Applies To:
Show Versions
F5OS-C
- 1.3.2
F5OS-C Release Information
Version: 1.3.2
Build: 9645
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
| The blue background highlights fixes |
Cumulative fixes from F5OS-C v1.3.1 that are included in this release
Cumulative fixes from F5OS-C v1.3.0 that are included in this release
Known Issues in F5OS-C v1.3.x
Functional Change Fixes
None
F5OS-C Fixes
| ID Number | Severity | Links to More Info | Description |
| 1077105-1 | 1-Blocking | BT1077105 | Chassis Partition/Tenant pods might not start |
Cumulative fixes from F5OS-C v1.3.1 that are included in this release
Functional Change Fixes
None
F5OS-C Fixes
| ID Number | Severity | Links to More Info | Description |
| 1071805 | 2-Critical | BT1071805 | Removing VELOS controller images used for bare metal install can cause Openshift failures after upgrade |
| 1071693 | 2-Critical | BT1071693 | KubeVirt pods might fail when upgrading from F5OS-C v1.2.1 to v1.3.0&start; |
| 1071673 | 2-Critical | BT1071673 | Tenants do not launch correctly after performing a rolling upgrade to F5OS-C 1.3.0&start; |
| 1073017 | 3-Major | BT1073017 | Downgrading VELOS from F5OS-C v1.3.0 can sometimes leave platform services in degraded state |
| 1072597 | 3-Major | BT1072597 | OpenShift cluster health can toggle between Ready and Not Ready when cluster health is not good |
Cumulative fixes from F5OS-C v1.3.0 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description |
| 989461 | CVE-2020-29573 | K27238230, BT989461 | CVE-2020-29573 glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern |
| 1004305 | CVE-2020-7595 | K04460334, BT1004305 | libxml2 2.9.10 vulnerability CVE-2020-7595 |
| 995645 | CVE-2019-9636 | K57542514, BT995645 | CVE-2019-9636: python vulnerability |
| 989189 | CVE-2019-18282 | K32380005, BT989189 | CVE-2019-18282: Linux kernel vulnerability |
| 1000453 | CVE-2019-25013 | K68251873, BT1000453 | CVE-2019-25013: glibc vulnerability |
| 1004309 | CVE-2020-12400 CVE-2020-12401 CVE-2020-12402 CVE-2020-12403 CVE-2020-6829 |
K61267093, BT1004309 | NSS vulnerability CVE-2020-12403 |
| 1004189 | CVE-2020-12825 | K01074825, BT1004189 | libcroco vulnerability CVE-2020-12825 |
Functional Change Fixes
| ID Number | Severity | Links to More Info | Description |
| 991917 | 3-Major | VELOS system controller/chassis partition should support a system hostname |
F5OS-C Fixes
| ID Number | Severity | Links to More Info | Description |
| 1008433 | 1-Blocking | BT1008433 | VQF hot signal asserted warnings |
| 1068517-1 | 2-Critical | BT1068517 | VLAN connectivity among VELOS tenants is lost |
| 1059209 | 2-Critical | BT1059209 | No tenant config attributes are allowed after 'storage size'. |
| 1055841 | 2-Critical | BT1055841 | Chassis component alarm LED shows up on active system controller |
| 1055397 | 2-Critical | BT1055397 | Platform registry ports could become mismatched depending on import timing |
| 1055329 | 2-Critical | BT1055329 | VLAN shared between two tenants might not pass traffic to tenant with non-default CMP hash. |
| 1055189-1 | 2-Critical | BT1055189 | Optical transceiver tuning values for OPT-0048 updated to reduce errors |
| 1054021 | 2-Critical | BT1054021 | Tcpdump on VELOS chassis blade or rSeries appliance cores when line-dma agent layer below it fails |
| 1052941-2 | 2-Critical | BT1052941 | Hardware-fault alarm not cleared. |
| 1051269-1 | 2-Critical | BT1051269 | Chassis partition ConfD cluster disk usage threshold feature not functioning as expected |
| 1044317 | 2-Critical | BT1044317 | dagd core |
| 1042845 | 2-Critical | BT1042845 | Unable to remove platform services versions that appear unused |
| 1042253-1 | 2-Critical | BT1042253 | System controller upgrade from F5OS-C 1.2.0-10357 to 1.2.1-10301 intermittently fails&start; |
| 1037525 | 2-Critical | BT1037525 | Some of the PCie AER severity and types are incorrect in the diagnostic monitoring |
| 1034481 | 2-Critical | BT1034481 | When using IPv6 on floating management address and DHCP, it is possible to get different IP addresses on failover |
| 1008549 | 2-Critical | BT1008549 | iHealth indicates multiple unhealthy and critical states for empty PSU bays |
| 1005025 | 2-Critical | BT1005025 | Orchestration-manager cores on standby system controller during cluster bringup |
| 1004049 | 2-Critical | BT1004049 | The "show system mgmt-ip" command displays "Application Timeout" on the active system controller |
| 995769 | 3-Major | CVE-2018-20060: python vulnerability | |
| 995649 | 3-Major | CVE-2018-16402: libelf vulnerability | |
| 995633 | 3-Major | CVE-2019-10160: Python vulnerability | |
| 995597 | 3-Major | CVE-2018-15688: systemd Vulnerability | |
| 991061 | 3-Major | Admin cannot edit the tenant config in Deployed state from GUI if the tenants are created via CLI | |
| 979249 | 3-Major | BT979249 | Nodes are displayed in the tenant instance IDs table even after removing them from the tenant |
| 951633 | 3-Major | qkview Hardening | |
| 950477 | 3-Major | BT950477 | USB device presence causes errors in the blade log |
| 950109 | 3-Major | BT950109 | Interface 'in-discards' counter not reset |
| 1065085-1 | 3-Major | BT1065085 | MD5 cipher is allowed on RESTCONF port 8888 with FIPS-enabled license. |
| 1061757 | 3-Major | BT1061757 | VLAN Listener for a VLAN shared between tenants may not upgrade properly.&start; |
| 1061065 | 3-Major | BT1061065 | After controller upgrade, tenant might not work correctly due to failed install of KubeVirt pods&start; |
| 1060417 | 3-Major | BT1060417 | Tpm-integrity-status is "Unavailable" for standby controller, but tpm-status reports "Valid" |
| 1060405 | 3-Major | BT1060405 | Management IP address displays incorrectly in LLDP neighbor information |
| 1058757 | 3-Major | BT1058757 | Optical transceiver OPT-0043 reports unknown as media type |
| 1054837 | 3-Major | BT1054837 | Vcc-ConfD may fail to start new child process |
| 1050761 | 3-Major | BT1050761 | System logs this error at startup: SDK error during device programming |
| 1050677 | 3-Major | BT1050677 | Disk I/O stats inaccurate in snmpwalk for chassis partition |
| 1047129 | 3-Major | BT1047129 | Partition_tmstat_merged container core on shutdown |
| 1046765 | 3-Major | BT1046765 | Tenant Data path will not work correctly on downgrade to controller version 1.1.x&start; |
| 1046217 | 3-Major | BT1046217 | Database import fails after database reset |
| 1045253 | 3-Major | BT1045253 | Errors related to LCD module show up in logs. |
| 1045177 | 3-Major | BT1045177 | Stale interfaces are left behind upon portgroup mode change from 100GB to 40GB |
| 1044557-1 | 3-Major | BT1044557 | Output from the image removal command is confusing and reveals extraneous details |
| 1044257 | 3-Major | BT1044257 | Removal of old chassis partition images might cause tenant issues after blade reboot&start; |
| 1044249 | 3-Major | BT1044249 | On initial installation, blades fail to PXE boot after chassis startup |
| 1044117-2 | 3-Major | BT1044117 | KubeVirt pods are not reinstalled after recovering cluster using internal debug setting&start; |
| 1043909 | 3-Major | BT1043909 | Inconsistencies in disk threshold limits.&start; |
| 1042785-1 | 3-Major | BT1042785 | Configuring spanning tree protocol (STP) while disabled might display incorrect state |
| 1042273 | 3-Major | BT1042273 | ETCD-HA Instance might not initialize correctly after PXE booting the system controller |
| 1041381 | 3-Major | BT1041381 | Tcpdump capture might not include broadcast and multicast egress (generated by the system and being sent out) when "--dls true" option is used |
| 1039085 | 3-Major | BT1039085 | Chassis partition config restore operation might cause the system to stop processing FDB files |
| 1038557-1 | 3-Major | BT1038557 | Chassis partition merged stats only reflect one blade when tmstat-rsync service moves to another blade |
| 1037749 | 3-Major | BT1037749 | Switch daemon crashes occasionally on shutdown |
| 1037673 | 3-Major | BT1037673 | Vcc-lacpd on a system controller can crash and leave a core file while restarting |
| 1035353-1 | 3-Major | BT1035353 | Missing controller images in show image controller CLI operation |
| 1034993-1 | 3-Major | BT1034993 | Key-migrationd service might crash if server elements are incomplete |
| 1034169 | 3-Major | BT1034169 | QKView reports status of "partial file recorded" when out of disk space |
| 1033817 | 3-Major | BT1033817 | webUI is affected due to /api/data/f5-cluster:cluster/nodes/node taking more than 25 seconds to complete |
| 1033813 | 3-Major | BT1033813 | Chassis partition 'show interfaces' command can be slow |
| 1032697 | 3-Major | BT1032697 | Confusing message displays when running "file delete" |
| 1032341 | 3-Major | BT1032341 | ConfD Encryption key gets rewritten intermittently |
| 1022729 | 3-Major | BT1022729 | Management port issues with instance names containing lacpd, lldpd, stpd, or tmstat-rsync |
| 1022589 | 3-Major | New blank blades inserted into system can wind up in a reboot loop and possibly be damaged |
Cumulative fix details for F5OS-C v1.3.2 that are included in this release
995769 : CVE-2018-20060: python vulnerability
Component: F5OS-C
Symptoms:
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
Conditions:
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
Impact:
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
Workaround:
N/A
Fix:
N/A
995649 : CVE-2018-16402: libelf vulnerability
Component: F5OS-C
Symptoms:
libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.
Conditions:
libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.
Impact:
libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.
Workaround:
N/A
995633 : CVE-2019-10160: Python vulnerability
Component: F5OS-C
Symptoms:
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
Conditions:
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
Impact:
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
Workaround:
N/A
995597 : CVE-2018-15688: systemd Vulnerability
Component: F5OS-C
Symptoms:
It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine.
Conditions:
It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine.
Impact:
It was discovered that systemd-network does not correctly keep track of a buffer size when constructing DHCPv6 packets. This flaw may lead to an integer underflow that can be used to produce a heap-based buffer overflow. A malicious host on the same network segment as the victim's one may advertise itself as a DHCPv6 server and exploit this flaw to cause a Denial of Service or potentially gain code execution on the victim's machine.
Workaround:
N/A
991917 : VELOS system controller/chassis partition should support a system hostname
Component: F5OS-C
Symptoms:
System hostname is missing in operational data (state data).
For example: Even after configuring the system hostname, it is not visible when you run the "show system state hostname" command.
syscon-2-active# show system state hostname
% No entries found.
Conditions:
1. Configure hostname in config mode using this command: system config hostname <name>
2. Display the configured hostname using this command:
show system state hostname
Impact:
Hostname is not visible in state info.
Workaround:
Check for the configured hostname from the system controller login prompt or by checking the running configuration using the "show running-config system config hostname" command.
Fix:
Hostname now displays when you use the "show system state hostname" command.
Behavior Change:
The "show system state hostname" command now provides a valid response and displays the currently-set hostname.
991061 : Admin cannot edit the tenant config in Deployed state from GUI if the tenants are created via CLI
Component: F5OS-C
Symptoms:
Tenant validations are not working when a tenant is created using the CLI and subsequently edited in the GUI.
Conditions:
Admin creates the tenant via CLI and subsequently edits the following tenant config when the running-state is set to Deployed:
-- Scale-up/Scale-down the tenant.
-- Add/Remove VLAN.
Impact:
Admin cannot scale up/scale down the cluster using the GUI if the tenant is initially deployed via CLI.
Workaround:
Use the CLI to scale-up/scale-down and add/remove the VLAN to the tenant.
989461 : CVE-2020-29573 glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern
979249 : Nodes are displayed in the tenant instance IDs table even after removing them from the tenant
Links to More Info: BT979249
Component: F5OS-C
Symptoms:
When running the following command in confd:
show running-config tenants tenant dag-tenant config nodes
One of the fields displayed is tenant-instance-ids. The ID is displayed even after deleting the tenant instance.
Conditions:
Add a tenant and then delete it.
Impact:
The tenant instance ID is still displayed. This is cosmetic and there is no functional impact.
Workaround:
None
Fix:
The active tenant list is now displayed properly.
951633 : qkview Hardening
Component: F5OS-C
Symptoms:
Under certain conditions, qkview does not follow current best practices.
Conditions:
Occurs while running qkview.
Impact:
Under certain conditions, qkview does not follow current best practices.
Workaround:
N/A
950477 : USB device presence causes errors in the blade log
Links to More Info: BT950477
Component: F5OS-C
Symptoms:
When a USB device is present in the blade, the velos.log file contains a large number of errors from platform-hal related to the USB device and attempts to detect it.
Conditions:
USB device is present in the blade.
Impact:
Numerous unnecessary messages appear in the log.
Workaround:
These messages are benign, and you can safely ignore them.
950109 : Interface 'in-discards' counter not reset
Links to More Info: BT950109
Component: F5OS-C
Symptoms:
If you issue a reset counters command, the in-discards counter is not reset to 0.
Conditions:
Issue 'reset counters interfaces <interface>' or 'reset counters all' commands.
Impact:
Counter is not reset to 0.
Workaround:
None
1077105-1 : Chassis Partition/Tenant pods might not start
Links to More Info: BT1077105
Component: F5OS-C
Symptoms:
Chassis Partition/Tenant pods might fail to start if the partition namespace key is missing or stale.
Conditions:
Upgrading to F5OS-C v1.3.1 and creating a new partition, or deleting and creating an existing partition, either which is active on the Standby VELOS system controller.
Impact:
Chassis Partition/Tenant pods fail to start on a partition in this condition.
Workaround:
Fail over the active VELOS system controller, which causes the standby controller to generate the correct partition keys. To do this, from the command line on the active system controller type: "system redundancy go-standby"
Fix:
This issue is fixed.
1073017 : Downgrading VELOS from F5OS-C v1.3.0 can sometimes leave platform services in degraded state
Links to More Info: BT1073017
Component: F5OS-C
Symptoms:
After downgrading a VELOS system from F5OS-C v1.3.0 to v1.2.x, various platform services might fail to start.
Conditions:
After upgrading to F5OS-C v1.3.0, then downgrading to an earlier version.
Impact:
Various platform services might fail to start.
Workaround:
It may be necessary to rebuild the OpenShift cluster on the affected VELOS system controllers.
If that does not fix the issue, intervention from F5 might be required.
Fix:
This issue no longer occurs.
1072597 : OpenShift cluster health can toggle between Ready and Not Ready when cluster health is not good
Links to More Info: BT1072597
Component: F5OS-C
Symptoms:
When performing a rolling upgrade from F5OS-C v1.1.0 to 1.2.x, and then to v1.3.0, the cluster status toggles between Ready and Not Ready when VELOS cluster is unhealthy. Other conditions can also cause this issue.
Conditions:
Performing a rolling upgrade from F5OS-C v1.1.0 to v1.2.x, and then to v1.3.0.
Impact:
Cluster status toggles between Ready and Not Ready when VELOS cluster is unhealthy.
Workaround:
None
Fix:
This issue has been fixed.
1071805 : Removing VELOS controller images used for bare metal install can cause Openshift failures after upgrade
Links to More Info: BT1071805
Component: F5OS-C
Symptoms:
VELOS system controller performance is degraded when F5OS-C software versions prior to 1.1.4 are removed and an upgrade to F5OS-C 1.3.0 is initiated.
Conditions:
1. The ISO image versions prior to F5OS-C 1.1.4 used for bare metal install of controllers is removed.
3. The currently-running version of controller software is 1.2.X.
4. An upgrade to F5OS-C 1.3.0 is initiated.
Impact:
VELOS performance is degraded until manual intervention is taken.
Workaround:
Rebuild the Openshift cluster on the affected VELOS system controllers.
Fix:
Removing VELOS system controller images used for bare metal install no longer causes OpenShift failures after upgrade in certain cases.
1071693 : KubeVirt pods might fail when upgrading from F5OS-C v1.2.1 to v1.3.0&start;
Links to More Info: BT1071693
Component: F5OS-C
Symptoms:
During a system controller upgrade from F5OS-C v1.2.1 to v1.3.0, the KubeVirt pods fail to upgrade and produce an error causing the tenant to not operate properly.
Conditions:
Upgrading from F5OS-C v1.2.1 to v1.3.0.
Impact:
The KubeVirt images are not available on the VELOS system controller registry. and the tenant does not operate properly because it relies on KubeVirt pods to be installed correctly.
Workaround:
Follow these steps on the active VELOS system controller:
1. cp /usr/share/omd/kubevirt/omd-kubevirt-velos-install.sh /tmp
2. cd /tmp
vi omd-kubevirt-velos-install.sh
3. Add these lines at line 99 of that file:
else
echo "Using registry port of $official_port for kubevirt install"
echo "Update registry port in kubevirt yml files"
sed -i -e "s@:[0-9][0-9][0-9][0-9]/@:$official_port/@" $WORKDIR/kubevirt-velos.yaml
4. In one Linux shell window:
oc delete -f /usr/share/omd/kubevirt/kubevirt-velos.yaml
5. In another Linux shell window:
/tmp/omd-kubevirt-velos-install.sh /usr/share/omd/kubevirt/
Fix:
This issue is resolved.
1071673 : Tenants do not launch correctly after performing a rolling upgrade to F5OS-C 1.3.0&start;
Links to More Info: BT1071673
Component: F5OS-C
Symptoms:
After performing a rolling upgrade to F5OS-C v1.3.0, tenants do not launch correctly. This can be seen in the output of "oc get pods".
Conditions:
Rolling upgrade to F5OS-C v1.3.0.
Impact:
Tenants do not launch correctly.
Workaround:
On the active system controller:
touch /var/omd/CLUSTER_REINSTALL
This causes the OpenShift cluster to be re-installed using the current image registry.
Fix:
This issue is fixed.
1068517-1 : VLAN connectivity among VELOS tenants is lost
Links to More Info: BT1068517
Component: F5OS-C
Symptoms:
Inbound ARP broadcasts on VLANs shared by tenants on VELOS systems are not received, and shared VLAN connectivity among tenants is lost.
Conditions:
A high volume of DLF packets are handled by the VELOS software rebroadcaster.
Impact:
Loss of connectivity on VLANs shared among tenants.
Workaround:
Restart the sw_rbcast container on the affected blade:
# docker restart partition_sw_rbcast
Fix:
This issue no longer occurs.
1065085-1 : MD5 cipher is allowed on RESTCONF port 8888 with FIPS-enabled license.
Links to More Info: BT1065085
Component: F5OS-C
Symptoms:
When a FIPS-enabled license is installed on the system, some MD5 ciphers are allowed on RESTCONF port 8888, when they should not be allowed.
Conditions:
The command "openssl s_client -connect <mgmt-ip>:8888 -cipher MD5" returns a valid certificate.
Impact:
MD5 SSLCipher continues to work on port 8888 on both system controller and chassis partition management IP addresses.
Workaround:
None
Fix:
Removed MD5 SSLCipherSuites from ssl.conf when a FIPS-enabled license is installed on the system.
1061757 : VLAN Listener for a VLAN shared between tenants may not upgrade properly.&start;
Links to More Info: BT1061757
Component: F5OS-C
Symptoms:
After upgrading from F5OS-C 1.1.4 to a 1.2 release when there are tenants configured that share VLANs, the VLAN listener is not properly upgraded.
Conditions:
Tenants sharing VLANs in a configuration that is upgraded from F5OS-C 1.1.4 to 1.2.x.
Impact:
Traffic will not pass correctly.
Workaround:
Remove the VLAN from the interface(s) and then add it back (no changes to the tenant are necessary).
This re-creates the vlan-listener with the correct VTC value.
1061065 : After controller upgrade, tenant might not work correctly due to failed install of KubeVirt pods&start;
Links to More Info: BT1061065
Component: F5OS-C
Symptoms:
After a system controller upgrade, a tenant might not deploy, because upgraded KubeVirt pods might have failed to install correctly.
Conditions:
-- System controllers were recently upgraded.
-- KubeVirt pods not installed correctly
Impact:
Tenant will not deploy correctly.
Workaround:
1. Remove existing KubeVirt pods that are incorrectly installed.
2. Manually edit the kubevirt-velos-install.sh script to point to the correct registry port.
3. Rerun the install script to install the KubeVirt pods
correctly.
Fix:
The kubevirt-velos-install.sh script is now updated to the correct registry port, which enables KubeVirt pods to be updated correctly.
1060417 : Tpm-integrity-status is "Unavailable" for standby controller, but tpm-status reports "Valid"
Links to More Info: BT1060417
Component: F5OS-C
Symptoms:
The tpm-integrity-status is "Unavailable" for the standby controller, but tpm-status reports "Valid".
Conditions:
This is encountered when checking TPM status:
syscon-2-active# show components component controller-* state tpm-integrity-status TPM
INTEGRITY
NAME STATUS
---------------------------
controller-1 Unavailable
controller-2 Valid
Impact:
Wrong tpm-status will be displayed on confD.
Workaround:
Restart vcc-chassis-manager container.
From the root prompt of the system controller:
[root@controller-1 ~]# docker restart vcc-chassis-manager
Fix:
Issue is fixed in latest release. We are checking tpm-status in regular interval and updating correct information in confD.
1060405 : Management IP address displays incorrectly in LLDP neighbor information
Links to More Info: BT1060405
Component: F5OS-C
Symptoms:
The 'show lldp' command displays the management address of the neighbor incorrectly.
Conditions:
-- lldp is enabled
-- Run the 'show lldp' command
Impact:
The management address of the neighbor displays incorrectly. This is a display issue, and there is no functional impact.
Workaround:
None
1059209 : No tenant config attributes are allowed after 'storage size'.
Links to More Info: BT1059209
Component: F5OS-C
Symptoms:
While configuring the tenant in the one-line command, you are unable to give any other parameters after the storage size parameter. The storage size should be given at the end of the command only.
Conditions:
Preferring the storage command early while configuring the tenant in one-line command.
Impact:
Commands fail as invalid input if any other parameters are mentioned after storage size.
Workaround:
Place the storage size parameter at the end of command or split the config into multiple lines.
Fix:
N/A
1058757 : Optical transceiver OPT-0043 reports unknown as media type
Links to More Info: BT1058757
Component: F5OS-C
Symptoms:
The "show portgroups" command reports unknown for the media type for an OPT-0043.
Conditions:
OPT-0043 transceiver plugged into a system.
Impact:
Cosmetic - this has no functional impact. The media field is not used by any software, it is reported as information for the user.
Workaround:
None
Fix:
OPT-0043 now reports as a "40G BiDi" media type.
1055841 : Chassis component alarm LED shows up on active system controller
Links to More Info: BT1055841
Component: F5OS-C
Symptoms:
Chassis component alarm LED activates on the active system controller instead of on the LCD module.
Conditions:
If a chassis component, such as a PSU, generates an alarm, the RED alarm LED activates on the active system controller instead of the LCD module.
Impact:
A RED alarm LED could indicate a system controller problem instead of a chassis component problem.
Workaround:
None.
Fix:
Chassis component alarms, such as from a PSU, now activate a RED alarm LED on the chassis instead of on the active system controller.
1055397 : Platform registry ports could become mismatched depending on import timing
Links to More Info: BT1055397
Component: F5OS-C
Symptoms:
Under certain conditions, it is possible for the platform registry port configuration to become mismatched between the two system controllers. This can lead to a number of cascading issues with tenant deployments later.
Conditions:
If a platform image import succeeds on one system controller and fails on the other, or a sync of multiple images leads to them being imported in a different order on the standby system controller compared to the active, it is possible to encounter this scenario.
Impact:
Tenants that reference a version of imported software with mismatched ports may attempt to pull images from the wrong registry port, resulting in tenant failure or starting up with the wrong version of platform software images.
Workaround:
It is possible to fix the port mismatch by removing and re-importing the images with mismatched port assignments.
Fix:
Fixed issue where platform registry ports could become mismatched depending on import timing
1055329 : VLAN shared between two tenants might not pass traffic to tenant with non-default CMP hash.
Links to More Info: BT1055329
Component: F5OS-C
Symptoms:
If two tenants on a VELOS chassis are configured with a shared VLAN, one tenant might not pass traffic if it has a non-default CMP hash configured for that VLAN.
Conditions:
-- VELOS chassis
-- Configure a VLAN shared between two or more tenants
-- In one tenant, configure a non-default CMP hash for the VLAN
Impact:
No connectivity.
Workaround:
After configuring a non-default cmp hash, run
`docker restart partition_sw_rbcast`
on each blade.
Fix:
Fixed operation of shared VLAN when cmp hash is not the default.
1055189-1 : Optical transceiver tuning values for OPT-0048 updated to reduce errors
Links to More Info: BT1055189
Component: F5OS-C
Symptoms:
OPT-0048 might show intermittent errors.
Conditions:
OPT-0048 optical transceiver inserted into r10000 or r5000 appliance.
Impact:
System displays intermittent optical transceiver errors.
Workaround:
None
1054837 : Vcc-ConfD may fail to start new child process
Links to More Info: BT1054837
Component: F5OS-C
Symptoms:
The error message
<err> Oct 13 13:41:40 vcc_install_versions_failed: Vcc-ConfD-RU: popen failed => Resource temporarily unavailable
occasionally appears in the /var/log_controller/cc-confd log.
Conditions:
Running system controller rolling upgrade.
Impact:
Presently the only known impact is the message appearing in the log.
Fix:
Vcc-ConfD processes started by popen are properly terminated with pclose.
1054021 : Tcpdump on VELOS chassis blade or rSeries appliance cores when line-dma agent layer below it fails
Links to More Info: BT1054021
Component: F5OS-C
Symptoms:
Line-dma agent is the underlying layer of tcpdump in the VELOS/rSeries family of chassis and appliance products
When it is not running, or if it cores or is otherwise not available and a client wants a tcpdump capture, tcpdump may core.
Conditions:
-- line-dma-agent is not functional at start, or at some later point in time during the tcpdump capture
-- a client requests a tcpdump capture
Impact:
Packet capture will be affected and will not work
Fix:
Tcpdump does not core anymore, and will retry line-dma-agent connection when clients ask for capture
1052941-2 : Hardware-fault alarm not cleared.
Links to More Info: BT1052941
Component: F5OS-C
Symptoms:
A hardware-fault alarm triggered by RAS unknown type errors is not cleared after the errors are resolved.
Conditions:
This occurs with hardware fault alarms due to RAS unknown type. The alarm is not cleared after the issue is resolved.
Impact:
Hardware-fault alarm with severity warning will be displayed and is not cleared.
Fix:
Fixed the issue that prevents RAS unknown errors from being cleared from the diagnostics report.
1051269-1 : Chassis partition ConfD cluster disk usage threshold feature not functioning as expected
Links to More Info: BT1051269
Component: F5OS-C
Symptoms:
When there is an update in cluster disk usage threshold configuration, the change is not reflected in the state data.
default-1(config)# cluster disk-usage-threshold config critical-limit 91
default-1(config)# commit
default-1# show cluster disk-usage-threshold state critical-limit
cluster disk-usage-threshold state critical-limit 97
Conditions:
When you connect a cluster to ConfD during a firmware update and the disk-usage-threshold is updated at the same time, updates will be missed.
Impact:
Some changes to the chassis partition might not be performed, or they might not be reflected in the state data.
Fix:
Modified the cluster disk threshold subscriber to not use a shared access object in ConfD.
1050761 : System logs this error at startup: SDK error during device programming
Links to More Info: BT1050761
Component: F5OS-C
Symptoms:
During startup of the 'fpgamgr' container, this error is logged in velos.log: "SDK error during device programming." API="f5sw_port_spn_state_get" code=-1 error="parameter error"."
Conditions:
System startup or fpgamgr restart.
Impact:
Error log message with no functional impact.
Workaround:
None
Fix:
Fixed API call to prevent an error.
1050677 : Disk I/O stats inaccurate in snmpwalk for chassis partition
Links to More Info: BT1050677
Component: F5OS-C
Symptoms:
Disk I/O stats is inaccurate in snmpwalk.
Conditions:
This occurs when running snmpwalk on a chassis partition.
Impact:
Inaccurate disk I/O stats info in snmpwalk
Workaround:
None
Fix:
Disk I/O stats is now accurate in snmpwalk.
1047129 : Partition_tmstat_merged container core on shutdown
Links to More Info: BT1047129
Component: F5OS-C
Symptoms:
When the partition_tmstat_merged container is shutting down and it receives a message from the same container on another blade in the partition, it might crash with a core.
Conditions:
Container is shutting down and also receives a message from another blade.
Impact:
Crashes with a core file, with no other impact. You can safely ignore and remove the core file.
Workaround:
Remove core file.
Fix:
Race condition on shutdown fixed so that if message is received on shutdown, it is handled properly.
1046765 : Tenant Data path will not work correctly on downgrade to controller version 1.1.x&start;
Links to More Info: BT1046765
Component: F5OS-C
Symptoms:
After a system controller downgrade to version 1.1.x, the tenant datapath will not operate correctly.
Conditions:
The KubeVirt software version does not downgrade to the correct KubeVirt software version needed in the 1.1.x controller release.
Impact:
The tenant will launch correctly, but the datapath will be broken because of a dma-agent protocol mismatch.
Workaround:
1. In one root command shell window, run this command to delete the current version of KubeVirt software pods.
[root@controller-2 ~]# oc delete -f /tmp/omd/scripts/kubevirt-velos.yaml
2. In another root command shell window, run this command to clear the KubeVirt namespace and install the new version of KubeVirt pods.
[root@controller-2 kubevirt]# /usr/share/omd/kubevirt/omd-kubevirt-velos-install.sh /usr/share/omd/kubevirt/
Fix:
The tenant datapath should now work properly after a downgrade.
1046217 : Database import fails after database reset
Links to More Info: BT1046217
Component: F5OS-C
Symptoms:
An attempt to import database using "file import" in the confd/config folder fails. During a database reset operation, the config folder is deleted, which causes an import to fail
Conditions:
When a database reset is performed before performing an import operation.
Impact:
Database import fails.
Workaround:
None
Fix:
File import operation now creates configs folder, if missing.
1045253 : Errors related to LCD module show up in logs.
Links to More Info: BT1045253
Component: F5OS-C
Symptoms:
The system controller log file can contain errors related to failed communication with the LCD module.
controller-2 platform-monitor[1]: priority="Err" msg="Action Error" name="LCD Sensor Monitor" inputId="1f156c2b-0db1-11ec-bdd4-024264410634" index=0 message="unable to get LCD sensor info" interface="zmq-input"
Conditions:
The error message shows up when the LCD module is restarting due to initial system startup or a firmware update.
Impact:
The error message is not system critical and can be safely ignored.
Workaround:
N/A
Fix:
N/A
1045177 : Stale interfaces are left behind upon portgroup mode change from 100GB to 40GB
Links to More Info: BT1045177
Component: F5OS-C
Symptoms:
In some situations, stale interfaces are left behind in the config cdb when the portgroup mode changes from 100GB to 40GB, 4x25GB, or 4x10GB. This causes the l2-agent on the blade to exit.
Conditions:
-- reset-to-defaults/backup/restore
OR
-- live install
-- change the portgroup mode from 100GB to 40GB
-- commit
Impact:
The interfaces corresponding to portgroups are not present and stale interfaces are left behind.
Workaround:
Steps for mitigation:
1) Verify the issue is caused by the lack of pgindex in cdb:
a) From config mode in a chassis partition, create a backup file
(config)# system database config-backup name test
b) Look for pgindex in the /var/F5/partition{id}/configs/test:
grep pgindex /var/F5/partition{number}/configs/test
c) If no entries are found, this is the issue.
2) Remove the slots corresponding to the impacted chassis partition from the system controller configuration and commit.
3) Re-add the slots corresponding to the impacted chassis partition from the system controller configuration and commit.
4) From the chassis partition CLI, ensure the system redundancy shows the blade is present and operational
5) from the chassis partition CLI, change the portgroup mode from 100GB to 40GB and commit (example below):
(config)# portgroups portgroup 1/1 config mode MODE_40GB; top
(config)# portgroups portgroup 1/2 config mode MODE_40GB; top
(config)# commit
6) Wait for the blades to resync by monitoring 'show system redundancy'.
At this point the interfaces should be republished matching the new 40GB mode.
Fix:
Proper interfaces are now published when portgroup mode is changed.
1044557-1 : Output from the image removal command is confusing and reveals extraneous details
Links to More Info: BT1044557
Component: F5OS-C
Symptoms:
When running commands such as "image <controller|partition> remove iso <version>", the error output contains the following message, among other details:
"Error: unexpected response back from API: 1"
Conditions:
The output occurs after you run a command to remove system controller or chassis partition images that are in use. A typical example is when you are trying to remove an ISO that uses OS/service artifacts.
Impact:
The error message from these commands is unhelpful to the user and reveals internal implementation details.
Workaround:
None
Fix:
The fix is present in F5OS-C version 1.2.2. The error message is replaced by one of the following (or another more helpful message if more specific information is available):
"Error: failed to remove controller image; may be in use"
"Error: failed to remove partition image; may be in use"
1044317 : dagd core
Links to More Info: BT1044317
Component: F5OS-C
Symptoms:
Dagd crashes and leaves a core file.
Conditions:
The exact conditions, especially from a user point of view, are not yet known.
Impact:
Traffic is disrupted while dagd restarts.
Workaround:
None
Fix:
Made dagd more robust against system conditions.
1044257 : Removal of old chassis partition images might cause tenant issues after blade reboot&start;
Links to More Info: BT1044257
Component: F5OS-C
Symptoms:
After upgrading the system to F5OS-C version 1.1.4, when you remove old chassis partition images from the system, tenants might not start up correctly after a reboot of the blade hosting the chassis partition.
Conditions:
This might occur if the tenant was started after the system was upgraded to an interim release (such as F5OS-C 1.1.1, 1.1.2, 1.1.3), after originally running F5OS-C version 1.1.0.
Impact:
Tenants will not start correctly, will not pass traffic, or be accessible on their management interfaces.
Workaround:
To work around this issue:
1. Upgrade the system controller to F5OS-C1.1.4.
2. Wait for the system controller upgrade to complete.
3. Upgrade the chassis partition(s) to F5OS-C 1.1.4.
4. Wait for chassis partition upgrade(s) to complete.
5. Configure all tenants to return to the "Provisioned" state.
6. Wait for all tenants to stop.
7. Configure all tenants back to the "Deployed" state.
8. Remove the old chassis partition and system controller software versions.
Fix:
N/A
1044249 : On initial installation, blades fail to PXE boot after chassis startup
Links to More Info: BT1044249
Component: F5OS-C
Symptoms:
On initial installation, blades fail to PXE boot after the chassis powers on.
Other symptoms:
1. When trying to deploy a tenant on a single blade or when multiple blades are bundled for the same chassis partition in the Chassis Partition webUI (TENANT MANAGEMENT > Tenant Deployments), the "Running Version" remains "Unavailable" indefinitely.
2. Blades are not available for login or other activity from the CLI.
Conditions:
Multiple factory-fresh blades are powered up.
Impact:
Blades fail to PXE boot. This means they failed to load an initial image and cannot join a cluster.
Workaround:
On both system controllers, reboot the system controller or restart the image server container.
Type this command to restart the image server on each system controller:
docker restart vcc-image-server
Fix:
N/A
1044117-2 : KubeVirt pods are not reinstalled after recovering cluster using internal debug setting&start;
Links to More Info: BT1044117
Component: F5OS-C
Symptoms:
While reinstalling the OpenShift cluster by configuring an internal debug flag, the KubeVirt pods were not reinstalled. Without these pods, the tenant will not operate.
Conditions:
When a cluster reinstall was initiated by configuring the internal debug flag, an internal variable was not being reset which prevented the KubeVirt pods to be installed.
Impact:
The tenant will not operate.
Workaround:
In a bash console shell, run this command:
systemctl restart orchestration_manager_container.service
Fix:
Fix is in release F5OS-C v1.2.2.
1043909 : Inconsistencies in disk threshold limits.&start;
Links to More Info: BT1043909
Component: F5OS-C
Symptoms:
Inconsistencies are being observed while configuring disk threshold limits.
default-2# show cluster disk-usage-threshold state
cluster disk-usage-threshold state warning-limit 85
cluster disk-usage-threshold state error-limit 90
cluster disk-usage-threshold state critical-limit 97
cluster disk-usage-threshold state growth-rate-limit 10
cluster disk-usage-threshold state interval 60
No checks are implemented to raise an exception if you attempt to set a critical limit to a value less than error/warning limit.
Conditions:
The problem is seen only while upgrading to F5OS-C 1.3.0 and when you configure the disk threshold limits against the constraints.
Impact:
Upgrade can fail if the constraints introduced in F5OS-C version 1.3.0 are violated.
Workaround:
Configure the critical limit > error and warning limit
error limit > warning limit or set to default values before upgrading to F5OS-C 1.3.0.
From the chassis partition CLI:
-------------------------
default-2(config)# cluster disk-usage-threshold config critical-limit 90
default-2(config)# cluster disk-usage-threshold config error-limit 85
default-2(config)# cluster disk-usage-threshold config warning-limit 80
default-2(config)# commit
Commit complete.
1042845 : Unable to remove platform services versions that appear unused
Links to More Info: BT1042845
Component: F5OS-C
Symptoms:
Under certain circumstances, a version of controller or partition services might appear "not in use" in CLI/webUI tables, but removal of that version is still blocked because other parts of the service package are still in use by other system components.
Conditions:
1. Attempt to remove an (apparently CLI) version of controller or partition services via ConfD or webUI.
2. Other components on the system still silently depend on that version of services, even though CLI/webUI output does not reflect this.
Impact:
Unable to remove versions of software that appear unused, and the cause is unclear.
Workaround:
N/A
Fix:
Removal of platform services that appear "unused" is no longer blocked by hidden higher-level component dependencies.
1042785-1 : Configuring spanning tree protocol (STP) while disabled might display incorrect state
Links to More Info: BT1042785
Component: F5OS-C
Symptoms:
While STP is disabled, configuring a field such as MSTP max-hop causes the the enabled-protocol to display an incorrect value.
Conditions:
Delete the enabled-protocol configuration field.
Delete another STP configuration field such as MSTP max-hop
Impact:
The STP enabled-protocol display is incorrect.
Workaround:
To mitigate, do not configure STP while it is not enabled.
Fix:
Configuring STP while it is disabled will no longer lead to an incorrect display.
1042273 : ETCD-HA Instance might not initialize correctly after PXE booting the system controller
Links to More Info: BT1042273
Component: F5OS-C
Symptoms:
The ETCD-HA instance might not initialize correctly after PXE booting a system controller and re-installing that system controller into the OpenShift cluster. When the instance initializes incorrectly and one of the system controllers is down, the OpenShift API does not operate correctly.
Conditions:
PXE boot of a system controller in a running OpenShift cluster.
Impact:
When the instance initializes incorrectly and one of the system controllers is down, the OpenShift API does not operate correctly.
Workaround:
None
Fix:
The orchestration-manager now correctly re-initializes the ETCD-HA instance when a system controller is PXE booted and then added to the OpenShift cluster.
1042253-1 : System controller upgrade from F5OS-C 1.2.0-10357 to 1.2.1-10301 intermittently fails&start;
Links to More Info: BT1042253
Component: F5OS-C
Symptoms:
The upgrade proceeds to the point where both system controllers boot to the new image, but neither system controller becomes active.
Conditions:
When this issue is observed, the output of the "show full-configuration system redundancy config mode" command is something other than the default (auto).
Impact:
Neither system controller becomes active, and the ability to configure the system controllers is compromised.
Workaround:
Restarting both Vcc-ConfD containers (or a reboot of both system controllers) should clear the problem.
Fix:
Intermittent loss of active system controller when upgrading from F5OS-C 1.2.0-10357 to 1.2.1-10301 is now fixed in F5OS-C 1.2.1.
1041381 : Tcpdump capture might not include broadcast and multicast egress (generated by the system and being sent out) when "--dls true" option is used
Links to More Info: BT1041381
Component: F5OS-C
Symptoms:
When DLS feature is enabled using the "--dls true" option, broadcast and multicast packets generated by the host CPUs of the system and egressing out of the VELOS system will not be part of the capture.
The default mode when no "--dls" option is specified is "--dls false", which functions correctly.
Conditions:
The 'DLS' feature of tcpdump is enabled by explicitly invoking packet capture with the non-default mode "--dls true".
Impact:
Capture will not be complete and will not contain the egressing broadcast and multicast packets.
Workaround:
Use the default mode (no "--dls" option specified) or explicitly turn off dls mode ("--dls false").
1039085 : Chassis partition config restore operation might cause the system to stop processing FDB files
Links to More Info: BT1039085
Component: F5OS-C
Symptoms:
In rare cases, a chassis partition "config-restore" operation might cause a race condition that locks up a platform component. This causes forwarding database (FDB) files to no longer be processed and can affect traffic processing.
Conditions:
Running a "config-restore" operation on the chassis partition CLI. This issue is more likely to occur when the number of tenants increases.
Impact:
FDB files will no longer be processed. Traffic processing can be impacted due to missing FDBs.
Workaround:
1. Restart the network manager on both system controllers:
- "docker restart partition<partition_number>_network_manager"
2. Redeploy all tenants.
1038557-1 : Chassis partition merged stats only reflect one blade when tmstat-rsync service moves to another blade
Links to More Info: BT1038557
Component: F5OS-C
Symptoms:
A few show stats commands such as 'show qos state' that report stats for all blades in a chassis partition might report only the stats from a single blade when the tmstat-rsync service moves from one blade to another blade.
Conditions:
The tmstat-rsync service has moved to a blade other than the initial blade it was running on, and a show command that combines stats from all the blades in a chassis partition is run.
Impact:
A few show stats commands will only report data from a single blade.
Workaround:
Restart the tmstat-rsync service so it runs back on the initial blade.
1037749 : Switch daemon crashes occasionally on shutdown
Links to More Info: BT1037749
Component: F5OS-C
Symptoms:
Shutting down the system sometimes causes the switch daemon to crash.
Conditions:
This occurs rarely during system shutdown.
Impact:
A core file is saved to /var/shared/core/container/.
Workaround:
None.
Fix:
This has been fixed in F5OS-C 1.2.2 and F5OS-C 1.3.
1037673 : Vcc-lacpd on a system controller can crash and leave a core file while restarting
Links to More Info: BT1037673
Component: F5OS-C
Symptoms:
Vcc-lacpd on a system controller crashes, leaving behind a core file and a system log indicating a crash occurred. After the crash, the daemon recovers within a few seconds.
Conditions:
The crash only occurs during a restart of vcc-lacpd. Most commonly, a restart will occur during a system controller software update, using the "go-standby" command, or from a fatal error.
Impact:
The internal mgmt network to all blades may go down for a few seconds. Traffic running on tenants will be unaffected.
Workaround:
Limit failover scenarios on the system controllers, such as use of the system controller "go-standby" command or system controller software updates.
Fix:
Vcc-lacpd no longer leaves a core file under these conditions.
1037525 : Some of the PCie AER severity and types are incorrect in the diagnostic monitoring
Links to More Info: BT1037525
Component: F5OS-C
Symptoms:
Some AER (Advanced Error Reporting) error type and severity events are displayed incorrectly in the diagnostics monitoring.
Conditions:
If an AER error occurs, the decoding of the error type and severity as reported in the diagnostic might be incorrect.
Impact:
AER errors in diagnostic monitoring could be interpreted incorrectly as a 'Fatal' error.
Workaround:
As there is not a complete mitigation for this, the AER errors are correctly logged in the system logs and can be confirmed by timestamp and device to obtain the correct information
Fix:
Fixed an issue with incorrect diagnostics reporting.
1035353-1 : Missing controller images in show image controller CLI operation
Links to More Info: BT1035353
Component: F5OS-C
Symptoms:
After a software upgrade, the images displayed when running the "show image controller" command shows only active system controller images. The standby controller images are missing in "show image controller" CLI command. This is very occasional and won't happen always.
Conditions:
Using CLI/RESTCONF command operations for show image controller
Impact:
User won't see the standby controller images when running the "show image controller" command.
Workaround:
Reboot the standby controller from the CLI using the "system reboot controllers controller standby" command. This resolves the issue and brings the controller images back into the CLI display.
1034993-1 : Key-migrationd service might crash if server elements are incomplete
Links to More Info: BT1034993
Component: F5OS-C
Symptoms:
The key-migrationd service crashes after defining some server-group information for Radius/LDAP servers.
Conditions:
This might occur after not fully defining system > aaa > server-groups >server-group item, and then attempting to read the item.
Impact:
Core file is created and key-migration malfunctions.
Workaround:
Remove the partially-defined server group or fully define all server-group items.
Fix:
The key-migration now works without crashing.
1034481 : When using IPv6 on floating management address and DHCP, it is possible to get different IP addresses on failover
Links to More Info: BT1034481
Component: F5OS-C
Symptoms:
When running IPv6 and using DHCP to assign the floating management address, a chassis failover event might cause the IP address to be changed.
Conditions:
Running IPv6, using DHCP for floating management address and failing over a system controller. IPv4 and static IPv6 addresses are unaffected.
Impact:
Services will not be available on the floating management address as expected, and the interface will map to an unexpected IPv6 address.
Workaround:
None
1034169 : QKView reports status of "partial file recorded" when out of disk space
Links to More Info: BT1034169
Component: F5OS-C
Symptoms:
When QKView attempts to create a QKView file and there is insufficient disk space, the status recorded is "partial file recorded". The actual cause is low disk space, and no QKView is collected in this case. The recorded status should indicate so.
Conditions:
Run the QKView collection with less than 1 GB of available disk.
Impact:
Cosmetic.
Workaround:
N/A
Fix:
The status now indicates: Out-of-disk. Unable to create QKView file.
1033817 : webUI is affected due to /api/data/f5-cluster:cluster/nodes/node taking more than 25 seconds to complete
Links to More Info: BT1033817
Component: F5OS-C
Symptoms:
The 'show cluster nodes node' command takes more than 25 seconds to complete.
Conditions:
This happens on a chassis that is not fully populated.
Impact:
The get api /api/data/f5-cluster:cluster/ takes more time, resulting in slow page load times in the webUI.
Workaround:
None
Fix:
Modified diag-agent partition to check that the blade is in a ready status before contacting it for disk-usage information. This reduces the timeout.
1033813 : Chassis partition 'show interfaces' command can be slow
Links to More Info: BT1033813
Component: F5OS-C
Symptoms:
A 'show interfaces' command or the corresponding RESTCONF API request that includes 'show interfaces interface state counters' or 'show interfaces interface ethernet state counters' might take a long time to execute.
Conditions:
When a blade was present in the chassis partition, but is either physically removed or powered off, but the slot is not removed from the partition configuration.
When running 'show interfaces interface state counters' command for an aggregate (trunk), a delay will also be observed.
Impact:
The webUI screen refresh is slow (2 to 8 seconds per missing blade), or the CLI 'show' command takes a long time to return.
Workaround:
Use the system controller webUI or CLI to remove the non-existent blade from the chassis partition.
Fix:
Fixed an issue causing the "show interfaces" command to be slow when a blade is removed.
1032697 : Confusing message displays when running "file delete"
Links to More Info: BT1032697
Component: F5OS-C
Symptoms:
When running the "file delete" command, a confusing error message displays:
syscon-1-active# file delete file-name log/host/ansible.log
Only /mnt/var/confd/configs/ /var/shared/ configs/ diags/shared/ paths are allowed for Delete file operation on system controller CLI.
Conditions:
When attempting a file delete operation from a directory that does not have delete permission.
Impact:
The error message lists the actual paths along with the virtual paths on which delete is supported.
Workaround:
N/A
Fix:
When performing a file delete operation, only virtual paths are now listed.
1032341 : ConfD Encryption key gets rewritten intermittently
Links to More Info: BT1032341
Component: F5OS-C
Symptoms:
The key should always return the same value and hash, unless it is changed via key-migration.
The reading of memory (EEPROM) will sometimes return "resource temporarily unavailable," which is treated as an error instead of simply doing a retry.
Conditions:
The EEPROM might be busy because of use by other components.
Impact:
The encryption key changes, thus invalidating all currently-encrypted items, thus requiring re-entry of these.
Workaround:
Re-enter all encrypted items and hope that the "resource temporarily unavailable" does not occur.
Fix:
Fixed an issue where the system no longer considers "resource temporarily unavailable" as an error unless it happens ten times in a row. The system does a retry and if that works, the system avoids setting a new key.
1022729 : Management port issues with instance names containing lacpd, lldpd, stpd, or tmstat-rsync
Links to More Info: BT1022729
Component: F5OS-C
Symptoms:
The management port stops working when instance names contain any of the following: lacpd, lldpd, stpd, or tmstat-rsync.
Conditions:
Instances whose names include any of the following:
- lacpd
- lldpd
- stpd
- tmstat-rsync
Impact:
Management port no longer works.
Workaround:
Avoid naming instances using any of the following:
- lacpd
- lldpd
- stpd
- tmstat-rsync
Fix:
You can now successfully name instances using strings containing the following:
- lacpd
- lldpd
- stpd
- tmstat-rsync
1022589 : New blank blades inserted into system can wind up in a reboot loop and possibly be damaged
Component: F5OS-C
Symptoms:
Blades fresh from manufacturing do not contain an OS image. If not made part of a chassis partition with an os image defined, when inserted, they will wind up in a continuous reboot loop. There is potential that this might cause damage to blade components if allowed to continue for an extensive period of time.
As systems shipped from factory include all slots in the default chassis partition and that partition is set up with a partition image already configured, this condition should only be possible when blades are added in the field, and the site has added chassis partition definitions that do not have OS images set.
Conditions:
Freshly-manufactured blade installed in a system slot that is not part of a chassis partition with a defined ISO image.
Impact:
Potential drive media damage if the reboot loop is allowed to continue for an extended period of time.
Workaround:
Options to mitigate:
1. Install an os image on the new blade.
2. Power down the blade using AOM until ready to load an image.
The simplest method to install an os image is to be sure the installation slot is part of a chassis partition definition that includes a set os image. By default the blade will PXE boot that image.
1008549 : iHealth indicates multiple unhealthy and critical states for empty PSU bays
Links to More Info: BT1008549
Component: F5OS-C
Symptoms:
The component health for empty PSU bays in the VELOS chassis is shown as unhealthy along with an iHealth critical severity.
Conditions:
This issue occurs on a VELOS chassis that has one or more PSUs not populated.
Impact:
The chassis health of empty PSU bays are shown has unhealthy in iHealth.
Fix:
Modified diag-agent service so that it does not mark an unhealthy state for PSUs that are not present in the chassis.
1008433 : VQF hot signal asserted warnings
Links to More Info: BT1008433
Component: F5OS-C
Symptoms:
A PEL log entry occurs indicating an FPGA HOT signal asserted:
Warning | AOM | 5 | Na | VQF hot thermal event
Conditions:
This issue happens at system startup.
Impact:
If the issue occurs during system startup, it is an erroneous error message and can be safely ignored.
Workaround:
N/A
Fix:
Fixed an erroneous FPGA HOT signal that occurs during system startup.
1005025 : Orchestration-manager cores on standby system controller during cluster bringup
Links to More Info: BT1005025
Component: F5OS-C
Symptoms:
A core file from orchestration-manager might be created on the standby system controller during cluster bringup.
Conditions:
This might occur intermittently during cluster bringup.
Impact:
A core file is generated, but orchestration-manager will restart and will not cause any issues with system function.
Workaround:
None
1004049 : The "show system mgmt-ip" command displays "Application Timeout" on the active system controller
Links to More Info: BT1004049
Component: F5OS-C
Symptoms:
On a system where the standby system controller is rebooting, running the 'show system mgmt-ip' command from the CLI might display an "Application Iimeout" error.
Conditions:
-- Standby system controller is rebooting.
-- Run the 'show system mgmt-ip' command from the CLI.
Impact:
This problem is limited to the system controller management IP address only.
Workaround:
The command fails the very first time the command runs while the standby controller is rebooting. After it fails the first time, the command displays output in subsequent retries.
Fix:
The 'show system mgmt-ip' command now works while the standby system controller is rebooting.
Known Issues in F5OS-C v1.3.x
F5OS-C Issues
| ID Number | Severity | Links to More Info | Description |
| 1076705-2 | 2-Critical | Etcd instance might not start correctly after upgrade&start; | |
| 1073305 | 2-Critical | Upgrade to F5OS-C 1.3.0 failed to upgrade chassis partition | |
| 1053905 | 2-Critical | After upgrading system controller to v1.2.2, there could be traffic outage&start; | |
| 1050565-2 | 2-Critical | KubeVirt pods might not be installed after upgrading from F5OS-C v1.2.1 to v1.3.0&start; | |
| 1102753-1 | 3-Major | Removing platform software via restconf returns a proxy error | |
| 1100713-1 | 3-Major | After a partition upgrade, a tenant in Provisioned state may show inconsistent CLI status&start; | |
| 1073581-1 | 3-Major | Removing a 'patch' version of services might remove the associated 'base' version as well | |
| 1071209-1 | 3-Major | BT1071209 | Files greater then 1000 MiB are truncated in QKView |
| 1056037 | 3-Major | BT1056037 | If any tenant is in the 'deployed' state, you cannot downgrade the chassis partition to F5OS-C 1.1.4. |
| 1035589-2 | 3-Major | BT1035589 | Source address for TACACS+ server group configuration does not work |
| 1028385-1 | 3-Major | Link aggregation names with spaces | |
| 1056273 | 4-Minor | Tcpdump log level is set to default {INFO} after upgrading | |
| 1045261-1 | 4-Minor | Vcc-partition-software-manager logs extraneous chassis partition update records |
Known Issue details for F5OS-C v1.3.x
1102753-1 : Removing platform software via restconf returns a proxy error
Component: F5OS-C
Symptoms:
When removing platform software (controller or partition ISO) via the restconf API, the API returns a '502 Proxy Error'. The image is still removed despite the error message.
Conditions:
Removing the platform software via restconf.
Impact:
A misleading and concerning error message is reported.
Workaround:
The restconf API can still be used, since the removal succeeds despite the error. Alternatively, remove the image via the GUI or ConfD CLI.
1100713-1 : After a partition upgrade, a tenant in Provisioned state may show inconsistent CLI status&start;
Component: F5OS-C
Symptoms:
After a partition upgrade from 1.3.1 to 1.3.2, if the running-state of a tenant is configured in Provisioned state, the operational status of the tenant may oscillate between "Ready to deploy" and "Allocating resources to tenant is in progress" state in the partition CLI status.
Conditions:
A race condition exists after an partition upgrade that may display an inaccurate tenant operational state when the tenant is configured as Provisioned.
Impact:
The tenant state constantly changes.
Workaround:
Configure the running-state of the tenant to Deployed.
1076705-2 : Etcd instance might not start correctly after upgrade&start;
Component: F5OS-C
Symptoms:
/etc/etcd/dump_etcd.sh might show that the etcd instance native to system controller #1 or #2 does not come up after an upgrade.
This displays in the output of /etc/etcd/dump_etcd.sh and might occur for the .3.51 or .3.52 node:
failed to check the health of member 25fa6669d235caa6 on https://100.65.3.52:2379: Get https://100.65.3.52:2379/health: dial tcp 100.65.3.52:2379: connect: connection refused
member 25fa6669d235caa6 is unreachable: [https://100.65.3.52:2379] are all unreachable
This can cause a longer OpenShift outage if the system controller containing the healthy instance is rebooted, and complete outage if the system controller containing the healthy instance is lost.
Conditions:
This is caused by a previous mount failure of the drbd file system, which causes a corruption of the etcd instance on the standby system controller. This is seen very infrequently.
Impact:
The local etcd instance on the affected system controller will not work correctly, compromising the high availability (HA) availability of the OpenShift cluster. The cluster will continue to work correctly while both system controllers are up.
Workaround:
Rebuild the OpenShift cluster by running "touch /var/omd/CLUSTER_REINSTALL" from the CLI on the active system controller. This will cause all running tenants to be taken down during the cluster reinstall, which takes 50+ minutes.
1073581-1 : Removing a 'patch' version of services might remove the associated 'base' version as well
Component: F5OS-C
Symptoms:
Removing a 'patch' version (X.Y.Z, Z>0) of a platform ISO or services might, under certain conditions, lead to the unexpected removal of the 'base' version (X.Y.0) associated with that patch.
Conditions:
1. A 'patch' ISO is imported when the 'base' associated with the patch is not already imported (Ex. An F5OS-C 1.2.2 ISO is imported, and F5OS-C1.2.0 is not already imported).
2. Some time later, the F5OS-C 1.2.2 ISO is removed. This also removes the 1.2.0 services.
Impact:
F5OS-C removes software that wasn't explicitly chosen to be removed.
Workaround:
To work around this issue, import the 'base' version ISO (X.Y.0) before importing any patches. If this is done, removal of a 'patch' will not remove the 'base'. If a 'base' was already removed accidentally, re-importing the 'base' ISO will also make it available again.
1073305 : Upgrade to F5OS-C 1.3.0 failed to upgrade chassis partition
Component: F5OS-C
Symptoms:
Upgrading VELOS from F5OS-C 1.2.2 to 1.3.0 caused partition containers to go in crashbackoffloop back. This can be checked by running this command:
oc get pods --all-namespaces |grep -i crash
Conditions:
After upgrading to F5OS-C 1.3.0, tenant datapath interfaces do not come up.
Impact:
Traffic is impacted.
Workaround:
Restarting the chassis partition, that is, disabling and enabling the chassis partition fixes the issue.
1071209-1 : Files greater then 1000 MiB are truncated in QKView
Links to More Info: BT1071209
Component: F5OS-C
Symptoms:
QKView is unable to collect an untrunucated velos.log file that has been rotated.
Conditions:
Rotated copy of the velos.log file is greater than 1000 MiB.
Impact:
Logs are not complete in QKView making it difficult to troubleshoot issues.
Workaround:
Collect the log files manually.
1056273 : Tcpdump log level is set to default {INFO} after upgrading
Component: F5OS-C
Symptoms:
Tcpdump log severity level is not retained after upgrading.
Conditions:
Tcpdump log severity is set to something other than INFORMATIONAL prior to upgrading.
Impact:
Severity level changes to INFO after upgrading.
Workaround:
Reset the severity level after upgrade.
controller-1(config)# system logging sw-components sw-component tcpdumpd-manager config severity DEBUG
controller-1(config-sw-component-tcpdumpd-manager)# commit
Commit complete.
1056037 : If any tenant is in the 'deployed' state, you cannot downgrade the chassis partition to F5OS-C 1.1.4.
Links to More Info: BT1056037
Component: F5OS-C
Symptoms:
An attempt to downgrade chassis partition services to versions older than F5OS-C 1.4.0 fails with this error:
"Partition database upgrade compatibility check failed."
The validation logic prior to F5OS-C 1.4.0 does not permit tenants to be in the 'deployed' state during the schema change.
Conditions:
Tenant is in a 'deployed' state.
Impact:
You cannot downgrade partition services for this chassis partition to F5OS-C 1.1.x, 1.2.x, or 1.3.x from any higher version.
Workaround:
1. In the partition manager CLI or webUI, change the running-state for all tenants to 'configured' or 'provisioned'.
2. Perform the downgrade for the chassis partition.
3. When the chassis partition downgrade is complete, return the tenants to the 'deployed' state.
1053905 : After upgrading system controller to v1.2.2, there could be traffic outage&start;
Component: F5OS-C
Symptoms:
After upgrading the system controller to version 1.2.2, a traffic outage occurs.
Conditions:
System controller is upgraded to version 1.2.2 and the partition is not upgraded to version 1.2.2
Impact:
Network traffic through BIG-IP tenants is disrupted.
Workaround:
Upgrade the partition to version 1.2.2.
1050565-2 : KubeVirt pods might not be installed after upgrading from F5OS-C v1.2.1 to v1.3.0&start;
Component: F5OS-C
Symptoms:
After an upgrade from F5OS-C v1.2.1 to v1.3.0 the OpenShift KubeVirt pods might not be installed.
Conditions:
During the upgrade from F5OS-C 1.2.1 to 1.3.0, the script that installs the OpenShift KubeVirt pods might fail to install the pods.
Impact:
The tenants might not operate.
Workaround:
On the active system controller, run this command:
systemctl restart orchestration_manager_container.service
1045261-1 : Vcc-partition-software-manager logs extraneous chassis partition update records
Component: F5OS-C
Symptoms:
Following a fresh F5OS-C software install, the vcc-partition-software-manager repeatedly logs the following extraneous records:
********
<info> Dec 2 21:46:48 publish_image_thread: Controller-2 Images state not changed.
<notice> Dec 2 21:48:25 main: retrying after failed operation
<info> Dec 2 21:48:25 main: configuration updated; num_part: 2
<notice> Dec 2 21:48:26 main: cc.out_of_service_install(false) cc.install_stage(IDLE) ha_mode(HA_MASTER) skip_notify(true) last_failed(true)
********
Conditions:
Installing F5OS-C software.
Impact:
There is no functional impact, as the chassis partition configurations are not actually being changed or updated, but the lof records fill up the velos.log over time with unnecessary noise.
Workaround:
These messages can be safely ignored.
1035589-2 : Source address for TACACS+ server group configuration does not work
Links to More Info: BT1035589
Component: F5OS-C
Symptoms:
Attempting to set the source-address for a TACACS+ server group configuration might fail or does not work as expected.
Conditions:
Attempt to configure source-address for TACACS+ server group.
Impact:
No functional impact, as the source-address isn't used.
Workaround:
The source-address is not used by the TACACS+ client. Do not configure source-address.
1028385-1 : Link aggregation names with spaces
Component: F5OS-C
Symptoms:
BIG-IP Next exhibits erroneous behavior for a LAG when it is created with a name that contains spaces.
Conditions:
The LAG name contains spaces.
Impact:
BIG-IP Next cannot successfully handle a LAG with spaces in the name. The LAG is not recognized.
Workaround:
Refrain from using names with spaces.
&start; This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
For additional support resources and technical documentation, see:
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: https://support.f5.com/csp/#/home
- The F5 DevCentral web site: http://devcentral.f5.com/
