932945-3 : STP references to stale interfaces remain when the port group changes

Links to More Info: BT932945

Component: F5OS-A

Symptoms:
When you change an existing port group, e.g., from one 100G to 4 25G, STP still reports the old interfaces when you issue 'show stp' from the CLI. Additionally, the new interface does not display in the CLI.

Conditions:
This occurs when making changes to the port group mode, e.g., from one 100G to 4 25G mode.

Impact:
-- The old interfaces still display when running 'show stp' from the CLI.
-- The new interface does not display when running 'show stp' from the CLI.
-- You must manually remove the old interfaces and add the new interface via the CLI.

Workaround:
You must manually remove the old interfaces and add the new interface using the CLI.

2296793 : Supported optic reports UNKNOWN state after upgrade

Component: F5OS-C

Symptoms:
After a system upgrade, a supported optic may report its state as UNKNOWN even though the system supports it.

Conditions:
This issue occurs when optics are inserted in the system before a live upgrade.

Impact:
For any optics that require specific tuning values, they will not be applied and may result in unexpected or inconsistent behavior.

Workaround:
Remove and reinsert the affected optic, or reboot the device.

Fix:
The optics-mgr process was timing out before it could retrieve optic data. The timeout period has been extended to allow the system to complete the data request.

2295445 : Kubelet log flood: "orphaned pod ... failed to remove volume ... directory not empty" for Tenant ConfigMap Volumes After Reboot

Links to More Info: BT2295445

Component: F5OS-A and F5OS-C

Symptoms:
On F5OS-A systems, kubelet may continuously log errors similar to the following every ~2 seconds:

orphaned pod "<pod-uuid>" found, but failed to remove volume at path /var/lib/kubelet/pods/<pod-uuid>/volumes/kubernetes.io~configmap/<tenant>-configmap: remove ...: directory not empty

This log flood occurs when the kubelet is unable to clean up the configmap volume directory for an orphaned tenant pod

Conditions:
-- F5OS-A version 1.5.x or 1.8.x (including 1.8.3) on rSeries platforms
-- The tenant pod is orphaned after a reboot (old pod replaced by a new pod for the same tenant)
-- The configmap volume directory for the old pod retains its standard Kubernetes content (timestamped data subdirectory, ..data symlink, and key symlinks)

Impact:
-- Continuous error log messages in /var/log/messages (approximately one every two seconds)
-- No functional impact to running tenants; the issue is cosmetic/operational (log noise)
-- Manual intervention may be required to clean up the stale directory

Workaround:
Manually delete the stale configmap directory for the orphaned pod using standard Linux file removal commands (e.g., rm -rf)

Note: Ensure the directory is not in use by any active pod before removal

Fix:
This issue is fixed in F5OS 2.0 and later, which incorporate improved cleanup logic from upstream Kubernetes. For F5OS-A 1.8.x and 1.5.x, a dedicated fix is being tracked under this bug.

2292429 : CVE-2026-4786 python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API

Component: F5OS-A and F5OS-C

Symptoms:
This flaw in the Python webbrowser.open() API allows for command injection and arbitrary code execution when processing specially crafted URLs containing "%action". This bypasses a previous mitigation for CVE-2026-4519

Conditions:
N/A

Impact:
This bypass enables command injection, potentially resulting in arbitrary code execution.

Workaround:
N/A

Fix:
Fixed

2292365 : CVE-2026-4424 libarchive: Information disclosure via heap out-of-bounds read in RAR archive processing

Component: F5OS-A

Symptoms:
A heap out-of-bounds read vulnerability exists in the libarchive RAR archive processing logic due to improper validation of the LZSS sliding window size during compression method transitions

Conditions:
NA

Impact:
Leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.

Workaround:
N/A

Fix:
Upgrade to fixed version

2291497 : CVE-2026-1519 bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone

Component: F5OS-A

Symptoms:
A flaw in BIND where processing a maliciously crafted DNSSEC-validated zone causes the resolver to consume excessive CPU resources

Conditions:
This occurs when a BIND resolver is configured for DNSSEC validation and receives a specific, crafted zone from a remote attacker

Impact:
N/A

Workaround:
N/A

Fix:
upgraded to the bind version.

2290657-1 : Orchestration Manager crash when partition configured with mgmt-vlans

Links to More Info: BT2290657

Component: F5OS-C

Symptoms:
The Orchestration Manager (OMD) process crashes and restarts when a partition is configured with mgmt-vlans.

Conditions:
- Partition configured with mgmt-vlans, e.g. "mgmt-vlans untagged".
- The mgmt-vlans added to an existing partition.

Impact:
- The Orchestration Manager process crashes and restarts.
- Cluster data is unavailable during the restart.

Workaround:
Create partition without "mgmt-vlans", or remove from existing partition:

conf
no partitions partition <partition> config mgmt-vlans
commit

2287977-1 : CVE-2026-23340: kernel: net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs

Component: F5OS-A

Symptoms:
A flaw was found in the Linux kernel. A race condition exists in the network queue management (qdisc) component when the number of transmit queues is dynamically reduced while network traffic is active. This can lead to a Use-After-Free (UAF) vulnerability, where memory is prematurely freed while still being accessed. A local attacker could exploit this to cause a denial of service.

Conditions:
NA

Impact:
Signal Handler Race Condition

Fix:
Fixed in kernel.

2287953-5 : CVE-2026-23352:kernel: x86/efi: defer freeing of boot services memory

Component: F5OS-A

Symptoms:
A flaw was found in the Linux kernel. During system startup, when the kernel attempts to free memory used by EFI (Extensible Firmware Interface) boot services, it may fail to properly release these memory regions. This occurs because the memory freeing process is initiated before the system's memory map is fully initialized. The consequence is a memory leak, which can lead to a denial of service by consuming available system resources.

Conditions:
NA

Impact:
Release of Invalid Pointer or Reference

Fix:
Fixed.

2285041-2 : The module-communication-error not clearing post-recovery

Links to More Info: BT2285041

Component: F5OS-C

Symptoms:
A shared commError flag in the VPC and VFC health monitoring tasks caused a race condition when tracking communication errors across controllers.

Conditions:
A shared commError flag caused a race condition where a communication error in one PSU controller could be incorrectly cleared by another PSU controller, leaving the original controller's error uncleared even after recovery.

Impact:
This led to scenarios where a module communication error status was not cleared even after recovery.

Workaround:
Restart diag-agent using the below command

docker restart diag-agent

Fix:
Fixed Communication Error not clearing for recovered modules

2279301 : CVE-2026-33412: Vim glob() handling

Component: F5OS-A

Symptoms:
Certain patterns may be processed incorrectly in specific scenarios.

Conditions:
NA

Impact:
May result in unintended command execution.

Workaround:
NA

Fix:
Fixed

2279229 : Kernel Panic Occurs While Accessing page_private Data During Writeback

Links to More Info: BT2279229

Component: F5OS-A and F5OS-C

Symptoms:
System crashes with kernel panic during filesystem writeback

Conditions:
Occurs when hardware or drivers (e.g., RDMA/DMA) write directly to file-backed pages pinned with get_user_pages() (GUP), bypassing normal filesystem write paths, so the filesystem is unaware of the changes

Impact:
Kernel panic/system crash

Workaround:
None

Fix:
Kernel upgraded

2277137 : CVE-2026-3497: OpenSSH GSSAPI message handling

Component: F5OS-A

Symptoms:
Certain SSH connections using GSSAPI may terminate unexpectedly under specific message sequences.

Conditions:
Applies when GSSAPI authentication is enabled and specific protocol error conditions occur during key exchange.

Impact:
May result in reduced availability and, in limited cases, exposure of unintended information.

Workaround:
Recommended mitigation is by default in place.

Fix:
Fixed

2266017-5 : CVE-2025-37789: Kernel openvswitch key length validation

Component: F5OS-A

Symptoms:
Under specific conditions, the system may become unresponsive.

Conditions:
NA

Impact:
May result in reduced availability and limited information exposure.

Workaround:
NA

Fix:
fixed in kernel.

2265997 : CVE-2026-23291 kernel: nfc: pn533: properly drop the usb interface reference on disconnect

Component: F5OS-C

Symptoms:
A reference counting issue in the Linux kernel nfc: pn533 driver may lead to a dangling USB interface reference when a supported NFC device is disconnected, potentially resulting in system instability or denial of service.

Conditions:
NA

Impact:
May cause system instability or denial of service (DoS).

Workaround:
The affected NFC pn533 driver is not present or active in F5OS.

Fix:
Fixed

2265989 : CVE-2026-23304 kernel: ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()

Component: F5OS-A

Symptoms:
A flaw in the Linux kernel IPv6 routing subsystem may trigger a NULL pointer dereference when a network device is removed from a Virtual Routing and Forwarding (VRF) instance while IPv6 route lookups are in progress, potentially causing a system crash.

Conditions:
Occurs on systems using VRF with IPv6 enabled while network devices are actively being attached to or removed from VRF instances during IPv6 traffic processing.

Impact:
May cause a kernel crash leading to denial of service (DoS).

Workaround:
N/A

Fix:
Fixed

2265985 : CVE-2026-23303 kernel: smb: client: Don't log plaintext credentials in cifs_set_cifscreds

Component: F5OS-C

Symptoms:
A flaw in the Linux kernel SMB client may expose plaintext SMB usernames and passwords in debug logs when CIFS debug logging is enabled.

Conditions:
Occurs only when the SMB/CIFS client is used with debug logging enabled and a local user has access to the generated debug logs containing credential information.

Impact:
May allow disclosure of plaintext SMB credentials to local users with access to debug logs, potentially leading to unauthorized access to SMB resources.

Workaround:
CIFS debug logging is disabled by default in F5OS. Avoid enabling SMB/CIFS debug logging and restrict access to system and debug logs to privileged users only.

Fix:
Fixed

2264293-1 : CVE-2026-23307 kernel: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message

Links to More Info: K000161138

2263417-5 : CVE-2026-23290 kernel: net: usb: pegasus: validate USB endpoints

Component: F5OS-A

Symptoms:
A flaw was found in the Linux kernel's pegasus driver. A malicious USB device can exploit this vulnerability by not presenting the expected number and types of USB endpoints. This lack of proper validation causes the driver to blindly access uninitialized endpoints, leading to a system crash.

Conditions:
NA

Impact:
System crash.

Workaround:
NA

Fix:
fixed by upstream patch.

2261481 : Packet loss on a F5OS tenant when vlan-groups are in use

Links to More Info: BT2261481

Component: F5OS-A and F5OS-C

Symptoms:
On an F5OS tenant, there may be packet loss when vlan-groups are in use. This occurs due to high churn inside the FDB table due to MAC addresses being learned between different host ports resulting in temporary DLF drops while the MAC is learned on the new port.

Conditions:
- BX520 blade
- VLAN groups
- A large amount of unique MAC addresses in the FDB table

Impact:
Packet loss. Failing monitor probes.

Workaround:
Monitor probe issues may be alleviated by creating a static FDB entry for the local admin bit flipped MAC address that TMM is egressing packets from.

Fix:
Enable service-DAG when learning host generated MAC addresses to eliminate port-motion events between host ports.

2260817 : [Windows AD] Secure LDAP / Basic LDAP is not working post toggling the active_directory flag True/False

Links to More Info: BT2260817

Component: F5OS-A and F5OS-C

Symptoms:
With Basic LDAP or Secure LDAP (LDAPS) integrated with Windows Active Directory, toggling the active_directory and unix_attributes flags causes LDAP authentication to stop working.

Specifically:

1. The Windows AD Domain SID is not recreated after the toggle.
2. LDAP-authenticated users receive a 403 Forbidden error when accessing the REST API.

Conditions:
1. F5OS-A/C is configured with Windows AD LDAP or Secure LDAP (LDAPS) authentication.
2. LDAP roles are mapped to AD groups using system aaa authentication roles.
The active_directory flag is toggled from true -> false (and unix_attributes from false -> true), then toggled back.

Impact:
All remote LDAP users cannot authenticate via LDAP, and LDAP-authenticated users lose access to the management CLI and REST API.

Workaround:
None.

Fix:
The issue is fixed on F5OS-2.0.0 and F5OS-A-1.8.4

2258893 : CVE-2026-3783: curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect

Component: F5OS-A

Symptoms:
A flaw was found in curl. When an OAuth2 bearer token is used for an HTTP(S) transfer that redirects to a second URL, curl could unintentionally leak the token. This occurs if the second hostname has entries in the .netrc file, allowing the bearer token intended for the first host to be sent to the redirected host.

Conditions:
NA

Impact:
May result in unintended information exposure.

Workaround:
Allow system access to trusted users.

Fix:
Fixed

2258845 : CVE-2026-28421: vim: Vim: Denial of service and information disclosure via crafted swap file

Links to More Info: K000160853

2257649 : Memory leak in confd-key-migrationd when frequently retrieving primary key data

Links to More Info: BT2257649

Component: F5OS-A

Symptoms:
The confd-key-migrationd process experiences a slow memory leak.

Conditions:
- primary-key state is frequently retrieved via 'show system aaa' or 'show system aaa primary-key state'.
- Equivalent API endpoints such as '/restconf/data/openconfig-system:system/aaa' can also trigger the leak.

Impact:
The resident size of the confd-key-migrationd process increases slowly over time, and may eventually exhaust system memory, resulting in OOM killer and system instability (typically after months of uptime).

Workaround:
Observe the resident size (RSS) of the confd-key-migrationd process with the following command:

ps -o pid,vsz,rss,cmd -p $(pidof confd-key-migrationd)

It is typically no more than ~20MB on a healthy system.

Reboot the system or restart the confd-key-migration-mgr docker container to free up the memory, if needed:

docker container restart confd-key-migration-mgr

2257529 : CVE-2022-50865 kernel: tcp: fix a signed-integer-overflow bug in tcp_add_backlog()

Component: F5OS-A

Symptoms:
Improper TCP backlog limit calculations may cause unexpected packet drops under heavy network load.

Conditions:
NA

Impact:
May cause reduced TCP service availability or degraded network performance due to premature packet drops

Workaround:
N/A

Fix:
Upgraded to fixed version

2241641 : Ports 7100 and 7200 Exposed, Allowing Remote Console Access via Management Network

Links to More Info: BT2241641

Component: F5OS-C

Symptoms:
Ports 7100 and 7200, used for internal console access between controllers, are remotely accessible over the management network. This can lead to potential unauthorized access to the controllers.

Conditions:
N/A

Impact:
Unauthorized access to the controller's console using exposed ports.

Workaround:
N/A

Fix:
Ports 7100 and 7200 are included in the controller allowlist, which allows adding allowed-IP rules for these ports.

2241521 : PlatformStatsBridge crash on VELOS due to malformed SNMP requests

Links to More Info: BT2241521

Component: F5OS-A

Symptoms:
Multiple PlatformStatsBridge core dumps observed on VELOS controller and partition.

Conditions:
Occurs when the system receives malformed or out-of-range SNMP queries, such as those generated by misconfigured monitoring scripts (e.g., Zabbix integration).

Impact:
PlatformStatsBridge process crashes, generating core files. No impact to production traffic or overall VELOS system health reported.

Workaround:
Ensure SNMP monitoring tools send only valid and supported OIDs. Review and correct any custom SNMP scripts or templates to avoid malformed queries. No further action required if scripts are compliant; issue does not affect production service.

2230833 : Stale USB drive entry remains in show components after USB removal on VELOS

Links to More Info: BT2230833

Component: F5OS-C

Symptoms:
After a USB drive is removed, show components may still display the removed USB disk entry (for example sda DataTraveler) even though lsusb, lsblk, and platform-hal GET:drives no longer show it.

Conditions:
On VELOS systems, a USB drive was previously attached to a controller and then removed; stale drive data may remain shown in show components.

Impact:
Show components can report stale storage information, which may mislead operators about currently attached USB devices.

Workaround:
None.

2230697 : Tenant image uploads are failing without error notifications, despite sufficient available storage.

Links to More Info: BT2230697

Component: F5OS-A and F5OS-C

Symptoms:
In some scenarios extra disk space is required for a tenant image. If there is enough space to upload the image, but not enough extra space, the operation will silently fail.

Conditions:
There is sufficient disk space to upload the tenant image; however, there is not enough space to copy it.

Impact:
Silent failure when uploading a tenant image.

Workaround:
Clear disk space by removing old tenant images, or resize the images volume.

2230673 : Tenant image upload silently fails

Links to More Info: BT2230673

Component: F5OS-A and F5OS-C

Symptoms:
In some scenarios extra disk space is required for a tenant image. If there is enough space to upload the image, but not enough extra space, the operation will silently fail.

Conditions:
Enough disk space available to upload a tenant image, but not enough to copy it.

Impact:
Silent failure when uploading a tenant image.

Workaround:
Clear disk space by removing old tenant images, or resize the images volume.

2230189 : The dbus-daemon SIGSEGV causes NetworkManager communication failures leading to Vcc-host-config issues

Component: F5OS-C

Symptoms:
The dbus-daemon SIGSEGV causes NetworkManager communication failures leading to Vcc-host-config issues.

Conditions:
The dbus daemon should crashed or restarted.

Impact:
Communication failures leading to Vcc-host-config issues.

Workaround:
Restart NetworkManager.service.

Fix:
Issue has been fixed.

2229517-2 : Possible that cluster status output in controller CLI may not represent actual status

Links to More Info: BT2229517

Component: F5OS-C

Symptoms:
There is a rare possibility that the cluster status output in the controller CLI may not display the actual cluster status in the chassis.

Conditions:
There is a timing case where stale values for the cluster status are written to the confd database on startup and are not refreshed when actual values are available.

Impact:
User will see an incorrect cluster state.

Workaround:
User can issue a controller failover and that will update to the correct cluster status within confd

2228961 : CVE-2026-25749 : Vim: Arbitrary code execution via 'helpfile' option processing

Component: F5OS-A

Symptoms:
Vim's tag file resolution logic allows a local attacker to achieve a out-of-bounds write. By providing a specially crafted helpfile option value a local user can trigger a heap buffer overflow, as consequence lead to memory corruption presenting a data integrity impact or leading the vim process to crash resulting in availability impact. Although being non-trivial and very complex, arbitrary code execution is not discarded as worst case scenario.

Conditions:
a local user provides or opens a specially crafted 'helpfile' option value or help/tag file

Impact:
Leading to impact on confidentiality, integrity, and availability, within the privileges of the local user.

Workaround:
N/A

Fix:
updated to the fixed version

2227221 : F5OS tpm-integrity-status is Unavailable on certain versions released since October 2025

Links to More Info: BT2227221

Component: F5OS-A

Symptoms:
When you run show components component state tpm-integrity-status, the TPM integrity status reports "Unavailable"

# show components component state tpm-integrity-status

          TPM
          INTEGRITY
NAME STATUS
-----------------------
platform Unavailable

Conditions:
-- Running the tpm-integrity-status command from F5OS-A or F5OS-C on rSeries or VELOS:
- VELOS systems running F5OS-C versions 1.8.2, 1.8.2-EHF, or 1.6.4
- rSeries systems running F5OS-A versions 1.8.3, 1.8.3-EHF, or 1.5.4
- EHFs built after October 15, 2025, including EHFs posted to MyF5 downloads in October such as:
  - F5OS-A-1.8.3-23493.R5R10.EHF-1
  - F5OS-C-1.8.2-28324.CONTROLLER.EHF-1
  - F5OS-C-1.8.2-28324.PARTITION.EHF-1

-- The calendar date is on or after April 4, 2026

Impact:
The tpm-integrity-status output reads Unavailable after April 4th, 2026.

Workaround:
If it is before April 4, 2026, you can run 'show components component state tpm-integrity-status' to get the TPM status.

2225577 : AOM and fan alarms persist on rSeries appliance persist after hardware replacement and cannot be cleared

Links to More Info: BT2225577

Component: F5OS-A

Symptoms:
After replacing a faulty fan tray via RMA, critical fan and AOM fault alarms remain visible in show system alarms even though replacement hardware is operating normally and show system health reports all components as healthy. Standard docker alert-service clear commands fail to remove the stale alarms.

Conditions:
Fan tray hardware replaced via RMA
Replacement fans operating correctly (>15K RPM, health status: ok)

Impact:
Persistent false-positive critical alarms create operational confusion and monitoring noise.

Workaround:
Log into the system as root and run:
docker exec alert-service /confd/test/sendAlert -n "<message>" -s <Resource> -r clear -se error -i <ID> -d "<Text>"

If above does not clear it.
1. docker restart alert-service
2.docker exec alert-service /confd/test/sendAlert -n "<message>" -s <Resource> -r clear -se error -i <ID> -d "<Text>"

2225321 : CVE-2025-15281: glibc: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory

Component: F5OS-A

Symptoms:
A flaw was found in glibc. When the wordexp function is called with the flags WRDE_REUSE and WRDE_APPEND, it may return uninitialized memory.

Conditions:
If the caller inspects the we_wordv array or calls the wordfree function to free the allocated memory.

Impact:
Reduced availability

Workaround:
NA

Fix:
Fixed

2225181 : 'Show NTP' Command Displays Incorrect Server IP Information

Links to More Info: BT2225181

Component: F5OS-A and F5OS-C

Symptoms:
The 'show ntp' command does not indicate an error when a server DNS name cannot be resolved. Additionally, if multiple NTP servers are configured, sometimes it displays the IP address of the synchronized time source as the IP address of all configured servers.

Conditions:
Configure multiple NTP servers, possibly with some with unresolvable domain names.

Impact:
NTP server information is inaccurate.

Workaround:
None

Fix:
NTP server status display has been corrected.

2225081 : VELOS BX520 ATSE Datapath lockup causes blade to report unhealthy and stop passing traffic

Component: F5OS-C

Symptoms:
This failure looks like an RQM lockup. An RQM lockup can show up as a DMA receive failure or a DMA transmit failure.

Receive failure because the receive queue will not accept HBM memory writes. Transmit failure because loopback health check packets will back up and flow control the transmit data-path.

Conditions:
No known conditions. This typically happens on initialization, but has been seen at runtime.

Impact:
This causes a data-path lock-up and traffic will not be passed by the affected blade.

Workaround:
Reboot the system.

Fix:
HBM calibration has been fixed.

2224645 : CVE-2025-11731: libxslt: Type Confusion in exsltFuncResultCompfunction of libxslt

Links to More Info: K000160721

2222109 : CVE-2025-68160 openssl vulnerability

Links to More Info: K000160552

Component: F5OS-A

Symptoms:
See https://my.f5.com/manage/s/article/K000160552

Conditions:
See https://my.f5.com/manage/s/article/K000160552

Impact:
See https://my.f5.com/manage/s/article/K000160552

Workaround:
See https://my.f5.com/manage/s/article/K000160552

Fix:
https://my.f5.com/manage/s/article/K000160552

2221793 : PSU alarm disappears intermittently when PSU issues exist

Links to More Info: BT2221793

Component: F5OS-C

Symptoms:
The PSU alarm gets stuck when PSU hardware is faulty and frequent controller switchovers (or power cycle followed by switchovers) that can generate more LOP events and trigger the issue.

Conditions:
Faulty PSU hardware and frequent controllers switchover.

Impact:
No functional impact but PSU alarm gets stuck in ConfD.

Workaround:
Need to replace faulty PSU hardware. For more information on Platform maintenance, refer to Platform Guide: VELOS CX Series. For further assistance, contact F5 Support.

2221105 : CVE-2025-69421 openssl: OpenSSL: Denial of Service via malformed PKCS#12 file processing

Links to More Info: K000160554

2221101 : CVE-2025-69420 openssl: OpenSSL: Denial of Service via malformed TimeStamp Response

Links to More Info: K000160560

2221097 : CVE-2025-69419 openssl: OpenSSL: Arbitrary code execution due to out-of-bounds write in PKCS#12 processing

Links to More Info: K000160558

2221093 : CVE-2025-69418 openssl: OpenSSL: Information disclosure and data tampering via specific low-level OCB encryption/decryption calls

Links to More Info: K000160557

2220649 : CVE-2023-53552 kernel: drm/i915: mark requests for GuC virtual engines to avoid use-after-free

Component: F5OS-A

Symptoms:
Improper handling of Intel i915 GPU virtual engine requests may lead to invalid memory access.

Conditions:
Applies only when the Intel i915 graphics driver is loaded and GPU rendering is in use.

Impact:
May result in reduced stability and unexpected behavior.

Workaround:
This driver is not active by default. Keep the i915 module unloaded unless required.

Fix:
Upgraded to fixed version

2219897 : PSU alarms getting cleared during controller failover

Component: F5OS-C

Symptoms:
PSU fault alarms were not triggered during controller failover.

Conditions:
When PSU alarms are present in the system and are followed by a controller failover.

Impact:
When PSU health status is displayed as faulty, the corresponding alarm notification does not appear.

Workaround:
None.

Fix:
Updated diag-agent service so that any psu alarms won't be cleared by standby controller boot up.

2219861 : TCP Packet loss after upgrade with AFM provisioned★

Links to More Info: BT2219861

Component: F5OS-A

Symptoms:
After an upgrade, disabled hardware DOS vectors may use old values.

Conditions:
-- F5OS tenant
-- Upgrade
-- AFM provisioned

Impact:
DOS thresholds may be incorrectly set or set too low resulting in packet loss that causes poor throughput.

Workaround:
Disable and re-enable the disabled DOS vectors.


Log into the BIG-IP GUI and navigate to
Security ›› DoS Protection : Device Protection

Filter attack vectors: tcp

click the "Network" text

Enable all the disabled vectors by clicking on the vector name and changing state from "disabled" to "mitigate".

Then disable the vectors by clicking on the vector name and changing state from "mitigate" to "disabled".

2219841 : L2 table become inconsistent after reseating VELOS blades

Component: F5OS-A

Symptoms:
After reseating blades, L2 tables become inconsistent and traffic is sent to wrong interfaces despite static FIB entries being present.

Conditions:
Occurs when multiple VELOS blades are removed and reinserted. L2-agent fails to connect to confd during blade initialization, preventing proper interface/portgroup configuration updates.

Impact:
Traffic misdirection, inconsistent L2 tables, SNMP and CLI interface commands may fail.

Workaround:
Perform partition failover, disable/re-enable partition, or reseat affected blades.

2219813-2 : Empty File path in upload api leads to core

Links to More Info: BT2219813

Component: F5OS-C

Symptoms:
The utils-agent service crashes

Conditions:
Provide an empty file path to the upload api

Impact:
Utils-agent crashes and generates a core.

Workaround:
None

Fix:
Empty/Null check added for file path field in upload api to make sure no crash in utils-agent service.

2219077 : Enhance logging for clear-all alert cases.

Component: F5OS-A and F5OS-C

Symptoms:
When a Power Supply Unit (PSU) is removed or a hardware component is cleared, there is no corresponding trace or log entry in velos.log or platform.log confirming that the associated alarms were cleared. The system clears the alarms, but it does so silently.

Conditions:
Observed the behaviour when triggers a "clear-all" operation for component specific alerts.

Impact:
No functional impact.

Administrators and support cannot verify via system logs whether an automatic clear-all alert operation was successfully triggered or executed, making it difficult to diagnose edge cases where alarms might fail to clear properly.

Workaround:
No

Fix:
Logging has been enhanced. The system now explicitly logs informational messages whenever a clear-all request type is received and processed.

2218937 : CVE-2025-14524 curl: Information disclosure via cross-protocol redirect with OAuth2 bearer token

Links to More Info: K000160292

2218885 : CVE-2025-40154 kernel: ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

Links to More Info: K000160420

2218565 : Controller boot up in rare conditions can impact blade management network after failover

Links to More Info: BT2218565

Component: F5OS-C

Symptoms:
A rare race condition in the vcc-lacpd process can prevent a system controller failover correctly setting the LACP status for LACP based link aggregations.

This condition is easily identifiable if the log msgid=0x6602000000000003 originating from vcc-lacpd process is seen since the last controller reboot.

Conditions:
Controller reboot. It is more likely though still extremely rare to occur if vcc-lacpd process restarts independently of a controller reboot.

Impact:
Blade management network can be impacted which can cause a variety of issues, including blade reboot loops on partition upgrade. If a management aggregation on the controller front panel management ports is configured for LACP, this aggregation may also be impacted.

Workaround:
Restart the affected vcc-lacpd process via docker restart cc-lacpd.

Fix:
While you may still see msgid=0x6602000000000003, the log no longer indicates a problem as the vcc-lacpd process will appropriately recover.

2218489 : CVE-2025-38085 kernel: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race

Component: F5OS-A

Symptoms:
Unexpected memory access behavior may occur due to race conditions in huge page management

Conditions:
Occurs on vulnerable kernel versions during concurrent memory operations involving huge pages (hugetlb) and fast page pinning (GUP-fast)

Impact:
May lead to unintended access to memory belonging to another process, potentially exposing sensitive information

Workaround:
N/A

Fix:
Fixed

2218469 : CVE-2025-39817: kernel: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

Component: F5OS-A

Symptoms:
A slab-out-of-bounds exists in the linux kernel in efivarfs_d_compare, such that the issue can be triggered by parallel lookups using an invalid filename due to an incorrect memcmp function.

Conditions:
Occurs during concurrent efivarfs lookups with malformed or invalid EFI variable filenames, typically requiring local privileged access

Impact:
May lead to kernel instability or crash.

Workaround:
N/A

Fix:
The kernel has been updated to the fixed version.

2218193 : No guradrail for downgrade from 2.0.0 to lower version when common criteria mode enabled.★

Component: F5OS-A and F5OS-C

Symptoms:
The common criteria compliance_cfg file is persistent with status enabled when downgrading from 2.0.0 to a lower version.

Conditions:
No guardrail for downgrade from 2.0.0 to lower version when common criteria mode is enabled.

Impact:
The common criteria compliance_cfg file will have incorrect information about the common criteria mode.

Workaround:
Implement guardrail while downgrading from 2.0.0 when common criteria mode is enabled.

Fix:
Once Common criteria mode is enabled, the user will not be able to downgrade to a version that does not support Common Criteria mode. To perform a downgrade, the user must first disable Common Criteria mode.

2218133 : CVE-2026-0915: glibc: glibc: Information disclosure via zero-valued network query

Component: F5OS-A

Symptoms:
A flaw was found in glibc, the GNU C Library. When an application calls the getnetbyaddr or getnetbyaddr_r functions to resolve a network address, and the system's nsswitch.conf file is configured to use a DNS (Domain Name System) backend for network lookups, a query for a zero-valued network can lead to the disclosure of stack memory contents.

Conditions:
DNS must be enabled in nsswitch config.

Impact:
Sensitive data gain.

Workaround:
NA

Fix:
Fixed

2217377-2 : Tenant management IP may be inaccessible until ARP entries timeout after controller failover

Component: F5OS-C

Symptoms:
After a controller failover, or reboot of the active CC mode, Stale ARP entries may cause the tenant management IPs to not be accessible.

GARP packets are sent, but there was a race between the management port on the new CC becoming active and the tenant orchestration layer sending the GARPs

Conditions:
This can happen after reboot/power cycle of the active controller, or manual failover the system controllers.

Impact:
The tenant management IP will become inaccessible until the ARP entries in the upstream switch times out, or the tenant generates outbound traffic on the management port that causes an update of the ARP table.

Workaround:
None.

Fix:
GARPs are now sent for a longer time after the controller failover to make sure they reach the upstream network device.

2216921-2 : Controller can incorrectly remove from the OpenShift cluster during rolling upgrade★

Links to More Info: BT2216921

Component: F5OS-C

Symptoms:
After a rolling upgrade of the controller software, one of the controllers may incorrectly be removed from the OpenShift cluster. This leaves the OpenShift cluster in a state where there is only one leader node in the cluster.

Conditions:
This can happen during a rolling upgrade due to a race condition on checking the status of the standby controller.

Impact:
If this occurs the affected controller will no longer be in the OpenShift cluster, so HA availability of the OpenShift cluster between the controllers will be compromised.

Workaround:
The workaround is to manually retrigger the addition of the removed controller to the Openshift cluster.

If controller-1 was removed, on controller 2 the user would do a touch /var/omd/CONTROLLER1_REINSTALL

If controller-2 was removed, on controller 1 the user would do a touch /var/omd/CONTROLLER2_REINSTALL

Fix:
The race condition that led to the controller being incorrectly removed from the cluster has been fixed, so that a controller will no longer be removed from the cluster during rolling upgrade.

2216829 : F5 rSeries Port Down, Optic Unplugged, or other frequent unexpected events.

Component: F5OS-A

Symptoms:
A small number of r5000/r10000 appliances have been found with a hardware defect on the internal PCIe links. This defect can result in erroneous internal register reads, causing the system to falsely detect conditions such as link down or optic unplugged. Other alarms or indications of system instability are possible.

Conditions:
There are no special conditions. This issue occurs frequently on affected systems.

Impact:
The system is unstable and unusable.

Workaround:
There is no specific log entry to detect the issue. Provide a QKVIEW for assessment by F5. If the issue is found in the QKVIEW, the unit must be returned and replaced.

Fix:
The manufacturing test has been updated to screen these defects in production. Existing units confirmed to have the issue must be returned and replaced.

2211261 : Enable login-attribute to work with UPN based authentication in F5OS

Links to More Info: BT2211261

Component: F5OS-A

Symptoms:
Authentication using userPrincipalName is not enabled by default in F5OS.

Conditions:
In F5OS, When configured active_directory to true and trying to authenticate the user with userPrincipalName instead of sAMAccountName will fail.

Impact:
Authentication using userPrincipalName will fail in F5OS for active directory based remote authentications.

Workaround:
1. Configure login-attrribute to userPrincipalName from ConfD CLI as below:
system aaa authentication ldap login-attrribute userPrincipalName

2. For client based UPN authentication -
   a. Client Certificates should have been generated using UPN name
   b. Configure in which field we need to fetch username in confd via "system aaa authentication clientcert config client-cert-name-field"
   c. Configure login-attribute as userPrincipalName in confd via "system aaa authentication ldap login-attrribute userPrincipalName"



Note:
We can configure login-attribute via confd cli or restconf api. In this release there is no support to configure login-attribute from GUI.

Fix:
Added configurable parameter in confd to enable "userPrincipalName" based authentication.

2209117 : System is not booting after trying password recovery steps on rocky OS

Component: F5OS-A and F5OS-C

Symptoms:
When tried to use password recovery steps as mentioned in the KB article https://my.f5.com/manage/s/article/K000134739, system is unable to boot to OS.

Conditions:
When tried to use password recovery steps as mentioned in the KB article https://my.f5.com/manage/s/article/K000134739, system is unable to boot to OS.

Impact:
System is unable to boot to OS.

Workaround:
In the recovery steps, if we use reboot instead of the 2nd exit, the containers/services are getting up as expected.

Fix:
KB article must be updated with proper steps mentioning that reboot must used, instead of the second exit.

2209005 : TLS client authentication for LDAP servers not working

Links to More Info: BT2209005

Component: F5OS-A

Symptoms:
F5OS does not authenticate to LDAP servers.

Conditions:
- LDAP authentication in F5OS configured to use a client certificate and key ("system aaa authentication ldap tls_cert" and "system aaa authentication ldap tls_key").
- Either or both of the following:
-- An LDAP group mapping is configured (ldap-group specified for a role)
-- Active Directory enabled and Unix Attributes disabled

Impact:
F5OS is unable to connect to the LDAP server

Workaround:
None

2208601 : Long BIG-IP tenant names will prevent virtual console access

Links to More Info: BT2208601

Component: F5OS-A

Symptoms:
Creating a BIG-IP tenant in the GUI with a name longer than 32 characters will prevent virtual console access to the tenant.

Conditions:
BIG-IP tenant name is longer than 32 characters.

Impact:
The creation of the tenant-console user fails, preventing access to the virtual console for that tenant.

Workaround:
Use tenant names that don't exceed 32 characters in length.

2207865 : Snmpwalk misses LAG interface stats intermittently

Links to More Info: BT2207865

Component: F5OS-A

Symptoms:
Though the LAG interface is configured in system, some stats for the LAG interface will be missed in snmpwalk output intermittently.

Conditions:
Issue is rarely observed when running snmpwalk in a loop continuously.

Impact:
Snmpwalk may not display all statistics for the LAG interfaces.

Workaround:
Run snmpwalk after a 20 second delay.

Fix:
Ensured all LAG interface statistics are properly reported in SNMP walk output.

2202065 : LACP LAG interface stops forwarding packets when interface is disabled and re-enabled

Links to More Info: BT2202065

Component: F5OS-A

Symptoms:
When an interface that is part of a LACP LAG is disabled and then re-enabled, the interface stops forwarding packets.

Conditions:
LACP LAG interface disabled and re-enabled.

Impact:
LACP LAG down since BPDU packets are not being captured.

Workaround:
A reboot re-enables packet forwarding on the interface.

Fix:
Restarting the appliance allows BPDU packet capture which fixes LACP.

2201421 : Removing the active controller does not trigger an immediate tenant failover

Component: F5OS-C

Symptoms:
On a VELOS chassis setup where the BIG-IP tenant is active for a traffic group and the HA score includes a weighted value for F5OS_INTERNAL_TRUNK. Removing the active controller does not result in an immediate failover.

Conditions:
The tenant is active for a traffic group and is running on the controller that is currently active for the partition hosting the tenant.

The active system controller is removed or powered off using AOM.

Impact:
Tenant failover is delayed upto 4min when an active controller of the active tenant is pulled out .

Workaround:
None.

Fix:
Reduce the polling interval for lost VQF-link confD events to shorten the event detection time.

2201365 : Intermittent webUI startup failure after F5OS v1.8.x upgrade caused by SSL certificate generation issue

Links to More Info: BT2201365

Component: F5OS-A and F5OS-C

Symptoms:
In rare cases after upgrading to F5OS v1.8.x, the Web GUI (httpd) may fail to start. System logs may show a missing ServerName directive, and the /etc/auth-config/default/f5os.cert file may be missing or zero bytes.

Conditions:
This issue can occur in certain scenarios where the upgrade process fails to properly generate or retain the f5os.cert certificate file, and the authentication-manager does not recover from the missing or empty certificate, resulting in an invalid httpd configuration.

Impact:
The webUI is completely unavailable. CLI and API access remain functional.

Workaround:
Restart the authentication-mgr and http-server services using the following CLI command:
 
system diagnostics os-utils docker restart node platform service authentication-mgr

system diagnostics os-utils docker restart node platform service http-server

2201053 : WebUI Connection may be refused After Upgrading to version F5OS-A 1.8.3

Links to More Info: BT2201053

Component: F5OS-C

Symptoms:
After upgrading from version 1.5.3 to 1.8.3, access to the WebUI is no longer available. All connection attempts result in a "connection refused" error.

Conditions:
Occurs when upgrading from v1.5.3 to v1.8.3

Impact:
WebUI becomes inaccessible.

Workaround:
None.

2200097-1 : F5OS Backplane connectivity issues: 'TMM Not Ready', VoQ EMMs disabled for Blades due to VQF-CC link failures

Component: F5OS-C

Symptoms:
Dataplane switch interfaces corresponding to the even slot of a BX520 blade may be incorrectly disabled, causing a link outage to the Dataplane port of the even slot BX520 blade.

Conditions:
The Platform HAL sends a chassis platform response to the Chassis Manager indicating lop_ok is 0 for the even slot of a BX520 blade. Consequently, the Chassis Manager registers the blade as 'not present' (present = 0), prompting switchd to disable the port associated with the even-numbered slot.

Impact:
VQF IMM watchdog timeouts appear in the FPGA manager log.

Workaround:
Reboot both CCs. Can be performed in service if standby is rebooted first, followed by lsystem redundancy go-standby and then rebooting the new standby.

Fix:
The Chassis Manager will not publish a loss of presence specifically for the even slot of BX520 blades, ensuring that the corresponding dataplane port is not inadvertently disabled by switchd.

2199337 : Invalid or unresponsive rsyslog remote servers for log forwarding can exhaust system memory.

Links to More Info: BT2199337

Component: F5OS-A

Symptoms:
System memory usage will increase over time without boundaries.

Conditions:
Remote-syslog servers configured with TCP protocol that cannot establish a connection (or has a unreliable connectivity).

Impact:
The rsyslog daemon will retry, and memory will continue to increase.

This could potentially exhaust system memory.

Workaround:
Fix the connection, remove the invalid or flaky servers from config, OR use the UDP protocol.

Fix:
The new syntax used for rsyslogd remote-servers forwarding configuration requires specifying for each forwarding action a linked list queue type. This will implicitly use the default queue size of 1000 messages (or lower for earlier versions of rsyslogd).

2197021 : CVE-2025-65082 httpd: Apache HTTP Server: CGI environment variable override

Links to More Info: K000159875

2196545 : Tenant image upload failure when there is still sufficient space available

Links to More Info: BT2196545

Component: F5OS-A

Symptoms:
Tenant image upload failure when there is still sufficient space available. You may see below error from logs

"Disk usage exceeded threshold."

Conditions:
When there is sufficient space available, tenant image upload fails.

Impact:
Unable to upload tenant image

Workaround:
None

Fix:
Fixed in 2.0

2196293 : The file /var/omd/CLUSTER_REINSTALL on Standby causes openshift reinstall after failover

Links to More Info: BT2196293

Component: F5OS-A

Symptoms:
If /var/omd/CLUSTER_REINSTALL exists on Standby, when there is a controller failover, an openshift reinstall triggers.

Conditions:
- /var/omd/CLUSTER_REINSTALL exists on the Standby controller.
- A failover to that controller occurs.

Impact:
Service outage of Chassis

Workaround:
The file /var/omd/CLUSTER_REINSTALL is created by the user in order to trigger an openshift reinstall. It should not normally exist.

Proactively check that /var/omd/CLUSTER_REINSTALL does not exist on the Standby controller.

For example, from Active blade console:

[root@controller-A(VELOS):Active ~]# ssh controller-B ls -la /var/omd/CLUSTER_REINSTALL
ls: cannot access /var/omd/CLUSTER_REINSTALL: No such file or directory

Where "controller-B" is the other controller, for example "controller-2".

2195581 : FPGA firmware health status reported as unhealthy/error

Links to More Info: BT2195581

Component: F5OS-A

Symptoms:
Shortly after a VELOS BX520 blade boots up, the health status of the blade shows an error for one of the FPGAs, it never clears, and the blade still successfully runs traffic. There are also verification errors in velos.log.

For example, in confd: "blade/firmware/fpga/atse1 firmware:update-status unhealthy error error"

In velos.log, entries such as:
"FWU response error." ... "PCI slot ca:00.0 width is 4; expected 8."
FWU atse2 Verification failed, retrying (also appears in the blade PEL)
FWU atse2 Verification failed (also appears in the blade PEL)

Conditions:
Booting up a VELOS BX520 blade.

Impact:
One or more of the FPGA-to-CPU (PCIe) links may be running in a degraded state and could affect the bandwidth of traffic between the blade's FPGA and CPU.

Workaround:
The blade can be rebooted to retry the FPGA load process, which will retrain all the FPGA PCIe links.

Fix:
Retries were increased for the FPGA load process to make it more reliable.

2188089-2 : After Power Cycle testing on 1.8.2 EHF-3, observed partition mgmt interface stuck DOWN

Links to More Info: BT2188089

Component: F5OS-C

Symptoms:
Access to partition management can be permanently lost if
the System Controller is power cycled.

Conditions:
Power cycle the system controller on which the active instance of a partition is running.

Impact:
Management access to partition CLI / webUI lost.

Workaround:
Delete and recreate the partition management interface from the System Controller ConfD partition configuration.

config# no partitions partition <name> config mgmt-ip
config# commit
config# partitions partition <name> config mgmt-ip <ipv4 | ipv6> address <ip address> prefix-length <length> gateway <gateway address>

Fix:
Reconnection to partition CLI/webUI through the management IP can be reliably reestablished after power cycling the system controller hosting the active partition instance.

2187625 : Chassis partition go-standby command does not work correctly after Active/Active resolution

Links to More Info: BT2187625

Component: F5OS-A

Symptoms:
If an internal chassis network partition causes the chassis partition HA pair to go active/active, the HA pair will resolve to the current preferred controller when the network partition is fixed. But future attempts to manually fail over to the other controller using the 'go-standby' command will immediately fail back to the original controller.

Conditions:
If an internal controller network partition causes partition HA pair to go active/active the internal failover state is left inconsistent.

Impact:
The go-standby command will not work.

Workaround:
Proper operation can be restored by restarting the partition HA on the non-preferred controller (controller-2 if in 'auto' mode):

syscon-1-active(config)# system diagnostics os-utils docker restart node controller-2 service partition1_ha
Restarting container affects configuration and data path. Do you want to proceed? [yes/no] yes
result partition1_ha restarted successfully
syscon-1-active(config)#

Fix:
The go-standby command works correctly after active/active resolution.

2185853 : No logs observed when mgmt interface state changes

Links to More Info: BT2185853

Component: F5OS-A

Symptoms:
When mgmt interface state changes, there are no logs observed in platform.log.

Conditions:
Mgmt interface state change.

Impact:
There is no functional impact. interface state changes can be still read from Confd.

Workaround:
None

Fix:
NA

2185625-1 : Controller upgrade struck in in-progress after upgrading the chassis from 1.7.1 EHF1 to 1.8.2 EHF3★

Links to More Info: BT2185625

Component: F5OS-C

Symptoms:
When performing a rolling System controller upgrade from 1.7.1 to 1.8.x it is possible on of the upgrading System Controllers does not complete its upgrade and show system image displays "in-progress" for that system controllers upgrade status indefinitely.

Conditions:
Problem is known to occur on a fully loaded CX1610 chassis.

Impact:
Dataplane should continue to function at a reduced rate. However, the System Controllers will not form a ConfD HA pair until both System Controllers are running the same System Controller version and management communication may be lost with the upgrading controller.

Workaround:
Perform a manual switch of both service and os versions to match the peer System Controller. Example:

echo "switch cc_os <iso-version> " | nc -U /var/sw-mgmt.unix
echo "switch cc_serv <iso-version> no_restart" | nc -U /var/sw-mgmt.unix

where <iso-version> is the version the peer System Controller is currently running.

Then reboot the system reboot the system controller

Fix:
Ugrades from 1.7.1 to releases 1.8.x and later are no longer subject to becoming stuck in the "in-progress" state.

2183789 : FDB entries may expire when multiple entries hash to the same FPGA table index and traffic is intermittent

Links to More Info: BT2183789

Component: F5OS-A

Symptoms:
L2/FDB entries may expire even when traffic is arriving at the FPGA of the Appliance or VELOS Blade.

Conditions:
L2 entries which internally hash to the same table index inside the FPGA can lead to the expiration of the entry when traffic is arriving on intervals of more than 30 seconds from that MAC address. On each interval, an age refresh message might be lost, leading to decrement the age of the entry on 30 seconds. When the entry reaches the last period it will expire, and then it will be re-learnt again.

Impact:
The expiration of the FDB entry can lead to Destination Lookup Failures that are rate-limited, i.e. traffic loss. Depending on the scenario this could lead to intermittent potential outages between the entry expires, and it is learnt again.

Workaround:
Create a static FDB entry for the MAC address that suffers expiration issues. See K000152328.

Ensure that traffic from the MAC address expiring arrives continuously under 30 seconds intervals.

Open a Support case and request an EHF.

2183301 : Error Catalog not generating Hex Values in msgid

Component: F5OS-A and F5OS-C

Symptoms:
Error catalog messages were not generated past 9. Hex values A-F were skipped if they were in the msgid.

Conditions:
When there is a log message that has msgid that go past 9.

Impact:
Previously generated log messages did not have Hex msgid values past 9. Clouddocs error catalog page will not show the HEX msgid entries.

Workaround:
None.

Fix:
Allow msgid's to represented as hex values.

2183141 : Observed ctrlplane0x interface missing & ixgbe load errors after Active System Controller power cycle test

Links to More Info: BT2183141

Component: F5OS-C

Symptoms:
After performing a power cycle of active system controller, an error of loading ixgbe diver is observed which results in ctrlplane0x port missing in team0.

Errors:

[ 5.611594] ixgbe: probe of 0000:06:00.0 failed with error -5

Conditions:
Install v1.8.X-C/v1.7.C-X build on the system and perform active system controller power cycle. (This is intermittent issue)

On the failure case, dmesg logs will point:

[ 5.611594] ixgbe: probe of 0000:06:00.0 failed with error -5

Impact:
A malformed trunk between the control plane switch and controller host can lead to unpredictably unreliable traffic flows between the controller host and control plane switch.

Workaround:
Reboot the controller.

Fix:
The failed PCI device has been reinitialised.

2182497-4 : CVE-2025-38352: kernel: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

Component: F5OS-A

Symptoms:
A race condition was found in the Linux kernel’s POSIX CPU timer handling, where handle_posix_cpu_timers() may run concurrently with posix_cpu_timer_del() on an exiting task which could result in use-after-free scenarios. An attacker with local user access could use this flaw to crash or escalate their privileges on a system.

Conditions:
NA

Impact:
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Fix:
Kernel has been updated to a non-vulnerable version.

2181801 : CVE-2025-38498 kernel: do_change_type(): refuse to operate on unmounted/not ours mounts

Component: F5OS-A

Symptoms:
A flaw in do_change_type() allowed a process to change mount propagation flags on mounts outside its own mount namespace, breaking expected isolation guarantees. This could enable a local attacker with mount privileges to disrupt or alter mount behavior in other namespaces, potentially causing system-wide denial of service.

Conditions:
NA

Impact:
denial of service

Workaround:
N/A

Fix:
updated to fixeed version

2181757 : CVE-2022-50367 kernel: fs: UAF/GPF bug in nilfs_mdt_destroy

Links to More Info: K000158972, BT2181757

2181737 : CVE-2025-38718 kernel: sctp: linearize cloned gso packets in sctp_rcv

Links to More Info: K000158198

2181721 : CVE-2023-53354 kernel: skbuff: skb_segment, Call zero copy functions before using skbuff frags

Links to More Info: K000158127

2181701 : CVE-2022-50406 kernel: iomap: iomap: fix memory corruption when recording errors during writeback

Links to More Info: K000158197

2181681 : CVE-2023-53373 kernel: crypto: seqiv - Handle EBUSY correctly

Links to More Info: K000159889, BT2181681

2181285 : Vqf bitstream failed to load on blade

Links to More Info: BT2181285

Component: F5OS-C

Symptoms:
When there is a power outage/down without power backup then sometime a blade's usb drive will be disconnected. That will cause the vqf bitstream to fail to load.

Conditions:
Install the 1.8.2-C build on the system and perform power cycle. (This is highly intermittent issue)

Impact:
Blade will be in an inoperative state.

Workaround:
Power cycle will bring the system back

Fix:
NA

2180637-3 : Tenant disk can get removed when there is a double fault scenario

Component: F5OS-A

Symptoms:
Tenant disk will be recreated from scratch, prompting for changing the password from the default one.

Conditions:
When a controller is booting and is required to become the active role (including all partition active instances) due to the other controller being unavailable, a race condition may occur. This can result in the orchestration daemon removing tenant disks, as it has not have acquired the latest system state.

Impact:
Tenant disk is lost. No way to recover it.

Workaround:
Whenever possible, perform a power cycle on the controllers following a partition failover to the active controllers. Additionally, verify that there are no faults in the controller hosting the active partitions. This approach helps mitigate race conditions that may occur when the standby controller, during startup, is required to take over due to an unhealthy active controller.

Fix:
Removed the race condition that could cause prematurely removing tenant disks.

2179429 : Switchd may process blade slot operational data updates that are not intended to trigger any action

Links to More Info: BT2179429

Component: F5OS-C

Symptoms:
On software upgrade v1.7.x to v1.8.x and later releases following with a firmware upgrade, it is observed that the power field in the slot operdata may fluctuate. This behavior can cause switchd to incorrectly detect that the slot's dataplane ports require reconfiguration, resulting in a link flap on the affected blade dataplane port(s)

This will show up in the blade fpga manager as VOQ watchdog timeouts.

Conditions:
Upgrade from v1.7.x to v1.8.x and later that also involve a firmware update.

Impact:
Degraded dataplane performance and TMM HA failovers.

Workaround:
Reboot system controllers and / or impacted blades.

Fix:
Switchd configures the dataplane ports of a slot only in response to changes in slot presence or blade type

2179369 : F5OS does not validate the LDAP TLS CA certificate

Links to More Info: BT2179369

Component: F5OS-A

Symptoms:
F5OS does not validate that LDAP CA cert config (system aaa authentication ldap tls_cacert) is a valid CA certificate. An error similar to the following will be logged:

authd[7]: priority="Err" version=1.0 msgid=0x3901000000000101 msg="LDAP API error during : -" oper="SASL bind" code=-1 msg="Can't contact LDAP server".

Conditions:
-- F5OS system configured to use remote authentication via LDAP.
-- Invalid ldap tls_cacert configured.

Impact:
Remote LDAP authentication does not work.

Workaround:
None

2171937 : The Virtual Server is not receiving traffic due to an incorrect VLAN update from F5OS platform

Links to More Info: BT2171937

Component: F5OS-A

Symptoms:
When a specific native VLAN is configured for a port in virtual-wire, the incoming packets still arrive with VLAN ID 4094, while the Virtual Server expects traffic with the configured VLAN ID.

Conditions:
Configuring a specific native vlan on a port and then configuring it in virtual-wire.

Impact:
When enabling/disabling virtual-wire mode on a port with a configured native VLAN, the port default VLAN was being set with values (4094 for vwire enable, 4095 for vwire disable), ignoring any existing native VLAN configuration.

Workaround:
Once the virtual-wire is configured on the port, if the remove and re-add the native vlans to the interfaces, the hardware should get programmed correctly.

Fix:
Added a fix such that ensure native VLAN configuration is respected and preserved throughout the virtual-wire lifecycle.

2171805 : DmaTenantTcpCopOperHdlr, couldn't find stats for tenant

Links to More Info: BT2171805

Component: F5OS-A

Symptoms:
An error is found in platform.log

platform-stats-bridge[10]: nodename=controller-1(p3) priority="Err" version=1.0 msgid=0x4305000000000008 msg="" msg="DmaTenantTcpCopOperHdlr, couldn't find stats for tenant".

Conditions:
-- Tenant is in configured or not deployed completely
-- tcp-cop stats are queried when there are not yet any stats. (show tenants tenant tcp-cop tcp-cop)

Impact:
No functional impact. The log message is logged at the error level and should be logged at the warning level.

Workaround:
None

Fix:
The Err log is changed to Warning log in the latest versions (from 2.0+ and C-1.8.3)

2164309 : CVE-2023-53178 kernel: mm: fix zswap writeback race condition

Links to More Info: K000159018

2163677 : K3s install fails if a weak SSH MAC algorithm is configured★

Links to More Info: BT2163677

Component: F5OS-A

Symptoms:
If a weak SSH MAC algorithm is configured (via "system security services service sshd"), K3s will fail to install.

Conditions:
-- Appliance.
-- Weak SSH MAC algorithm configured.

Impact:
This can prevent upgrades or K3s reinstallations.

Workaround:
Configure a strong SSH MAC algorithm, e.g. hmac-sha2-256. In the CLI:

config
system security services service sshd config macs [ hmac-sha2-256 ]
commit

It is possible to configure multiple MAC algorithms, in which case the administrator should keep the stronger algorithms enabled as well.

2162969 : CVE-2022-50356 kernel: net: sched: sfb: fix null pointer access issue when sfb_init() fails

Links to More Info: K000160222, BT2162969

2162701 : Tenant outage caused by deletion of VLAN in the tenant and unassignment of the VLAN from F5OS

Links to More Info: BT2162701

Component: F5OS-A and F5OS-C

Symptoms:
When a VLAN inside the tenant is deleted and the VLAN is un-assigned from F5OS, a service for the tenant could be deleted. Deletion of service will cause an outage on the tenant.

Here are the two log messages on F5OS

datapath-cp-proxy[11]: priority="Info" msgid=0x5901000000000045 msg="Confd Event Update:" EVENT="DELETE_SERVICE_ID" FROM="CONFD" TENANTNAME="" ATSE=0 SUBMODULE=0.

datapath-cp-proxy[11]: priority="Info" msgid=0x5901000000000034 msg="Service Instance Update Success." TENANTNAME="tenant-1" DOSGRP="[2]" SVCGRP="[7]" SVCID=22.

Conditions:
-- Deletion of the VLAN inside the tenant.
-- Un-assignment of the same VLAN from the F5OS.

Impact:
Because the service is removed, all VLANs on that service will be inaccessible for the tenant and cause an outage in the tenant.

Workaround:
If a VLAN is going to be deleted from the tenant, first un-assign the VLAN inside the tenant from F5OS. Then after a 2 second delay, delete the VLAN inside the tenant.

2162197-2 : After a controller upgrade, out-of-sync etcd processes can lead to unhealthy cluster

Links to More Info: BT2162197

Component: F5OS-C

Symptoms:
After a controller upgrade, is is possible that the controller etcd processes can be out of sync causing the cluster to go into an unhealthy state.

Conditions:
The etcd processes require a quorum of three and the third etcd process is not being launched which leaves the etcds on both controllers in an inconsistent state.

Impact:
The cluster will remain in an unhealthy state.

Workaround:
On the active controller, manually launch the third etcd instance, by running this command at the root shell

/etc/etcd/launch_etcd.sh

Then issue a controller failover.

2160697 : Rsync.log files on blades are not rotated

Links to More Info: BT2160697

Component: F5OS-C

Symptoms:
The rsync.log files on VELOS blades are not rotated.

Conditions:
-- Chassis-based system.
-- Large (several GB) rsync.log file on at least one blade.

Impact:
This can cause disk space issues on blades, which can cause various issues, including the failure to run tenants.

Workaround:
Manually truncate the rsync.log file.

1. From the active controller, ssh to the blade with the large log file, e.g.:

ssh blade-1

2. Truncate the rsync.log file:

truncate -s0 /var/F5/partitionN/log/rsync.log

... where N is the ID of the partition with the large rsync.log file.

NOTE: This will remove all the contents of the rsync.log file. If you wish to keep this data, back it up before performing this operation.

2153981 : Tenant Disk can be removed as a result of misinterpreting system state.

Links to More Info: BT2153981

Component: F5OS-C

Symptoms:
A tenant disk will be removed from compute nodes when the tenant appears to be running from partition ConfD CLI. As a result, the VM pods cannot be started because the disk is gone.

The orchestration software will notice this and recreate the tenant with a new disk, but all configuration and other data associated with the original tenant will be lost.

Conditions:
- Power Cycle is performed on the a controller, forcing the partition go to the one staying up if it was not already there
- Cause a fault in the system that is up (like unplug mgmt interface cable). This is to cause the controller that was power cycled to take over as soon as it is able to.
- When the node that was down takes over (because the one that became active is at fault after unplugging cable) the tenants in the partition could end up getting wiped. This is intermittent since it is cause by a race condition at failover time.

When the failover occurs, the other partition instance is running on controller node that will take a number of seconds to become active on the controller side and take over the kubernetes layer.

Impact:
The orchestration software that takes over because the other node is at fault could end up running the reconciliation logic to add and remove tenants with no data because the DB read is not done and/or the kubernetes layer is not ready for queries.

If the reconciliation tenant list is empty, orchestration software end up misinterpreting it as if there were no tenants, causing tenants to be removed. But the DB does have the tenants. Subsequent iterations will detect there is a tenant that needs to be created, but at this point the disk is gone and a new disk gets created.

Workaround:
Because this is a race condition that occurs when a double fault happens (powercycle on one controller node and not having the mgmt interface up on the other controller node), the only way to try avoid it is to be ahead of the faults reported by the system.

Fix:
Orchestration software that was meant to reconcile what was missed should not take any action if the information is not available.

2153821 : During live-upgrade, "show cluster cluster-status" shows "K3s IMAGE update has failed, will retry"★

Component: F5OS-A

Symptoms:
If the prompt status is stuck in either of these 2 stages after F5OS-A live upgrade:
'Cluster update in-progress/Waiting for cluster service',

checkout the cluster state by running following command:
'show cluster cluster-status'

If the cluster state shows some output like this where K3s Image update has failed, and confirm that this same issue is hit.

INDEX STATUS
---------------------------------------------------------------------------------------------------
... . . . ...
6 2024-07-25 15:51:23.567837+00:00 - K3s IMAGE update has failed, will retry.
... . . . ...

Conditions:
This can occur while performing a live upgrade of F5OS-A.

Impact:
The prompt status is stuck in 'Cluster update in-progress/Waiting for cluster service' error.

Workaround:
Reboot the system. The upgrade will resume and complete.

2152957 : Disabled ports or port mode mismatches can cause bad register reads.

Links to More Info: BT2152957

Component: F5OS-C

Symptoms:
When a Front panel port is disabled or the port mode is mismatched, it can cause incorrect register reads. This may manifest as port interface flapping on other unrelated ports.

Conditions:
Front Panel Port is disabled or a port mode mismatch, such as a 100GE optic installed when the port is configured for 40GE operating mode.

Impact:
The status on other interfaces may incorrectly show ‘down’ when the interface is ‘up’ or other unexpected behavior.

Workaround:
Enable all Front Panel ports, even those not in use, and ensure there are no port mode mismatches.

Fix:
Updated FPGA firmware is required for the fix.

2152949 : Disabled ports or port mode mismatchs can cause bad register reads.

Links to More Info: BT2152949

Component: F5OS-A

Symptoms:
When a Front panel port is disabled or the port mode is mismatched, it can cause incorrect register reads. This may manifest as port interface flapping on other unrelated ports.

Conditions:
Front Panel Port is disabled or a port mode mismatch, such as a 100GE optic installed when the port is configured for 40GE operating mode.

Impact:
The status on other interfaces may incorrectly show ‘down’ when the interface is ‘up’ or other unexpected behavior.

Workaround:
Enable all Front Panel ports, even those not in use, and ensure there are no port mode mismatches.

Fix:
Updated FPGA firmware is required for the fix.

2152845 : VELOS controller unhealthy if it is rebooted after clean install while platform-services-deployment still starting★

Links to More Info: BT2152845

Component: F5OS-C

Symptoms:
A newly-installed controller running the correct software version is inaccessible from the network or peer controller, even though it is booted into F5OS.

Log messages in /var/log/messages or "journalctl -u platform-services-deployment" indicating that it failed to pull docker images, and the initial registries were set as a mirror of themselves:

platform-deployment: Initial registry (port 2000) setup as mirror of port 2000 registry complete
platform-deployment: Initial registry (port 2500) setup as mirror of port 2500 registry complete
[...]
platform-deployment: Pulling repository localhost:2500/vcc-partition-software-manager
platform-deployment: Error: image vcc-partition-software-manager:7.2.7-f5os-c-1-8-1-candidate.2025-02-11-05-55-35.S383ff41b not found
platform-deployment: Unexpected error encountered while starting platform services via docker-compose.
platform-deployment: Nov 12 11:57:57 controller-2.chassis.local platform-deployment[3342]: Error: image vcc-partition-software-manager:7.2.7-f5os-c-1-8-1-candidate.2025-02-11-05-55-35.S383ff41b not found
platform-deployment: Platform services done

Conditions:
A fresh install of software on a VELOS system controller (an RMA replacement system controller, or a clean install via PXE or USB).

During the initial boot into F5OS, the new system controller is rebooted while platform-services-deployment is still running in the background.

Impact:
The VELOS system controller remains inoperative.

Workaround:
Perform a clean install of the VELOS system controller software again, and do not reboot the controller while platform-services-deployment is still running.

2152701 : The port of Allowed IP Addresses is shown as "Select" on GUI instead of port number.

Links to More Info: BT2152701

Component: F5OS-A

Symptoms:
While editing Allow List Entry under System Settings -> System Security -> Allowed IP Addresses in the "Port" field you see "Select" instead of port number e.g. "22".

Conditions:
You configured Allowed IP Address Entry for port other than SNMP (161).

Impact:
The word "select" is incorrectly displayed, but it otherwise has no effect.

Workaround:
None

Fix:
None

2152353 : The "system aaa tls config passphrase" command does not validate whether or not the new passphrase correctly decrypts the current key file

Links to More Info: BT2152353

Component: F5OS-A

Symptoms:
If the GUI is configured to use a custom key and certificate ("system aaa tls config certificate" and "system aaa tls config key") and use an encrypted key file protected by a passphrase ("system aaa tls config passphrase"), the system fails to perform validation for subsequent changes to the passphrase (and the system is not decrypting and re-encrypting the key file).

Conditions:
-- System is configured to use a custom key and certificate for GUI access.
-- They key is encrypted with a passphrase, and "system aaa tls config passphrase" is used to set this passphrase in F5OS.
-- "system aaa tls config passphrase" is later used to change the passphrase, but the underlying key is not changed.

Impact:
-- Key migration fails
-- HTTP GUI and API are rendered unusable

Workaround:
Using the CLI:

-- Manually re-encrypt the key to use the new passphrase.
OR
-- Change the passphrase ("system aaa tls config passphrase") back to the one that matches they key.

2151753 : BX110 ports configured for 40G can fail to link with OPT-036 optics

Links to More Info: BT2151753

Component: F5OS-C

Symptoms:
BX110 front panel interface configured for 40G with OPT-0036 optic fails to achieve link.

Conditions:
BX110 front panel interface configured for 40G and using an OPT-0036 optic.

Impact:
Front panel interface remains DOWN, preventing traffic from flowing.

Workaround:
None

Fix:
Implement a software workaround that first writes a reset bit to '0' before writing it to a '1'.

2151413 : TACACS External Authentication Failure after a software upgrade

Links to More Info: BT2151413

Component: F5OS-A

Symptoms:
TACACS users are not able to login to the device.

Conditions:
TACACS+ server sends back an authorization reply with an auth status of 'PASS_REPL' (pass + *replace all attributes*) instead of 'PASS_ADD' (pass + *add* to attributes)

Impact:
TACACS users will be unable to log in when the server is configured under the specified conditions.

Workaround:
Avoid using PASS_REPL on Tacacs server.

Fix:
After upgrading device to latest EHF build, the issue is not reproduced.

2151269 : Prompt-statusd process occasionally cores

Links to More Info: BT2151269

Component: F5OS-A

Symptoms:
Occasionally the prompt-statusd daemon will core.

Conditions:
This can occur in prompt-statusd during normal operation.

Impact:
After core, service will restart the operation

Workaround:
None

2150853 : Logs in /var/confd/log are not rotated on system controllers★

Links to More Info: BT2150853

Component: F5OS-C

Symptoms:
Log files in /var/confd/log are not rotated on system controllers. Upgrades may fail due to a timeout.

Conditions:
-- A chassis-based system.

Impact:
If the files get too large, there can be disk space issues. It can also cause upgrades to fail due to a timeout.

Workaround:
If these files get too large, they can be pared down using the Linux "truncate" command. Note that this will remove log messages from these files.

2150537 : On r5xxx, multicast packets are replicated to unused ports causing invalid packet drops.

Links to More Info: BT2150537

Component: F5OS-A

Symptoms:
On r5xxx systems, multicast packets are forwarded to unused ports of the crossbar switch, resulting in packet drops on those ports. Because the ports are unused, the drop counters are meaningless.

Conditions:
Multicast packets received on a front-panel interface.

Impact:
None, this is purely cosmetic.

Workaround:
None

Fix:
Don't include unused ports in multicast duplication.

2148949 : CVE-2025-8194: cpython: Cpython infinite loop when parsing a tarfile

Component: F5OS-A

Symptoms:
A flaw was found in the Python tarfile module. Processing a specially crafted tar archive, specifically an archive with negative offsets, can cause an infinite loop and deadlock.

Conditions:
Should be able to process specially crafted tar archive.

Impact:
Infinite loop and deadlock resulting in denial of service.

Workaround:
Not affected.

Fix:
Fixed

2145489 : CVE-2025-6069: cpython: Python HTMLParser quadratic complexity

Component: F5OS-A

Symptoms:
A denial-of-service (DoS) vulnerability has been discovered in Python's html.parser.HTMLParser class.

Conditions:
Should be able to process specially malformed HTML input.

Impact:
Increased processing time can lead to excessive resource consumption, ultimately causing a denial-of-service condition in applications that rely on this parser.

Workaround:
NA

Fix:
Fixed

2141089 : Multicast traffic can be dropped by Host DLF rate-limiter

Links to More Info: BT2141089

Component: F5OS-A

Symptoms:
Multicast traffic from a tenant can be dropped by the host DLF rate-limiter, causing traffic loss.

Conditions:
Egress multicast traffic exceeding 2500 packets per second.

Impact:
Loss of multicast traffic.

Workaround:
Create a static FDB entry for the multicast MAC address.

Fix:
We changed the behavior of the FPGA code to remove multicast packets that miss the L2 table from being classified as DLF.

2141081 : Serial console access behavior

Component: F5OS-A

Symptoms:
Console access may be temporarily unavailable.

Conditions:
NA

Impact:
Could affect maintenance operations.

Workaround:
Follow standard recovery procedures.

Fix:
Fixed

2140617 : Tenants not receiving traffic after multi-bladed VELOS chassis upgrade to F5OS-C 1.8.2★

Links to More Info: BT2140617

Component: F5OS-A

Symptoms:
1. Output of "show fpga-tables vqf-voq-stats" on a partition will show 0s in IMM_ENABLED column for affected destination blade.

For example:
partition-1# show fpga-tables vqf-voq-stats

                                                          
            EMM IMM SMS
SLOT NAME ENABLED ENABLED DRPLVL PKT CNT BYTE CNT
----------------------------------------------------------
1 1.15 1 1 65535 212663 30410809
1 1.4 1 1 65535 106066 15170734
1 1.9 1 1 65535 122845 22230707
1 2.15 1 1 65535 416 67808
1 2.4 1 1 65535 110 23540
1 2.9 1 1 65535 0 0
1 3.15 1 1 65535 26772858 2222180494
1 3.4 1 1 65535 991 194844
1 3.9 1 1 65535 7 611
1 4.15 1 0 65535 0 0 <==
1 4.4 1 0 65535 0 0 <==
1 4.9 1 0 65535 0 0 <==
1 5.15 1 1 65535 415 67645
1 5.4 1 1 65535 12 1926
1 5.9 1 1 65535 2 170

IMM_ENABLED ןis 0 for 4.15,4.4 and 4.9, which means that blade1 will not send traffic to either of the blade4 ports including to tenants deployed on blade4.

2. Partition velos.log will have similar "Could not acquire lock" for voq-state component creation/deletion errors after trying to set EMM state or activation status of the peer blades (there can be number of similar occurrences along the log):

fpgamgr[12]: nodename=blade-4(p1) priority="Info" version=1.0 msgid=0x305000000000005 msg="VoQ programmed" blade=2 port=4 module="EMM" state="enabled".
fpgamgr[12]: nodename=blade-4(p1) priority="Info" version=1.0 msgid=0x305000000000005 msg="VoQ programmed" blade=2 port=9 module="EMM" state="enabled".
fpgamgr[12]: nodename=blade-4(p1) priority="Info" version=1.0 msgid=0x305000000000005 msg="VoQ programmed" blade=2 port=15 module="EMM" state="enabled".

fpgamgr[12]: nodename=blade-4(p1) priority="Err" version=1.0 msgid=0x302000000000009 msg="Failed to delete CDB component" COMPONENT="/voq-states/voq-state" ERROR="locked" LASTERR="Could not acquire lock" ERRNO=10.

or

fpgamgr[13]: nodename=blade-8(p1) priority="Info" version=1.0 msgid=0x305000000000023 msg="Enabling VQF synchronization with slot" slot=1.
fpgamgr[13]: nodename=blade-8(p1) priority="Info" version=1.0 msgid=0x305000000000024 msg="Slot activation status updated in VQF" slot=1 status=1.
fpgamgr[13]: nodename=blade-8(p1) priority="Err" version=1.0 msgid=0x302000000000003 msg="Failed to create CDB component" COMPONENT="/voq-states/voq-state{%d %d}" ERROR="locked" LASTERR="Could not acquire lock" ERRNO=10.

fpgamgr[13]: nodename=blade-8(p1) priority="Info" version=1.0 msgid=0x305000000000023 msg="Enabling VQF synchronization with slot" slot=2.
fpgamgr[13]: nodename=blade-8(p1) priority="Info" version=1.0 msgid=0x305000000000024 msg="Slot activation status updated in VQF" slot=2 status=1.
fpgamgr[13]: nodename=blade-8(p1) priority="Err" version=1.0 msgid=0x302000000000003 msg="Failed to create CDB component" COMPONENT="/voq-states/voq-state{%d %d}" ERROR="locked" LASTERR="Could not acquire lock" ERRNO=10.

fpgamgr[13]: nodename=blade-8(p1) priority="Info" version=1.0 msgid=0x305000000000023 msg="Enabling VQF synchronization with slot" slot=3.
fpgamgr[13]: nodename=blade-8(p1) priority="Info" version=1.0 msgid=0x305000000000024 msg="Slot activation status updated in VQF" slot=3 status=1.
fpgamgr[13]: nodename=blade-8(p1) priority="Err" version=1.0 msgid=0x302000000000003 msg="Failed to create CDB component" COMPONENT="/voq-states/voq-state{%d %d}" ERROR="locked" LASTERR="Could not acquire lock" ERRNO=10.

Conditions:
Multi-bladed chassis is rebooted after an upgrade to 1.8.2.

Impact:
The impact will be related to inter-blade traffic.

If imm_enabled is 0 for an affected destination blade, ingress traffic entering the chassis on one blade destined to the tenant deployed on the affected blade will not reach the tenant.

Workaround:
Reboot affected blade, on partition issue:
cluster nodes node blade-X reboot

X being the number of the affected blade.

2139613 : Open Telemetry - system.disk.usage is always reported 0 on rSeries and VELOS

Links to More Info: BT2139613

Component: F5OS-A

Symptoms:
Open Telemetry - system.disk.usage is always reported 0 on rSeries and VELOS

Conditions:
In all cases when a telemetry exporter is configured

Impact:
In all cases when a telemetry exporter is configured, the system.disk.usage is always reported 0

Workaround:
None

Fix:
When an exporter is configured, the value for system.disk.usage is always 0. This is because of mapping the metric to a wrong tmstat table. As a part of fix, mapped this correctly to report the correct value of stats.

2138185 : LLDP may core when ConfD restarts or reconnects

Links to More Info: BT2138185

Component: F5OS-A and F5OS-C

Symptoms:
LLDP may core when ConfD restarts or reconnects. Log messages similar to the following may be soon in velos.log (F5OS-C) or platform.log (F5OS-A) around the time of the core:

2025-06-04T01:09:47.357839+03:00 blade-1(p1) lldpd[8]: priority="Err" version=1.0 msgid=0x6001000000000015 msg="Unable to start confD session." ERROR="Lost connection to ConfD" LASTERR="EOF on socket to ConfD" ERRNO=45.
2025-06-04T01:09:47.357842+03:00 blade-1(p1) lldpd[8]: priority="Err" version=1.0 msgid=0x6001000000000015 msg="Unable to start confD session." ERROR="Lost connection to ConfD" LASTERR="EOF on socket to ConfD" ERRNO=45.

Conditions:
-- LLDP in use.
-- ConfD restarts or reconnects.

Impact:
No functional impact.

Workaround:
NA

Fix:
Thread processing has been improved to enable smoother restarts and reconnections.

2137957 : Observing FCS Errors on system controller Peer HG Links

Links to More Info: BT2137957

Component: F5OS-C

Symptoms:
The symptom of this issue is FCS error counters incrementing on control plane system controller peer HG links.

Conditions:
Run a system with 1.8.1+ that has the 6.5.26 version of the broadcom SDK.

Impact:
Error counters increment, no system impact is observed aside from the counters incrementing.

Workaround:
None

Fix:
Had to modify SDK at init time to properly set advertisements to disable FEC on the peer links when running 6.5.26 SDK.

2137893 : TCP response packets dropped between F5OS and tenant after upgrade to F5OS 1.8.3★

Links to More Info: BT2137893

Component: F5OS-A

Symptoms:
TCP packets (e.g., ServerHello) are dropped between F5OS and tenant, causing application slowness or outages when connections exceed ~25K.

Conditions:
-- F5OS-A upgraded to 1.8.3 (from 1.3.2)
-- BIG-IP tenant running 17.1.3 or 17.5.1
-- TCP ACK (TS) DoS vector enabled (default or low threshold settings)
-- High connection rates (25K–30K+ active connections)

Impact:
- -Application downtime or degraded performance
-- Service disruption at high connection counts

Workaround:
Raise TCP ACK (TS) vector thresholds per K000139860
Disable the vector if not needed

2137577 : After upgrading, system health shows "disk encryption" as unhealthy even when UEFI communication is successful★

Links to More Info: BT2137577

Component: F5OS-A

Symptoms:
When upgrading from a version before 1.8.2 to version 1.8.2 or later, the system may incorrectly show "Disk Encryption" as unhealthy.

Conditions:
Occurs when upgrading from a version earlier than 1.8.2 to version 1.8.2 or later.

Impact:
System hardware health is incorrectly shown as unhealthy.

Workaround:
Reset the component attributes by calling below API as below:

docker exec -it diag-agent psf run POST:components/reset component=appliance/hardware/drives/disk-encryption

Fix:
Component attributes have been updated to correctly reflect the actual system state.

2132141 : Interface 8.0 on r2000 and r4000-series F5OS appliances does not join LACP LAG or transmit LLDP BPDUs after upgrade to F5OS-A 1.8.3★

Links to More Info: BT2132141

Component: F5OS-A

Symptoms:
- Interface 8.0 has an operational status of UP
- Interface 8.0 does not join a LACP LAG.
- Interface 8.0 does not transmit any LLDP packets.
- Log messages similar to the following in the platform.log:

nic-manager[8]: priority="Err" version=1.0 msgid=0x720c000000000003 msg="Error NULL interface descriptor".

Conditions:
- Running an affected version of F5OS-A.
- An r2000-series or r4000-series appliance. This issue does not affect r5000-, r10000-, or r12000-series appliances.
- Interface 8.0 is in a LACP LAG.

Impact:
Interface 8.0 is not able to negotiate and join a LACP LAG

Workaround:
This issue is fixed in F5OS-A 1.8.3 EHF-1, which is available for download on MyF5: https://my.f5.com/manage/s/downloads?productFamily=F5OS&productLine=F5OS+Appliance+Software&version=1.8.3&container=1.8.3-EHF

2131773 : Error message IDs for image-agent do not match those documented in the error catalog

Links to More Info: BT2131773

Component: F5OS-A

Symptoms:
Some of the message ids logged by the image-agent service in platform log do not match the error message id in the catalog.

Conditions:
Looking up image-agent logs by ID in the error message catalog.

Impact:
This discrepancy makes it difficult to correlate system logs with documentation for troubleshooting and support.

Workaround:
None

Fix:
Updated the error catalog message IDs correctly.

2131677 : PSU inventory data shows "Not Available" on F5OS-A

Links to More Info: BT2131677

Component: F5OS-A

Symptoms:
After PSU power test, F5OS reports PSU serial/part number as "Not Available" and shows empty state. Platform-hal logs "wrong common header format version: 0" and "wrong zero checksum 255 != 254" errors. PSU functions normally but inventory data unavailable.

Conditions:
Occurs after PSU power test/reseat
PSU FRU EEPROM corrupted
Failed to read the Seriel number.

Impact:
Incorrect PSU inventory display.

Workaround:
None

2131529 : CVE-2025-8058: glibc: Double free in glibc

Links to More Info: K000157129, BT2131529

2131429 : init_etile: Cable check failed

Links to More Info: BT2131429

Component: F5OS-A

Symptoms:
F5 rSeries Appliances may experience issues with port bringup when using an OPT-0036 in 4x10G bifurcated (breakout) mode. The system log will show an “init_etile: Cable check failed” message for one or more of the bifurcated ports. The system will not be able to establish a link on the port and the port status will remain down.

Conditions:
rSeries Appliance using an OPT-0036 in 4x10G breakout mode running F5OS-A-1.8.3 or earlier.

Impact:
Port remains down.

Workaround:
None. Requires F5OS update.

Fix:
Fixed in F5OS-A-1.8.3-25023-EHF-6 and later.

2131289 : CVE-2025-8114

Component: F5OS-A

Symptoms:
A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.

Conditions:
NA

Impact:
NULL Pointer Dereference

Workaround:
NA

Fix:
Fixed libssh rpm.

2131057 : CVE-2016-2148: Heap-based buffer overflow in the DHCP client, affecting BMC firmware

Links to More Info: K000156994, BT2131057

2130889 : CVE-2025-47273: setuptools path handling

Component: F5OS-A

Symptoms:
Certain package download operations may write files outside the expected temporary location.

Conditions:
Applies when the affected setuptools functionality is invoked in an environment where download inputs can be influenced.

Impact:
May lead to unintended file placement within the same security boundary.

Workaround:
NA

Fix:
Fixed

2130793 : CVE-2025-47268 iputils: Signed Integer Overflow in Timestamp Multiplication in iputils ping

Links to More Info: K000158112, BT2130793

2130773 : CVE-2025-48964 iputils: iputils integer overflow

Component: F5OS-A

Symptoms:
An integer overflow flaw has been discovered in the ping function within the iputils package. This overflow may allow an attacker to craft an ECHO reply which can prevent iputils from operating normally.

Conditions:
ping to the system.

Impact:
This issue may allow an attacker to craft an ECHO reply which can prevent iputils from operating normally.

Workaround:
NA

Fix:
Fixed

2119061 : Authentication failures not logged at default level in authentication-mgr and user-manager

Links to More Info: BT2119061

Component: F5OS-A

Symptoms:
When LDAP authentication fails due to TLS certificate validation errors (e.g., "unable to get local issuer certificate"), these failures are not captured in the default log level of authentication-mgr or user-manager. As a result, administrators must enable debug logging to obtain useful diagnostic information about the failure.

Conditions:
Running F5OS-C 1.8.1 (VELOS platform) or lower version.
LDAP authentication is configured for the system.

Impact:
- Administrators are unable to diagnose LDAP/TLS authentication failures using standard logs.
- Additional troubleshooting steps (enabling debug logging) are required to obtain error details.
- Increases time to resolution and may delay identification of root cause for authentication issues.

Workaround:
Enable debug logging for authentication-mgr and user-manager to capture detailed error messages related to LDAP/TLS failures.

Fix:
Future versions will improve logging so that LDAP/TLS authentication failures (such as certificate validation errors) are captured at the default log level, eliminating the need to enable debug logging for basic troubleshooting.

2119017 : F5OS not able to handle changes to LDAP tls_reqcert configuration

Links to More Info: BT2119017

Component: F5OS-A

Symptoms:
Changes to an LDAP server's tls_reqcert configuration are not handled by F5OS, resulting in authentication-manager and user-manager communication failures with the LDAP server

Conditions:
- LDAP system authentication configured to authenticate against an Active Directory Server
- Under the system Authentication Settings configuration in the Common LDAP Configuration section, "Authenticate with Active Directory" set to True and "Unix Attributes" set to False
- LDAP group filters specified for one or more roles
- The LDAP server's tls_reqcert configuration is modified while F5OS is actively running.

Impact:
Changes to the LDAP server's tls_reqcert setting will cause communication failures with the LDAP server.

Workaround:
Restart authentication manager and user manager after making configuration changes to the tls_reqcert configuration option.

2099829 : LLDP errors are logged when no IPv4 management address is configured

Links to More Info: BT2099829

Component: F5OS-C

Symptoms:
If a partition (F5OS-C) does not have an IPv4 management address configured, errors like the following will be logged in the partition's velos.log file:

lldpd[9]: nodename=blade-1(p1) priority="Err" version=1.0 msgid=0x6001000000000015 msg="Unable to start confD session." ERROR="item does not exist" LASTERR="/oc-sys:system/state/f5-partition:mgmt-ipv4 does not exist" ERRNO=1.

fpgamgr[11]: nodename=blade-5(p2) priority="Err" version=1.0 msgid=0x302000000000005 msg="cdb_get failed for" COMPONENT="/voq-states/voq-state{1 5}" ERROR="item does not exist" LASTERR="/f5-voq:voq-states/voq-state{1 5}/voqs_enabled does not exist" ERRNO=1.

Conditions:
A partition's IPv4 management address is not configured. Systems with only an ip6 address will also exhibit the same messages.

Impact:
These logs are benign and can be ignored.

Workaround:
To prevent these logs, configure an IPv4 management IP address.

2088601 : The anaconda-ssh service fails to start during installation phase, preventing remote SSH access

Links to More Info: BT2088601

Component: F5OS-C

Symptoms:
SSH access is unavailable when using the inst.sshd boot parameter to enable remote debugging or Kickstart monitoring.

Conditions:
To enable SSH access and troubleshoot boot issues during the bare metal installation process.

Impact:
Blocks remote debugging over SSH during the bare metal installation process.

Workaround:
Need to trobleshoot through console only.

Fix:
Enabled the eno1 physical port and resolved the OpenSSL and OpenSSH compatibility.

2087761 : A partition's "show system events" no longer updates after multiple partition failovers

Links to More Info: BT2087761

Component: F5OS-C

Symptoms:
After a partition is failed over more than once it will no longer list new events when running "show system events".

Conditions:
-- Chassis system with at least one partition.
-- The partition must have failed over at least twice.

Impact:
New events are no longer seen when running "show system events".

Workaround:
None

2079113 : Partitions created on VELOS v1.1.x will have configuration wiped during controller upgrade to VELOS v1.6.4, v1.8.1, or v1.8.2★

Links to More Info: BT2079113

Component: F5OS-C

Symptoms:
A partition's configuration can get wiped out and reset to default when the controller is upgraded to VELOS 1.6.4, v1.8.1, or v1.8.2.

Conditions:
If a partition was created while the system controller was running VELOS v1.1.x, the partition configuration volume may have been created with as an LVM "thin pool" rather than a logical volume. The problem does not occur with partitions created on VELOS 1.2.0 or later.

In VELOS v1.6.4, v1.8.1, and v1.8.2, the partition startup logic incorrectly fails to recognize that these filesystem volumes are already initialized, and reinitializes them resulting in data loss.

The reinitialization error is persistent, and will be repeated any time the partition instance is restarted, until the volumes are recreated without "thin provisioning".

Impact:
-- The partition configuration data is wiped and reset back to default.

Workaround:
Before upgrading to the system controllers to VELOS v1.6.4, v1.8.1, or v1.8.2, check if the partition logical volumes on either system controller are incorrectly provisioned.

To do this, run the "lvs" command from a bash shell on both controllers. "Thin provisioned" volumes will have numeric entries in the "Data%" and "Meta%" columns, and will have the "t" flag in the "Attr" column

In this example, partitions 1 is effected:

[root@controller-1:Active log]# lvs
 LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
 partition1 partition_config twi-a-tz-- 10.00g 0.00 10.61
 partition3 partition_config -wi-ao-z-- 10.00g
 export_chassis partition_image -wi-ao---- 256.12g
 partition1 partition_image twi-a-tz-- 15.00g 0.00 10.57
 partition1_shared partition_image -wi-a----- 10.00g
 partition3 partition_image -wi-ao-z-- 15.00g
 partition3_shared partition_image -wi-ao---- 10.00g
 ...

If this condition exists, do not upgrade to these versions and contact support for assistance for non-destructively converting these volumes.

Fix:
In VELOS v1.8.3, the partition startup logic correctly recognizes that these partition logical volumes are already initialized, and does not wipe and recreate them.

2078813 : CVE-2025-6395 gnutls: NULL pointer dereference in _gnutls_figure_common_ciphersuite()

Component: F5OS-A

Symptoms:
A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().

Conditions:
NA

Impact:
NULL Pointer Dereference

Workaround:
NA

Fix:
Fixed the gnutls.

2078809 : CVE-2025-32990 gnutls: certtool template parsing

Component: F5OS-A

Symptoms:
A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Conditions:
NA

Impact:
Heap-based Buffer Overflow

Workaround:
NA

Fix:
Fixed the gnutls.

2078689 : CVE-2025-6170 libxml2: Stack Buffer Overflow in xmllint Interactive Shell Command Handling

Component: F5OS-A

Symptoms:
The xmllint interactive shell may crash when processing excessively long user input.

Conditions:
Occurs when a local user runs xmllint in interactive shell mode and provides specially crafted oversized input.

Impact:
May cause the xmllint process to crash, resulting in limited denial of service; exploitation is unlikely in typical deployments.

Workaround:
N/A

Fix:
Upgraded to fixed version

2078301-4 : Dagd may crash if a malicious message is sent from the tenant

Links to More Info: K000156796, BT2078301

2064397 : TACACS GUI Authentication Failure

Links to More Info: BT2064397

Component: F5OS-A and F5OS-C

Symptoms:
When using an affected version of F5OS, TACACS users may successfully authenticate; however, the GUI session closes immediately, and any requests return a 401 error. The following error message is observed:

ERROR: PAM validation failed: User role modified

Conditions:
-- Occurs on F5OS-A (rSeries) and F5OS-C (VELOS) platforms running version 1.8.x.
-- TACACS server configuration includes a home directory attribute (F5-F5OS-HOMEDIR) with a trailing space (e.g., "/tmp ").

Impact:
TACACS users are unable to log into the F5OS GUI.
Authentication succeeds, but authorization fails, resulting in immediate session termination and a 401 error.
SSH access is unaffected.

Workaround:
-- Remove any trailing spaces from the F5-F5OS-HOMEDIR attribute in the TACACS server configuration.
-- Ensure all TACACS attributes are formatted correctly without extra whitespace.

Fix:
The system handles extraneous whitespace in TACACS attributes more robustly.

2063565 : CVE-2022-23219: glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname

Links to More Info: K52308021, BT2063565

2063545 : CVE-2022-23218: glibc: Stack-based buffer overflow in svcunix_create via long pathnames

Links to More Info: K52308021, BT2063545

2063497 : Controllers lose connectivity to blades with stale LACP members in member table

Component: F5OS-C

Symptoms:
LACP member table has stale members and controllers lose connectivity to blades.

Conditions:
Issue can happen when the following are performed.
- Manually failover the controllers.
- Power down active controller.
- Reboot active controller.
- Physically remove active controller from the chassis.

Impact:
Controllers lose connectivity to blades and stale LACP members cannot be cleaned up.

Workaround:
Restart cc-lacpd container on the active controller, or reboot active controller.

Fix:
Debug log is added to help debugging the issue. Enable cc-lacpd debug log and look for msgid=0x3301000000000050 from velos.log. This debug log prints the cache of current confD member table data.

2063201 : Authentication of LDAP Remote user in AD server may fail

Links to More Info: BT2063201

Component: F5OS-A

Symptoms:
LDAP Remote user authentication in F5OS may fail when the Unix attributes is set to false.

Conditions:
If LDAP authentication is configured with an Active Directory (AD) server, remote users will not be able to authenticate successfully on F5OS.

Impact:
Remote user may not be able to login to F5OS.

Workaround:
None

2049845 : OPT-0056 100G link intermittently fails to come up after reboot or hot plug insertion due to incorrect Media Side FEC programming

Links to More Info: BT2049845

Component: F5OS-C

Symptoms:
An OPT-0056 100G link intermittently fails to come up after a reboot or hot plug insertion.

Conditions:
Having an OPT-0056 100G link and after a system reboot or hot plug inserts the optic into the system.

Impact:
Intermittent link issues.

Workaround:
None

2048033 : FCS or FEC uncorrected errors seen continuously on the system

Links to More Info: BT2048033

Component: F5OS-C

Symptoms:
FCS (Frame Check Sequence) and FEC (Forward Error Correction) error statistics for chassis/blade backplane ports were incorrectly reported as unhealthy because the system interpreted raw (non-zero) counter values as errors.

Conditions:
Occurs when switch reports FCS or FEC errors greater than 0

Impact:
System will display switch port status alarms and events.

Workaround:
None.

2047361 : 'show cluster events' cli output is not displaying unhealthy->healthy, ordering and timestamps of events

Links to More Info: BT2047361

Component: F5OS-A

Symptoms:
'show cluster events' cli output is not showing timestamp of events(when the event occurred) and no detailed information on the healthiness(healthy/unhealthy) or severity(Info/Warning) of the event.

Conditions:
When user executes cli related to 'show cluster events', the output is not showing timestamp of events(when the event occurred) and no detailed information on the healthiness(healthy/unhealthy) or severity(Info/Warning) of the event.

Impact:
There is no functional impact but displayed events timestamp, healthiness is missed.

Workaround:
No workaround.

Fix:
The issue is fixed.

2046597 : Setting the primary key on VELOS will intermittently cause a failover and primary key inconsistency

Links to More Info: BT2046597

Component: F5OS-C

Symptoms:
When performing a "system aaa primary-key set" operation, sometimes the controller will fail over prior to updating the database values, resulting in an inconsistent decryption key. The set key operation remains in 'IN_PROGRESS' and does not recover.

Conditions:
Retry timing problem in the key retrieval logic sometimes causes the database to hang for over 30 seconds during configuration reload, resulting in the hardware watchdog expiring and causing a failover.

Impact:
Configuration database will not be usable, partitions will not start correctly. System must be restored from backup.

Workaround:
Prior to attempting to change the primary-key, ensure that a controller, partition, and tenant backups with a known primary-key are available. If the problem occurs, perform a "system database reset-to-default", reset the primary key to the previous known value corresponding to the backup and restore the backups.

Fix:
Setting the primary key does not cause a failover.

2046501 : NTP CLI/webUI displays "ntp api, the server or underlying service is unreachable"

Component: F5OS-A

Symptoms:
1. Newly configured DNS IPs are not used in tcpdump-platform-agent container.
2. show system ntp command is unresponsive.

Conditions:
1. New DNS IPs are configured

Impact:
1. The "ping" command is unable to use the recently configured DNS IPs
2. Timeout occurs when you execute "show system ntp".

Workaround:
None

Fix:
1. Ping now correctly uses newly configured DNS servers.
2. The show system ntp command responds faster.

2044517 : Changing LDAP configuration via the GUI results in an unexpected error

Links to More Info: BT2044517

Component: F5OS-A

Symptoms:
Changing LDAP configuration on GUI errors out with the following error message - "object is not writable:
/oc-sys:system/oc-sys:aaa/oc-sys:authentication/f5-aaa-ldap:ldap/f5-aaa-ldap:state"

Conditions:
When using a Windows Active Directory (AD) server and LDAP settings are configured with Active Directory authentication enabled (true) and Unix Attributes disabled (false).

Impact:
You are unable to make LDAP configuration changes via the GUI.

Workaround:
Make the configuration change from CLI.

Fix:
GUI will not modify the read-only state part of the LDAP configuration and allow user to save the LDAP configuration changes.

2037525 : Appliance_orchestration_manager process occasionally cores

Links to More Info: BT2037525

Component: F5OS-A

Symptoms:
Occasionally the appliance_orchestration_manager daemon will core.

Conditions:
This can occur in appliance_orchestration_manager during normal operation.

Impact:
After core, service will restart the operation.

Workaround:
None

2037233 : VELOS controller cannot change primary key if there is an NTP key configured

Links to More Info: BT2037233

Component: F5OS-C

Symptoms:
If an NTP key is configured, attempts to change the system's primary key will fail and log these errors:

confd-key-migrationd[9]: nodename=controller-1 priority="Err" version=1.0 msgid=0x1b01000000000010 msg="Failed to set element in cdb" path="/system/ntp/ntp-keys/ntp-key{1}/state/key-value" error="" errno="Interrupted system call".
confd-key-migrationd[9]: nodename=controller-1 priority="Crit" version=1.0 msgid=0x1b01000000000002 msg="Key Migration failed, attempting to restore" stage="RESTORE_SECURE_ELEMENTS"

Conditions:
-- VELOS system controller running F5OS-C.
-- NTP encryption key configured.

Impact:
Unable to change primary key.

Workaround:
-- Remove the NTP key from the configuration.
-- Perform the key migration.
-- Re-add the NTP key to the configuration.

2035593-2 : Max DNS entries supported are three, if more are configured the extras are ignored, and even after reducing to three, the previously ignored entries are not reapplied.

Links to More Info: BT2035593

Component: F5OS-A

Symptoms:
The system supports a maximum of three DNS entries. When more than three are configured, the additional entries are ignored. However, after removing the extra entries and reducing the list to three, the previously ignored entries are still not added back to the system.

Conditions:
Configuring more than 3 DNS entries and removing previously added entries

Impact:
DNS resolution failure.

Workaround:
Recreate DNS entries

Fix:
NA

2035549 : System_host_config container's outbound DNS traffic will use stale DNS lookup entries.

Component: F5OS-A

Symptoms:
When DNS server entries are added to the appliance via ConfD, the entry is not updated in /etc/resolv.conf of the system_host_config container. Outbound traffic from system_host_config will use stale DNS entries.

Conditions:
A new DNS server or host-entries are added on appliances via ConfD.

Impact:
The new entry is not updated in the system_host_config container's /etc/resolv.conf file. This container does not generate outbound traffic so there is no functional impact.

Workaround:
If you need system_host_config to have the updated DNS server entries, restart the system_host_config container:

docker restart system_host_config

Fix:
Restarting the container should update the DNS lookup entries.

2035545 : Incorrect network namespace for system_tmstat_merged

Component: F5OS-A and F5OS-C

Symptoms:
system_tmstat_merged is running in the host network namespace at all times

Conditions:
It is running in the host network namespace all the time.

Impact:
Isolation, Security Implications, Behaviour change

Workaround:
Changed the network namespace from host to service:identifier

Fix:
system_tmstat_merged is running in the container network namespace

2035153 : The confd-key-migrationd logs may display incorrect error messages during migration failures

Links to More Info: BT2035153

Component: F5OS-A

Symptoms:
The confd-key-migrationd logs may display incorrect or misleading error messages during migration failures.

Conditions:
When confd-key-migrationd encounters errors during migration, the logged error messages may not accurately reflect the actual cause.

Impact:
The logs don't provide enough detail to identify the underlying problem.

Workaround:
NA

Fix:
Fixed an issue that caused confd-key-migrationd to log incorrect error messages during migration failures.

2034949 : Authentication-mgr's restart triggers Controller Switchover

Component: F5OS-C

Symptoms:
When the container is restarted using ‘docker restart authentication-mgr’, at times, controller failover occurs.

Conditions:
When the container is restarted using ‘docker restart authentication-mgr’, the following container events take place: · container:event:kill · container:event:die · container:event:stop · container:event:start · container:event:restart. During this process, it's container:running attribute is temporarily set to Unhealthy | Error before the container starts.

Impact:
When authentication-mgr's container:running attribute is set to Unhealthy, even for a very short interval, In some of the instances, the parent components(Controller)are also updated to Unhealthy, which triggers a failover.

Workaround:
None.

Fix:
The value of parameter 'critical' for authentication-mgr is updated. This will not set the container:running attribute to Unhealthy | Error before the container starts.

2034889 : Blade interface presence/stats are getting wiped because of bad power event during system controller failover

Links to More Info: BT2034889

Component: F5OS-C

Symptoms:
After inserting a blade in the chassis, the blade interface state may be wiped out on the next system controller failover.

Interfaces will be shown as "NOT_PRESENT" even though the blade is present and running.


default-1# show interfaces interface state oper-status
NAME OPER STATUS
--------------------
1/1.0 DOWN
1/2.0 DOWN
2/1.0 NOT_PRESENT
2/2.0 NOT_PRESENT
3/1.0 DOWN
3/2.0 DOWN

Conditions:
Physically inserting a blade in the chassis, followed by a controller failover after the blade finishes booting.

Impact:
After the controller failover, the incorrect 'power off' event causes the partition software to erase the blade dataplane state, resulting in the blade dataplane being inoperative.

Workaround:
To avoid the issue:

After inserting a blade in the chassis, cause a controller failover and then reboot the blade.

To recover if the problem is encountered:

Reboot the blade.

Fix:
Inaccurate power events are not generated during system controller failover.

2034665 : F5 VELOS BX520 ATSE firmware v75.3.25.00

Links to More Info: BT2034665

Component: F5OS-C

Symptoms:
F5 VELOS BX520 ATSE firmware v75.3.25.00

Conditions:
F5 VELOS BX520 Platform

Impact:
Not applicable.

Workaround:
None

Fix:
Fixes disaggregation issue. See ID2034661 for more information.

2034661 : BX520 blade eDAG masking issue causes redirections with ipv6-prefix-len not equal to 128.

Links to More Info: BT2034661

Component: F5OS-C

Symptoms:
This issue can cause lower overall system performance because of bad disaggregation to service endpoint. Host software recognizes that packets are not at the correct endpoint and redirects the packets to the correct endpoint. The extra packet hop can cause lower overall system performance.

Conditions:
ipv6-prefix-len not equal to 128.

ATSE v75.3.23.00 or earlier.

Impact:
Variable packet performance and latency impact.

Workaround:
Update to ATSE v75.3.25.00 or newer bitstream release for BX520 blade.

Fix:
Logic issue in disaggregation masking found and fixed in ATSE v75.3.25.00 bitstream release for BX520 blade.

2034381 : System controller configuration of cplagg interfaces should be modified

Links to More Info: BT2034381

Component: F5OS-C

Symptoms:
If the lag-type of a cplagg_1.x interface is removed,
System Controller/blade communications will stop working. System Controller ConfD configuration of cplagg interfaces is set up by the confd initialization XML. The configuration may be viewed but should never be modified. Modification of the CPLAGG interface configuration needs to be blocked.

Conditions:
System Controllers are up and running, and the confd configuration is accessible to the user.

Impact:
Control plane communications may be lost to the blade reachable through the modified cplagg interface.

Workaround:
Restore the CPLAGG configuration that existed before the modification. Perform a staged reboot of the system controllers: reboot the standby controller, after the rebooted controller comes up, make it the active controller, and reboot the new standby controller.

Fix:
Users are prevented from modifying the System Controller confd configuration of the CPLAGG interfaces.

2025949 : Configuring more than one mgmt aggregation interface may cause an aggregated management port to stop working

Links to More Info: BT2025949

Component: F5OS-A

Symptoms:
It is a documented restriction that only one user-defined aggregation interface is allowed to be configured in the System Controller ConfD configuration - the aggregation interface required to support management port aggregation.

All subsequent user defined aggregation interfaces added to the System Controller ConfD configuration will be ignored by switchd. The management port aggregation may continue to function even after this configuration is performed since the switch trunk hardware is already programmed. However, after any event which requires reprogramming of the trunk hardware (ie. loss of trunk member or a system controller reboot), requests by LACP to update the trunk will be ignored by switchd and management connectivity will appear unreliable or completely non-existent.

Conditions:
Configuration of an additional System Controller aggregation interface followed by some event which requires switch hardware to be reprogrammed. Example: User upgrades the System Controller which causes the controllers to reboot.

Impact:
You may experience unreliable or complete loss of chassis, partition and tenant management connectivity.

Workaround:
- Delete all but one of the user-defined aggregation interfaces and LACP interfaces of the same name from the System Controller ConfD configuration.

- Make sure that SC management ports 1/mgmt0 and 2/mgmt0 ethernet aggregation-id are configured with the name of the aggregation interface that remains.

- Reboot both system controllers.

Fix:
Attempts to configure additional user-defined aggregation interfaces are blocked.

2017057 : F5OS-A 1.8.0 qkview does not include "user readable" docker ps -a command output

Links to More Info: BT2017057

Component: F5OS-A

Symptoms:
Qkview does not include "user readable" docker ps -a command output