System messages say it will reboot after the firmware update but the system does not actually reboot.

Note: If you try to reboot while the update is in progress, the reboot fails and logs a message indicating that the system is going down for reboot. It does not reboot, however.

Messages displayed:

-- Failed to start reboot.target: Transaction contains conflicting jobs 'stop' and 'start' for systemd-reboot.service. Probably contradicting requirement dependencies configured.

-- See system logs and 'systemctl status reboot.target' for details.

-- Broadcast message from root@localhost on ttyS0 (Tue 2020-01-28 10:18:33 PST):

The system is going down for reboot NOW!

Conditions:

-- Firmware is being updated.

-- User initiates a system reboot.

Impact:

The system prevents rebooting while the firmware upgrade is in progress, but an erroneous message is logged indicating that a reboot will occur.

Do not attempt to reboot during a firmware update. The message is erroneous and you can safely ignore it.

Conditions:

-- Train Cold - Run Hot (TCRH) Compensation Feature triggered in response to platform temperature changes.

-- VELOS BX110 blades.

Impact:

The Train Cold - Run Hot (TCRH) Compensation Feature is an expected behavior on the VELOS BX110 blade and these infrequent correctable errors have no system impact.

None needed. This is a benign message that you can safely ignore.

During boot, the system logs a message: i8042: No controller found.

Conditions:

This occurs during system startup of a VELOS System Controller or Blade.

Impact:

The message is benign, and you can safely ignore it.

None

'Error parsing PCC subspaces' appears on the console when the system boots.

Conditions:

Viewing the console on boot.

Impact:

The message is benign and can be ignored.

None

During boot, the system controllers may display the message [FAILED] Failed to start origin-node.service.

Conditions:

The system is booting up.

Impact:

An error is logged, but there are no known negative impacts to system operation. The origin-node service is dependent on the docker daemon and other dependent services. In the background, the origin-node service automatically starts when the dependent services are up and running.

PWR-0366-XX 3000W AC power supply used in VELOS CX410 series chassis reports a 'PSU <n> other communication fault event' in the log when the power supply is hot plugged (Hot plug: disconnecting/applying power to a PSU connection).

Conditions:

This fault indicates that there is a problem with the communication between the primary and secondary PSU DSP devices inside the PSU. This usually happens when the PSU is connected to 12V bus and the AC power cord has been removed. In this situation, the secondary-side DSP is powered from the 12V bus through a peer supply, while the primary-side is not powered because AC is removed.

Impact:

Eventually, the lack of communication triggers a STATUS_CML.COMM_FAULT and records the message in the log. This is a latching fault that can turn-off 12Vout, meaning that, in PMBus, this fault remains asserted even if internally the fault is already removed.

There is no fix for this issue as the power supply functions as designed.

When you issue a 'bigstart stop' command in a tenant running on the VELOS platform, the management port becomes unreachable.

Conditions:

-- Log into the tenant using an ssh connection to the management IP address.

-- Issue the command: bigstart stop.

Impact:

Cannot ssh or ping the tenant management IP address.

Specify tmm with the command: bigstart stop tmm

The tenant management MAC addresses do not originate from the chassis-wide management pool. They are software-generated MAC addresses. Though unlikely, this randomly allocated MAC address might collide with an existing MAC address in the tenant management network. This can result in unexpected and erratic network behavior for the tenant and for the external entity that has the same MAC address.

Conditions:

-- Start up a tenant.

-- The system assigns a random management port.

-- The random management port has a MAC address that already exists in the network.

Impact:

A tenant or external entity with the same MAC as the tenant could experience intermittent network issues on the management network, including tenant startup failure.

To have the system generate a new MAC address: toggle the tenant's running state to Provisioned and back to Deployed.

Note: If the new MAC address also conflicts with an existing MAC address, you must perform these steps again.

When you change an existing port group, e.g., from one 100G to 4 25G, STP still reports the old interfaces in 'show stp' from the CLI. Additionally, the new interface does not display in the CLI.

Conditions:

This occurs when making changes to the port group mode, e.g., from one 100G to 4 25G mode.

Impact:

-- The old interfaces still display when running 'show stp' from the CLI.

-- The new interface does not display when running 'show stp' from the CLI.

-- You must manually remove the old interfaces and add the new interface via the CLI.

You must manually remove the old interfaces and add the new interface via the CLI.

The show components information does not include the firmware version information for the sirr or ssd.

Conditions:

Running the show components command.

Impact:

The show components command does not report the firmware version information for the sirr or ssd data fields.

None

The 'show interfaces interface state operstatus' reports 'UP' for interfaces on System Controller when it is permanently down (i.e., powered off or removed).

Conditions:

-- Running the command: 'show interfaces interface state operstatus'.

-- A System Controller is removed or ceases to function.

Impact:

Incorrect status is returned. This occurs because the interfaces operstatus cannot be updated by the down or missing System Controller.

None

If you issue a reset counters command, the in-discards counter is not reset to 0.

Conditions:

Issue 'reset counters interfaces <interface>' or 'reset counters all' commands.

Impact:

Counter is not reset to 0.

None

When a USB device is present in the blade, the velos.log contains a large number of errors from platform-hal related to the USB device and attempts to detect it.

Conditions:

USB device is present in the blade.

Impact:

Numerous unnecessary messages appear in the log.

These messages are benign, and you can safely ignore them.

During startup, the VELOS system logs a message:

BAR 7: failed to assign.

Conditions:

This occurs when Intel X553 Ethernet is initialized during system startup of a VELOS blade.

Impact:

The messages is benign and you can safely ignore it.

None

After system startup, dmesg shows the following messages:

[ 1.306207] ERST: Error Record Serialization Table (ERST) support is initialized.

[ 18.503404] uds: kvdo0:dedupeQ: verifyBufferedData got unexpected data: UDS Error: Corrupt saved component (1030)

Conditions:

Viewing messages after system startup.

Impact:

ERST is not an error. It means ERST is initialized and although 'E' stands for 'error', the log message is not an error message. The kvdo0:dedupeQ message occurs when the VDO volume is initialized. Since the volume has only been initialized, there's nothing to corrupt. Both messages can be ignored.

These are not error messages, and you can safely ignore them.

The CLI command 'show system blade-power' displays the power requested and allocated to a blade. It does not show the power currently being drawn by the blade.

Conditions:

Blade is powered off via AOM commands.

Impact:

The 'show system blade-power' command output does not change, so it is not a suitable method to determine the power status of blades in the system. There is no impact to the running system itself.

When appliance mode is enabled, access to the Advanced shell (bash) is removed, and the system root user cannot log in to the device by any means, including the serial console. When appliance mode is then disabled, Advanced shell access and root login are still disabled.

Conditions:

-- Enable appliance mode for a tenant.

-- Disable appliance mode for a tenant.

Impact:

Cannot access the Advanced shell or log in as root user when appliance mode is disabled. This is intended functionality.

Log in via tmsh:

tmsh modify sys db systemauth.disablerootlogin value false tmsh

modify sys db systemauth.disablebash value false

Conditions:

This may happen intermittently if the internal subnet is set to a non-default value.

Impact:

You cannot reliably view CPU and memory utilization through the CLI.

None

If the standby system controller is removed, the CLI command 'show components component' information is not updated to reflect its removal.

Conditions:

-- Standby system controller is removed.

-- Running the CLI command 'show components component'.

Impact:

No operational impact other than the data is stale. If another controller is installed, the data is updated to reflect the new controller.

To remove the stale data, you must reboot the remaining system controller or replace the removed standby controller.

Status LED may be left in the off state after an LCD test.

Conditions:

Issue occurs after the LCD test is executed.

Impact:

Status LED may not reflect actual state of the system after an LCD test.

Power-cycling the chassis resolves the Status LED state.

Several switch-related events sometimes occur when a blade is rebooted. These events are generated if the switch port to which the blade is connected reports an FEC Uncorrected Error, and posts error messages similar to the following:

-- NOTICE 'Switch Port in fault state'.

The errors usually clear soon after the blade boots up.

Conditions:

This occurs upon system start up.

Impact:

The system generates a few unwanted events. If the blade boots successfully and networking is functioning normally, you can safely ignore the 'Switch Port in fault state' events.

None

Qkview collection is distributed, and there is a main process for collecting qkview information from peer devices. The main qkview process (running on the active system controller) or the partition manager, spawns processes to collect from its peers. Peers are not aware of whether the main qkview operation has been canceled.

Conditions:

A qkview is canceled, and then immediately restarted.

Impact:

Partial qkview collection. When a qkview is canceled on the main collection system, the peers are not aware of this, and continue to collect. The peer qkviews may not be collected if the peers are still processing the last qkview request.

Wait 5 minutes after canceling, and then run qkview again.

If an admin configures a tenant with a name that is longer than 49 characters, tenant deployment fails.

Conditions:

Partition created and enabled on VELOS hardware for admin to login and create a tenant configuration.

Impact:

Configured tenant fails to schedule on the VELOS cluster due to Red Hat OpenShift name length restrictions, i.e., if the tenant name has more than 49 characters, the server rejects the deployment request

Delete the existing tenant and create a new tenant deployment with a name having 49 or fewer characters.

Note: The system might not prevent you from using more characters, but the recommendation is 49 or fewer.

The CLI includes the TACACS_ALL authentication option, but this option has no functionality.

Conditions:

This is encountered while configuring authentication using the following command:

system aaa authentication config authentication-method

Impact:

TACACS_ALL is presented, but this option does nothing.

Do not use the TACACS_ALL option.

No interfaces are listed in the partition management screen under Network Settings :: Port Groups, Interfaces, or LAGs.

Conditions:

Conditions under which this occurs are not entirely known. It has been seen after multiple reset-to-defaults commands are issued.

Impact:

System does not function properly.

Issue a single reset-to-defaults command at a time. Should this condition occur, reboot the entire chassis (both controllers) and the interfaces should repopulate as expected.

When creating a partition using the CLI, and trying to validate the changes with 'commit check', a validation error occurs: partitions 'partition part1 uuid' is not configured.

Conditions:

-- Create a partition using the CLI.

-- Attempt to validate the changes using 'commit check'.

Impact:

The 'commit check' operation rejects this config change. This error is misleading, indicating that you need to specify a uuid value.

Note: Not only is uuid irrelevant, it is not possible for you to specify it.

None

When restoring a previously saved system database, the filename is not tab-expandable. There is no way to get a list of the existing system database backup filenames, other than by using CLI filesystem operations.

Conditions:

-- Run 'system database config-backup name' to restore a previously saved system database using the CLI.

-- Attempt to tab-expand the filename portion of the command.

Impact:

You must exit to the bash shell, or use the file operations to find the backup filename and try the operation again.

To determine the previously saved filenames:

-- For system controller, use:

file list path /var/confd/configs/

-- For partitions, use:

file list path /var/F5/partition/configs/

If the qkview filename contains a space, the system uses only the first word for the qkview filename.

Conditions:

Using filenames with spaces in them while generating a qkview.

Impact:

Only the first word is used in the generated qkview filename.

Do not use spaces in qkview filenames.

The system does not display the current date/time and timezone in the GUI, which can make it difficult to review alerts or logs without knowing/remembering how the system is configured. The system does not provide a mechanism to update the system clock directly, without NTP.

Conditions:

Attempting to view or set system time and date via the GUI.

Impact:

You cannot view or set system time and date through the GUI.

None

The GUI stops working without any warning or error if an ed25519 crt/key is imported.

Conditions:

Import an ed25519 crt/key.

Impact:

GUI stops working. In the system controller log you see errors:

OpenSSL PEM_read_bio_PrivateKey failed read key" file="server.key". -- controller-1 /usr/bin/authd[7]: priority="Err" version=1.0 msgid=0x3901000000000022 msg=OpenSSL X509_PUBKEY_get failed to get key."

Do not use ed25519 crts/keys.

It is possible to assign the same management IP address to multiple partitions.

Conditions:

This is encountered when creating new partitions using the CLI. You can duplicate the management IP address without getting an error.

Impact:

Creating a duplicate management IP address can cause management traffic disruption.

Reconfigure the affected partitions with unique IP addresses.

When the CLI is used to clear the configured IPv4 address, the system reports the prefix length as 32 bits

Conditions:

-- Clearing the configured IPv4 address.

-- Viewing the prefix information the system reports.

Impact:

CLI shows prefix length of 32. There is no functional impact. When an IPv4 address and prefix is set again, the proper prefix length is reported.

None

When the standby system controller is removed, the CLI data is not updated to reflect its removal. The empty state field is one of several bits of data that is not correct.

Conditions:

-- After removal of standby system controller.

-- Viewing state information in the CLI.

Impact:

No operational impact; just stale/incorrect CLI data about the state of the removed system controller.

You can correct the data using either of the following:

-- Reboot the remaining system controller.

-- Insert a system controller to replace the standby controller that was removed.

Qkviews are started and collected on the active controller/partition. If a failover happens while a qkview is in progress, that qkview operation is aborted, and the file deleted.

Conditions:

1. Start a qkview on the active device.

2. Failover the active to standby.

Impact:

The qkview collection stops and no file is created.

Do not initiate a failover from active to standby while qkview is in progress.

The top command defaults to 80 characters, if run outside of a console, as it is in qkview. When top is executed in this fashion, the -w parameter must be used, in order to specify output width.

Conditions:

Run qkview.

Impact:

Output of top command is truncated at 80 characters. Some contents of the top command may be missing in qkview files.

Run top separately from qkview.

The CLI presents configuration options for IPv6, but the IPv6 functionality is not supported in this release and does not function properly.

Conditions:

-- Viewing the CLI configuration options.

-- Attempt to configure the IPv6 options.

Impact:

IPv6 configuration does not work.

None

A number of system controller operations related to images suffer from an approximately 5-second delay. This includes CLI commands such as 'show image partition' and 'show image controller', but there is also a delay when using tab-completion to view suggested completions for such commands. The delay appears to be mostly constant, independent of the number of partitions in the system. The delay is always present for these commands.

Conditions:

Using CLI commands related to images.

Impact:

In addition to the 5-second delays experienced directly on the CLI, there is likely similar impact to related GUI functionality, such as the partition management page. These delays do not appear to negatively impact any functionality.

None

Inside the F5OS CLI, the 'delete' key behaves in the same way as the backspace key. Instead of deleting the next character (the character to the right of the cursor), pressing 'Delete' deletes the previous character (the character to the left of the cursor).

Conditions:

Using the F5OS CLI.

Impact:

'Delete' key does not function in expected fashion.

Use the arrow keys to change the cursor location and then use backspace.

Tcpdump may show the packets in an out-of-order fashion if it is run from a partition that spans multiple blades. The order refers to the timeline of these packets appearing on the network links outside the system, e.g., a TCP SYN may come from the client to the system, and the system may have responded with a SYN-ACK to the outside client. The capture may show the SYN-ACK packet first and then the SYN.

Other than inferring from knowledge of the protocol what these packets represent, there is no real way to mitigate in the multiple-port aggregation scenario.

Note: A tcpdump run from inside a BIG-IP tenant shows the correct order.

Conditions:

-- This may be encountered where there is an LACP-aggregated link that spans two ports on two different blades.

-- It has also been seen less frequently as out-of-order between ingress (outside-to-host) and egress (host-to-outside) packets.

Impact:

Tcpdump captures show the order of the packets differently from when they really happened, leading to possible misinterpretation of events.

None

After a system controller failover, the PSU information may not be populated in the command:

show components component.

Conditions:

Active system controller fails over to the standby.

Impact:

PSU data is not listed. There is no operational impact to the system.

A total system reboot is the only option for listing the PSU data in the 'show components component' output.

While using the GUI to create a new user on the System Controller, you click the Save and Close button and the user is created but an error is displayed:

Server Error(s)

Something went wrong. Check the web browser console for more details or contact technical support for assistance.

Conditions:

Using the GUI to create a new user account.

Impact:

The user is created but an error is displayed.

None

The partition 'system database config-backup' command overwrites an existing backup file.

Conditions:

Running the partition 'system database config-backup' command.

Impact:

If a config backup exists, the operation silently overwrites it.

Specify a unique filename for each backup operation:

system database config-backup name unique-filename

The top-level software for F5OS comprises two ISO images: one for partition/blades, and one for the system controller. These must both be installed, separately.

You have the option of downloading a .tar file containing both .iso files. However, the .tar archive is not itself directly importable on the running system, and download stalls.

Conditions:

-- Download the F5OS software in a bundled .tar archive.

-- Attempt to import the bundle for use on the system.

Impact:

Import operation does not complete. You must perform manual steps to import F5OS the .tar software file.

-- There are two .iso files that you must download for F5OS software: one for the system controller and one for the partition. These must both be installed, separately. You can download them separately and install them individually.

-- You can also download the .tar file, if you prefer to download both .iso files simultaneously. That way, you can untar the download in a location on an HTTPS server to serve the images to the chassis being rolled out. Once copied over, unpack the archive and import each ISO individually, by copying them to the import directory (/var/import/staging) on the active system controller.

K42910051: OpenSSL vulnerability CVE-2020-1971

In many cases, software imports (such as chassis partition or system controller ISO imports) can take up to 30 minutes to complete and synchronize across both system controllers.

Conditions:

This is encountered when importing F5OS platform software for VELOS.

Impact:

It may take a long time for the import to complete and synchronize.

Wait at least 30 minutes for imports to synchronize before assuming the import has failed and trying to fix it.

A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Not vulnerable.

K27238230: glibc vulnerability CVE-2020-29573

Interface config tpid leaf is exposed but it is not supported.

Conditions:

-- In CLI config mode, the system presents tpid as a possible config option.

-- In CLI show mode, tpid is shown as oper data.

Impact:

Interface config tpid leaf is exposed but it is not supported.

Ignore the tpid from interface/config or interface/state.

K84900646: Linux kernel vulnerability CVE-2020-14385

K32380005: Linux kernel vulnerability CVE-2019-18282

Multiple dnsmasq vulnerabilities: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687 A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in the way RRSets are sorted before validating with DNSSEC data. An attacker on the network, who can forge DNS replies such as that they are accepted as valid, could use this flaw to cause a buffer overflow with arbitrary data in a heap memory segment, possibly executing code on the machine. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

N/A

K27238230: glibc vulnerability CVE-2020-29573

The OpenShift cluster will appear offline to the user.

Conditions:

Occurs occasionally when the active system controller is physically removed.

Impact:

No access to the OpenShift cluster. The OpenShift cluster appears offline.

To have the cluster come back online, re-insert the extracted system controller.

A URL that does not specify HTTPS as the protocol is accepted as valid input, but results in a failed file transfer.

Conditions:

-- Importing a file to the device.

-- Enter a URL that does not specify HTTPS as the protocol.

Impact:

The URL field accepts the input, but the file transfer fails. Lack of protocol validation on the URL input does not prevent you from entering a URL that can result in a failed file import.

All file import URLs must be preceded with the HTTPS protocol.

Importing a file using File Utilities or the Software Management import utilities for System Controller and Chassis Partition software images can result in an error, even when the URL and other parameters are correct.

Conditions:

-- Importing a file.

-- The first attempt has an invalid URL.

-- Subsequent import attempts contain similarities in the URL paths used on the first attempt.

Impact:

The import fails and the error is ambiguous.

Refresh the screen and initiate a new file import attempt, making sure the URL and all other parameters entered are correct and valid.

The input validation on the URL field when you import a file, checks that the URL ends in .iso or .img, but it does not accept mixed case or uppercase entries, for example, .ISO / .IMG / .iMg / .Iso, etc.

Conditions:

-- Importing a file, either with File Utilities or the Software Management import utilities for System Controller and Chassis Partition software images.

-- The URL is appended with a file extension that is not lowercase.

Impact:

The URL field reports a validation warning.

Make sure the file extension appended on the end of the URL is all lowercase.

When the admin removes nodes from tenant configuration and upgrades the system controller software, the tenant status comes up with an error state.

Conditions:

Admin removes nodes from the tenant configuration using either of the following commands:

no tenants tenant <name> config nodes

tenants tenant <name> config nodes [ ]

Impact:

This has no effect on system functionality. The system is simply reporting an incorrect state of the tenant.

To process any traffic through the tenant, you must have a minimum of one node in the tenant config, for example:

show running-config tenants tenant <name> config nodes

tenants tenant example1

config nodes [ 1 ]

!

After setting the primary key, the system reports the following message:

-- Response Info: Key migration is initiated. Use 'show system primary-key state status' to get status.

This is the wrong command.

Conditions:

This is encountered when running the following command: system aaa primary key set

Impact:

The prompt for the set command is misleading.

Use the command:

show system aaa primary-key state status

Tenant validations are not working when a tenant is created using the CLI and subsequently edited in the GUI.

Conditions:

Admin creates the tenant via CLI and subsequently edits the following tenant config when the running-state is set to Deployed:

-- Scale-up/Scale-down the tenant.

-- Add/Remove VLAN.

Impact:

Admin cannot scale up/scale down the cluster using the GUI if the tenant is initially deployed via CLI.

Use the CLI to scale-up/scale-down and add/remove the VLAN to the tenant.

When the BIOS on a blade is freshly updated and the blade is booted, there may be a 'TPM Randomization failed' message observed in the log output. This message occurs only once (if at all) and is then followed by a successful boot of the system. This is caused by the TPM randomization step of the boot not being completed. The next boot of the system, initiated by the BIOS when this condition is encountered, allows the TPM randomization to complete. For security purposes, the system does not boot to the OS until TPM randomization has successfully completed.

Conditions:

This particular instance of this message may occur after a fresh BIOS update to the system. If the initial boot after a BIOS install is interrupted, the subsequent boot may display this message in the log. The BIOS then causes the blade to reboot, allowing the TPM randomization step to complete.

Impact:

There is no impact to the functionality of the system. The message is for informational purposes only in this situation. If the TPM randomization step of the BIOS execution is not able to complete successfully, the BIOS causes the blade to reboot until the TPM randomization is successful.

Note: If the system continually fails to boot due to this issue, you may have a hardware issue that requires F5 response to correct.

Allow the blade to continue to boot. Once the BIOS has caused the blade to reboot, the condition clears itself and the message no longer appears as part of the boot process.

The F5OS partition CLI correctly displays the tenant management MAC address that matches what the tenant reports via 'ifconfig mgmt'. However, 'tmsh show sys mac-address' shows a different value. vCMP guests also exhibit this behavior.

Conditions:

This is encountered on F5OS tenants and vCMP guests.

Impact:

No functional impact known; just reports incorrect data.

If the tenant MAC address is required, use 'ifconfig mgmt' inside the tenant, or use the value in the partition CLI.

If you create a tenant and set the running-state to deployed, (do not wait for full startup), immediately change the running-state to provisioned (do not wait for state change), immediately change tenant config such as vCPU/memory/VLANs/etc, and then immediately change back to deployed, the tenant starts up fine but may not come up with the right resources/config.

Conditions:

This occurs when the tenant running-state changes with no wait time in between state changes.

Impact:

The tenant starts up with inaccurate resources (e.g., vCPU/memory/VLANs/mgmt-ip).

Wait a minimum of 30 seconds to 1 minute between when the tenant running-state transitions from one state to another. One way to ensure the clean transition is to verify the following state if the tenant is reached the desired state.

If performing deployments from the CLI:

show tenants tenant <tenant-name> state status

For example:

-- If the tenant running-state is 'deployed':

default-1#

show tenants tenant defaultbip-1 state running-state

state running-state deployed

Verify the transition state if it reached the desired state: 'running' (if running-state is deployed).

default-1#

show tenants tenant defaultbip-1 state status

state status Running

-- If performing deployments from the GUI, verify the tenant status next to the state under Tenant Management :: Tenant Deployments.

If the system controller is powered off from the Linux bash shell using 'shutdown -P' or an equivalent command, there is no method available in Always On Always-On Management (AOM) menu, or any other method, to remotely power back on the system controller.

Once the system controller is powered off, it can be powered on only by either reseating the system controller or performing a full chassis power cycle.

Conditions:

The system controller is powered off using a bash command.

Impact:

You are unable to remotely power on a system controller after it has been powered off.

Reseat the controller or power cycle the chassis.

If a system controller reboots in the middle of importing platform software, the import does not automatically restart on the next boot. Additionally, it is not possible to overwrite it via a new file transfer to try again.

Conditions:

-- Valid F5OS software has begun importing on a system controller, but the import is not complete yet.

-- A reboot is issued by either the admin user or the software.

Impact:

The software is not imported.

Follow this procedure:

1. Download the software again, but using a different destination file name.

2. Try the import operation again.

Traffic is lost on the previously active system controller, so half of the traffic get lost.

Conditions:

If active system controller does not function, here are some examples:

-- The system controller is physically non-functional (no electrical activity, etc.).

-- System software results in system controller failures for a long time.

Impact:

Traffic is lost on the previously active system controller, so half of the traffic is lost.

Reboot the newly active system controller.

A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.

N/A

A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability

N/A

K44945790: glibc vulnerability CVE-2021-3326

K13591074: BIND vulnerability CVE-2020-8625

It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce an heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine.

N/A

K95593121: Linux kernel vulnerability CVE-2019-10126

A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.

N/A

K57542514: Python vulnerability CVE-2019-9636

libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.

N/A

K47227224: Linux kernel vulnerability CVE-2019-17133

The lacpd process dumps a core following deletion of the physical interface if the interface is a working member of an LACP trunk. Physical interface deletes are commonly caused by either removing an associated blade from the partition or changing the port bifurcation configuration (e.g., from 1x100G to 4x25G).

Conditions:

Delete a physical interface that is a working member of an LACP trunk.

Impact:

Lacpd crashes and writes a core file; traffic disrupted while lacpd restarts.

Delete the aggregate-id for any physical interface before the interface is deleted.

K95065016: glibc vulnerability CVE-2018-11236

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

N/A

K41103561: libxml2 vulnerability CVE-2016-4448

An out of bounds read flaw was discovered in libssh2 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a denial of service or read data in the client memory.

N/A

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

N/A

file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.

N/A

K14560101: Wget vulnerability CVE-2019-5953

A credentials-exposure flaw was found in python-requests, where if a request with authentication is redirected (302) from an HTTPS endpoint to an HTTP endpoint on the same host, the Authorization header is not stripped and the credentials can be read in plain text. A man-in-the-middle attacker could exploit this flaw to obtain a user's valid credentials.

N/A

K13591074: BIND vulnerability CVE-2020-8625

If the chassis-id is changed from the default of 1 in the 'system network' configuration on the system controller, the cluster does not reinstall correctly once the change takes effect.

Conditions:

Chassis-id is changed from default of 1 to any other value.

Impact:

Cluster does not re-install correctly, which means tenants cannot be launched on the system.

None

K61903372: OpenSSL vulnerability CVE-2021-23839

K24624116: OpenSSL vulnerability CVE-2021-23840

K52833764: OpenSSL vulnerability CVE-2021-23841

K63525058: cURL vulnerability CVE-2020-8284

K61186963: cURL vulnerability CVE-2020-8285

K15402727: cURL vulnerability CVE-2020-8286

K15402727: cURL vulnerability CVE-2020-8286

An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.

N/A

K68251873: glibc vulnerability CVE-2019-25013

After restoring a config backup, the system controller software assigns auto-generated IDs for the partitions. These auto-generated IDs are not mapped to blades and OpenShift cluster namespaces. This behavior causes the system to not work properly.

Conditions:

This occurs when resetting the system to factory default settings via the system controller CLI, and then restoring the backup without rebooting the system controllers.

Impact:

System goes into an Inoperative state for tenant deployments.

The steps outlined below walk you through the entire process of taking a backup of the system, and then restoring the system to the factory default settings. The steps also include sample commands.

Note: You must have console access to the system to complete this task. Running the reset-to-default command removes the management network.

Backup

Restore

=======

1. Set up the system controller mgmt network using the wizard/CLI.
2. Import the backup from the external device to the system controller:

   ssh root@floatingip

   mkdir -p /var/confd/configs/

   scp <external-machine>:<backup> /var/confd/configs/

    

3. Restore the controller config:

    

   syscon-1-active(config)# system database config-restore name <controller-backup>

   response Succeeded.

    

4. Reboot the blades.
5. To restore the partition config (including VLANs/tenants/interfaces/etc.), import the partition config to the active partition that is running on the controller (running 'show partitions' from the system controller CLI displays which controller is running the active partition):

   part2-2(config)# system database config-restore name <partition-backup>

   result Database restore successful.

    

   part2-2(config)#

   System message at 2021-03-11 01:10:34...

   Commit performed by admin via tcp using cli.

    

6. Restore the tenant config once the tenant mgmt-ip is reachable. To do so, copy the config after the partition restores (where config.ucs is your .UCS filename):

   tmsh load sys ucs /var/tmp/config.ucs

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.