nvme0n1p2 259:2 0 1G 0 part /boot
|-nvme0n1p3 259:3 0 455.3G 0 part
| `-partition_tenant-root 253:2 0 455.3G 0 lvm /var/F5/system/cbip-disks
|-nvme0n1p4 259:4 0 113.9G 0 part
| `-vdo_vol 253:3 0 227.7G 0 vdo
| `-partition_image-export_chassis 253:4 0 227.7G 0 lvm /var/export/chassis

Fix:
N/A

1208573-2 : Disabling Basic Authentication does not block the RESTCONF GET requests

Links to More Info: BT1208573

Component: F5OS-A

Symptoms:
When basic authentication is disabled by user, RESTCONF GET requests are not getting blocked.

Conditions:
User disables basic authentication. RESTCONF GET requests never get blocked.

Impact:
No effect on configuration. Some of the APIs data will be displayed in RESTCONF GET requests, even when basic authentication is disabled.

Workaround:
N/A

Fix:
The GET operation for the APIs has been blocked when basic authentication is disabled.

1207889 : FEC configuration on r5k/r10k 25G interfaces

Component: F5OS-A

Symptoms:
FEC configuration has been added

Conditions:
Interfaces which require FEC configuration to a non default setting.

Impact:
FEC and be enabled or disabled.

Workaround:
None

Fix:
FEC configuration is supported.

1205409 : Cannot export or download files from diags/shared/tcpdump path

Links to More Info: BT1205409

Component: F5OS-A

Symptoms:
The diags/shared/tcpdump path gives access to the tcpdump files captured for system diagnostics. However, these files could not be downloaded from the webUI to the local system.

Conditions:
- User generates a tcpdump file for system diagnostics
- User navigates to the diags/shared/tcpdump path in the webUI and tries to download file, resulting in an error

Impact:
Unable to download tcpdump files from diags/shared/tcpdump path in the webUI. Hence, a user cannot access these files from the webUI.

Workaround:
Create /var/docker/config/platform.override.yml with these contents:

version: '2.1'
services:
  http-server:
    volumes:
      - /var/F5/system/shared/tcpdump:/var/shared/tcpdump

Then, restart platform-services.

Fix:
User is now able to download and export files from diags/shared/tcpdump path to any required destination without any errors.

1204985 : The root-causes of F5OS upgrade compatibility check failures are hidden in /var/log/sw-util.log.

Links to More Info: BT1204985

Component: F5OS-A

Symptoms:
When performing a live upgrade, if the upgrade compatibility check fails, users can only see "System database upgrade compatibility check failed" error message. The applicable information about what failed is neither displayed nor shown in platform.log/velos.log.

Conditions:
1. Perforrm a live-upgrade.
2. If the upgrade compatibility check fails, users can only see "System database upgrade compatibility check failed" error message. The applicable information about what failed is neither displayed nor shown in platform.log/velos.log.

Impact:
Upgrade failure logs are not logged in platform.log/velos.log.

Workaround:
None

Fix:
This issue is fixed and displays the error scenarios in platform.log/velos.log.

1196417 : First time user SSH session is getting closed after password change

Links to More Info: BT1196417

Component: F5OS-A

Symptoms:
User SSH session is getting closed after password change, at the time of first SSH login.

Conditions:
When changing password at the time of first SSH login.

Following is an example:
ssh jeevan1@10.238.160.60
The authenticity of host '10.238.160.60 (10.238.160.60)' can't be established.
ECDSA key fingerprint is SHA256:RlyjC/Tx6uI7rX9zZy6q0ADKkx6GNReSyb1iohYnKio.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.238.160.60' (ECDSA) to the list of known hosts.
jeevan1@10.238.160.60's password:
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user jeevan1.
Changing password for jeevan1.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to 10.238.160.60 closed. <=== SSH session shouldn't be closed.

Impact:
No impact on any of the features due to this issue. The user just needs to log in again with the changed password as the current SSH session will be closed after password change.

Workaround:
N/A

Fix:
N/A

1188825 : New role named "user" with read-only access to non-sensitive system level data

Component: F5OS-A

Symptoms:
To meet security requirements, you need to create a user account on F5OS that cannot access sensitive data, such as platform logs, system events, login activities, and more.

Conditions:
Create user account with roles available on the F5OS using the following CLI command:
system aaa authentication users user <user_name> config role <role_name>

Impact:
F5OS is unable to meet defined security requirements.

Workaround:
None

Fix:
A new user role named “user” is provided on F5OS to have a role with no access to the sensitive data such as platform logs, system events, and login activities and meet security requirements.

1188069 : F5OS installer does not indicate progress or completion state

Links to More Info: BT1188069

Component: F5OS-A

Symptoms:
The F5OS installer does not indicate the process or completion state of upgrade/installation.

Conditions:
Upgrade/reboot the system.

Impact:
You are unable to identify the readiness state of system.

Workaround:
None

Fix:
The upgrade, installation or initialization detail is now included in the system's bash prompt.

1185805-1 : The "test media" option during USB install may be interrupted by the hardware watchdog

Links to More Info: BT1185805

Component: F5OS-A

Symptoms:
During USB booting there is an option for "Test this media & install F5OS". If this is selected then the system verifies the media for only 5 minutes before the hardware watchdog reboots the device and the verification is interrupted.

Conditions:
USB booting, "test media" option selected.

Impact:
The "test media" option does not work.

1167477-5 : CVE-2021-20233: grub2 - Heap out-of-bounds write due to miscalculation of space required for quoting

Component: F5OS-A

Symptoms:
A flaw was found in grub2 in versions prior to 2.06. The option parser allows a user to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Grub2 has been updated to a non-vulnerable version.

1162341 : Front panel interface status is not reported in alarms or events

Links to More Info: BT1162341

Component: F5OS-A

Symptoms:
Front panel interface flap events are not displayed in alarms or events CLI/GUI.

Conditions:
Front panel interface is down or oper-status changes.

Impact:
Interface status is not shown in alarms or events.

Workaround:
View interface with "show interfaces interface state oper-status".

1154733 : LLDP error on management interface

Links to More Info: BT1154733

Component: F5OS-A

Symptoms:
LLDP on mgmt interface is not supported. When enabled, show lldp command in ConfD CLI will not show any info related to mgmt interface.
Also, when enabled, below log will be displayed:

lldpd[8]: priority="Err" version=1.0 msgid=0x7302000000000021 msg="Failed to get did from interface name." ifname="mgmt"

Conditions:
When LLDP is enabled using ConfD CLI.

Impact:
The system logs an error message every 30 seconds:

lldpd[8]: priority="Err" version=1.0 msgid=0x7302000000000021 msg="Failed to get did from interface name." ifname="mgmt"

Workaround:
None

Fix:
NA

1147673 : Downloading QKViews directly from the System Reports screen.

Component: F5OS-A

Symptoms:
The F5OS-A webUI lacks the ability to download QKView files directly from the System Reports screen. You must navigate to the File Utilities screen to perform the action.

Conditions:
Download QKView files.

Impact:
No functional impact, you need to navigate to a different webUI screen to download QKView files.

Workaround:
Navigate to the File Utilities screen to download QKView files.

Fix:
From F5OS-A v1.8.0, QKView files can be downloaded from System Reports screen.

1145049 : K3s cluster deployment sequence is modified to avoid pods entering into UNKNOWN state

Links to More Info: BT1145049

Component: F5OS-A

Symptoms:
CNI pods enter into UNKNOWN state.

Conditions:
Multus is installed before Flannel installation is successful.

Impact:
K3s cluster deployment fails.

Workaround:
Restart K3s cluster deployment.

Fix:
K3s cluster deployment sequence is modified to avoid pods entering into UNKNOWN state.

1140577 : config-restore will cause a reboot if the portgroup configuration changes

Component: F5OS-A

Symptoms:
If config-restore causes the portgroup configuration to change, the system will reboot automatically, but no warning prompt is given.

Conditions:
Restoring a saved configuration with a different portgroup configuration than the current configuration.

Impact:
System reboots unexpectedly.

Workaround:
N/A

Fix:
N/A

1136557 : F5OS config restore fails if .iso or components vary between two devices.

Component: F5OS-A

Symptoms:
If the .iso or components in the backup file do not match the ones in the restore file, the restore operation fails with admin access denied error:

Error: Database config-restore failed.

Conditions:
Take a config backup from one device and restore it on another device on where .iso or components vary.

Impact:
Configuration restore fails.

Workaround:
Ensure that .iso and components match when performing backup and restore between devices.

1135021 : F5OS config-restore with an incorrect primary-key does not produce a warning

Component: F5OS-A

Symptoms:
'system database config-restore' does not verify that the backup file is encrypted with the same database primary-key that is currently active on the device.

Conditions:
Restoring a config-backup on a device with a different primary-key than when the backup was produced.

Impact:
System will not operate properly because it will not be able to decode encrypted secrets that control certificates, private keys, and other items. Tenants will not operate properly.

Workaround:
Ensure that a new config-backup is created after executing the "system aaa authentication primary-key set" command.

Fix:
Config-restore fails is the database primary key does not match the config backup file, and reports the primary-key hash. Reset the primary-key to match the backup file in order to restore the backup file.

1128633-3 : Failed upload entries displayed under CLI file transfer-operations

Links to More Info: BT1128633

Component: F5OS-A

Symptoms:
Old, failed uploads continue to display in the file transfer-operations list for an unknown period of time both in CLI and GUI.

Conditions:
If the image upload operation fails for some unknown reason, then the failed entries are listed under both the transfer-status list and the transfer-operations list. The list under transfer-status is cleared every 24 hours, but the list under transfer-operations remains.

Impact:
- As old, failed uploads continue to display in the list for an unknown period of time, the list under transfer-operations is more cluttered.
- There is no functional impact.

Workaround:
None

Fix:
All operation entries are cleared if their transfer time exceeds 24 hrs making the file transfer-operations list clutter free.

1126865-2 : F5OS HAL lock up if the LCD module is not responding.

Links to More Info: BT1126865

Component: F5OS-A

Symptoms:
There are rare cases where the LCD module is present, enabled, and its network link is up; however, it does not respond to requests made by the HAL. Ultimately this causes a the HAL services to become unresponsive.

Conditions:
There are rare cases where the LCD does not respond to requests from the HAL services. When this happens, the HAL service can get locked up.

Impact:
When this rare event occurs, the HAL becomes unresponsive for other devices in the system, like the AOM for example.

Workaround:
If this occurs, a restart of the HAL services or a reset of the system is required to clear the condition.

1124953-2 : Intel microcode updates: CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166

Links to More Info: K04808933

1124853-1 : Backup and restore fails when port-profile is mismatched

Links to More Info: BT1124853

Component: F5OS-A

Symptoms:
Because there will be some configuration changes between two different port-profiles, database backup and restore between two appliances with different port-profiles will fail.

Conditions:
Make sure both source and target appliances have the same port-profile configurations before performing a database
restore.

Impact:
A database restore will fail when port-profile configuration is mismatched.

Workaround:
The target appliance where the restore is being performed should have the same port-profile as the backup database.

Fix:
Fix is that the target appliance where we are performing restore should have same port-profile as backup database.

1124809 : Add or improve the reporting status of imported images

Component: F5OS-A

Symptoms:
There are no correct error messages or status is shown in the log files and in the CLI, when the non-compatible images, corrupted images, or zero-sized images are copied to the imported directories.

It is difficult to determine the exact problem, as they had to examine the import directory and mount status of the ISO file being copied.

Conditions:
Coping zero-length, file name having special characters, corrupted or incompatible ISO files to the import directory /var/import/staging.

Impact:
No status is displayed in the CLI and in the log files.

Workaround:
None

Fix:
The log files will display the exact error messages. System events will show the cause of the error and SNMP traps are generated in the event of the error.

1121921 : Common name for setup-wizard tool across platforms

Links to More Info: BT1121921

Component: F5OS-A

Symptoms:
The setup-wizard tool command is named differently in F5OS-A and F5OS-C, which can be confusing for administrators of both systems.

Conditions:
'appliance-setup-wizard' is used to run tool in F5OS-A bash prompt whereas 'velos-setup-wizard' is used in F5OS-C.

Impact:
Increases complexity and creates confusion in running the tool on device.

Workaround:
None

Fix:
'setup-wizard' is made as a common command name to run the tool on both F5OS-A and F5OS-C

1099069-3 : Issues with pulling files from F5OS device using SCP

Links to More Info: BT1099069

Component: F5OS-A

Symptoms:
Unable to pull packet capture files off of the F5OS device using SCP from admin.

Conditions:
Download packet capture files using SCP from the admin account.

Impact:
Unable to download packet capture files through SCP from admin.

Workaround:
N/A

Fix:
Added support to download files from more directories.

1057401 : CVE-2018-16402 libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service or possibly have unspecified other impact

Component: F5OS-A

Symptoms:
libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.

Conditions:
N/A

Impact:
Although vulnerable code is present, this vulnerability does not impact R2R4 or R5R10 in any default, standard, or recommended configuration.

Workaround:
N/A

Fix:
elfutils has been updated to a non-vulnerable version.

1008701-1 : Using curl to access 'scp:' URIs on the partition management IP does not work

Links to More Info: BT1008701

Component: F5OS-A

Symptoms:
Attempting to upload a tenant image via

"curl filename scp:IMAGES"

would fail, even though

"scp filename admin@mgmt-ip:IMAGES"

works.

Conditions:
Accessing ssh/scp via curl rather that the scp application.

Impact:
Cannot use curl to copy files.

Workaround:
Use scp directly rather than curl.

Fix:
The ssh/scp server has been fixed to correctly interpret the file/directory names supplied by the 'curl' command.