998301-2 : CVE-2021-23839: OpenSSL vulnerability

Links to More Info: K61903372, BT998301

1327701-2 : Space in SNMP community/user/target name causing snmpd container restart

Links to More Info: BT1327701

Component: F5OS-C

Symptoms:
When there is a space in any SNMP community/user/target name configuration, this will cause an F5OS snmpd service restart.

Conditions:
When there is a space in an SNMP community/user/target name configuration.

Impact:
F5OS snmpd restarts.

Workaround:
Reconfigure the SNMP community/user/target without a space in the name.

Fix:
Added a space restriction in SNMP community/user/target name configuration so the user can no longer configure with a space.

1324553 : Failed to start launch platform service containers during upgrade of Standby cc★

Links to More Info: BT1324553

Component: F5OS-C

Symptoms:
The software upgrade status of the standby cc while rolling upgrade happens is stuck at "in progress".

The platform-service (docker containers) don't come up after the reboot of the stand by CC.

Conditions:
The software upgrade status of the standby cc while rolling upgrade happens is stuck at "in progress".

The platform-service (docker containers) don't come up after the reboot of the stand by CC.

The import status of the installed version in /var/import/import.json is in error state without port assignment.

Impact:
The upgrade process is stuck and we will not be able to trigger another upgrade.

Workaround:
As part of recovery/WA. Please follow these steps:

1) Copy the contents of active cc's /var/import/import.json to stand-by cc's /var/import/import.json.
2) Reboot the standby cc.

Fix:
Fix has been made to handle port assignment failure in case of communication failure between CCs while rolling upgrade is in progress.

1316097-2 : LAGs not programmed when adding VLAN to LAG

Links to More Info: BT1316097

Component: F5OS-C

Symptoms:
Traffic from a LAG is not reaching the tenant.

Conditions:
1) Add a VLAN to a LAG and add that VLAN to a tenant in the same commit.

2) Configuration read following blade reboot.

Impact:
LAGs are not programmed; traffic doesn't reach tenant.

Workaround:
Workaround for condition (1): Add the VLAN to the LAG, commit; then add the VLAN to the tenant.

Fix:
Fix usage of mutexes to prevent deadlock with LAG programming is happening in parallel with VLAN programming.

1315149-1 : Users authenticated via TACACS+ cannot log in via serial console

Links to More Info: BT1315149

Component: F5OS-C

Symptoms:
If remote authentication is configured to use TACACS+, users authenticated via TACACS+ cannot log in via the system serial console.

SELinux errors in /var/log/audit/audit.log similar to the following:

type=AVC msg=audit(1691528610.427:121): avc: denied { name_connect } for pid=13249 comm="login" dest=49 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0

Conditions:
-- TACACS+ remote authentication.
-- Attempting to log in to system via serial console.

Impact:
Only locally-defined users can log in to the system via serial console.

Workaround:
Configure the SELinux policy to allow this traffic. On a VELOS chassis, these instructions must be run on each system controller separately.

1. Connect to the F5OS system via SSH as root.

2. Examine the SELinux audit denials and confirm all of them are associated with traffic that should be allowed:

grep 'denied.*name_connect.*comm="login"' /var/log/audit/audit.log > /root/login-audit-denials.log
cat /root/login-audit-denials.log

Remove entries from the file /root/login-audit-denials.log that you do not want to allow.

3. After confirming the contents of the file /root/login-audit-denials.log, run the following commands to create and install an SELinux policy to allow that traffic:

audit2allow -M login.allowtacacs < /root/login-audit-denials.log
semodule -i login.allowtacacs.pp

Fix:
A missing SELinux exception has been added. Users authenticated via TACACS+ are now able to log in via serial console without having to manually add the exception or turning off SELinux.

1315121-5 : Key migration failure and potential corruption updating to 1.5.0 or later with deployed tenants

Links to More Info: BT1315121

Component: F5OS-C

Symptoms:
When setting a new primary key after upgrading from an older release (such as 1.1.1 or older), where tenants are deployed, to 1.5.0 or newer, the key migration may fail.

The migration failure may cause configuration database corruption for the entire system.

Conditions:
Tenants are deployed on release 1.1.1 or older. Upgrade to 1.5.0 or newer (including through intermediate upgrades, such as 1.1.1 -> 1.3.2 -> 1.5.1). Set new primary key.

Impact:
Setting a new primary key may fail. When this failure occurs, system configuration corruption may occur.

Workaround:
Mitigation to prevent failure:
- Change all tenants to the configured state
- Set a new primary key
- Wait for key migration to complete
- Return tenants to deployed state.

Recovery for corruption:
- Reset device to default configuration
- Set the primary key to the known primary key for a known-good backup
- Restore with known-good backup

Fix:
Fix known causes of database corruption on primary key migration failure. While the primary key configuration may still fail if tenants are in deployed state, it should no longer cause system corruption.

1304765 : A remote LDAP user with an admin role is unable to make config changes through the F5 webUI

Links to More Info: BT1304765

Component: F5OS-C

Symptoms:
When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.

Conditions:
Local GID is being mapped to a remote GID.

Impact:
The admin user mapped to a remote GID cannot access the ConfD config mode.

Fix:
Update the system to the version with the fix.

1304657-2 : tcam-manager does not support all the possible system network subnets

Links to More Info: BT1304657

Component: F5OS-C

Symptoms:
The connection from the tenant (TMM) to the tcam-manager is continuously restarted.

tcam-mgr logs show the wrong tenant-id and hence rejected connection from the tenant:

msg="INFO" MSG="Connection from client address:10.245.3.1".
msg="ERROR" MSG=" Confd access error obtaining tenant info for tenant:12291 slot:1".
msg="INFO" MSG="neuron_handle_responses: dropping resp to non-existent client".

TMM periodically logs neuron client errors, such as:

notice hudproxy_neuron_client_closed_cb: Neuron client connection terminated
notice pva_sc_frs_neuron_stopped_cb/2373: FRS SC: Neuron client stopped.
notice [DDOS Neuron]Neuron daemon stopped

Conditions:
The 'system network' configuration is changed from its default setting in F5OS.

Impact:
TCAM based features don't work.

Workaround:
Select either the default RFC6598 subnet or any of the unaffected RFC1918 subnets.

Fix:
tcam-manager now correctly calculates the tenant-id for all possible system network subnets.

1303125-1 : Tenants must be moved to 'provisioned' or 'configured' state when downgrading F5OS partition or appliance services from 1.6.0+ to versions below 1.6.0

Links to More Info: BT1303125

Component: F5OS-C

Symptoms:
Tenants must be moved to 'provisioned' or 'configured' state when downgrading F5OS partitions or appliances from 1.6.0+ to versions below 1.6.0. If there are running tenants at the time the downgrade is attempted, it will be blocked.

Conditions:
A downgrade of a VELOS partition or rSeries appliance from ISO version 1.6.0+ to <1.6.0 is attempted.

Impact:
Tenants must be moved to 'provisioned' or 'configured' for the downgrade to succeed.

Workaround:
Tenants must be moved to 'provisioned' or 'configured' for the downgrade to succeed.

Fix:
Tenants must be moved to 'provisioned' or 'configured' state when downgrading F5OS partition or appliance services from 1.6.0+ to versions below 1.6.0

1301837 : A remote admin user is not able to enter the ConfD config mode when logged in from SSH

Links to More Info: BT1301837

Component: F5OS-C

Symptoms:
When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.

Conditions:
Local GID is being mapped to a remote GID.

Impact:
The admin user mapped to a remote GID cannot access the ConfD config mode.

Workaround:
No workaround.

Fix:
Update the system to the version with the fix.

1296525-1 : qkview may capture log files truncated in a reverse way

Links to More Info: BT1296525

Component: F5OS-C

Symptoms:
qkview captures log files, but may truncate them if too large (greater than 100 MB). A regression was introduced such that the most recent log entries would be truncated rather than the oldest.

Conditions:
Collection of qkview.

Impact:
Log entries may be missing in qkview capture.

Workaround:
When running a qkview capture, specify the maxfilesize argument to 1000 (1 GB).

system diagnostics qkview capture maxfilesize 1000

Fix:
QKview now collects the tail end of log files.

1294581-1 : webUI header shows FQDN for IP address field instead of management IP

Links to More Info: BT1294581

Component: F5OS-C

Symptoms:
When user accesses F5OS webUI using FQDN, the header shows the FQDN for the IP address instead of showing the actual management IP address.

Conditions:
When user accesses F5OS webUI using FQDN.

Impact:
There is no impact on functionality. The IP address label on the login screen is renamed to Address. The header displays the management IP instead of the FQDN.

Workaround:
To view the management IP address, navigate to the Management IP screen.

Fix:
Login using FQDN shows the IP address on the header instead of the FQDN. Additionally, the IP address label on the login screen is renamed to Address.

1293057 : Multus ansible-playbook run could hang if blades rebooted

Links to More Info: BT1293057

Component: F5OS-C

Symptoms:
After blades are added to the Openshift cluster, Multus is installed on the blades via an ansible-playbook. If the blade/blades are rebooted during the playbook run, it is possible that the playbook run could hang, possibly for several hours. During this time, the blade will not be available in the Openshift cluster.

Conditions:
Adding a new blade, or re-adding an existing blade to the Openshift cluster, and the blade is rebooted during the install of Multus.

Impact:
Blade will not be available in the Openshift cluster and will not be able to run tenants.

Workaround:
If the blades are rebooted during the Multus install and they do not finishing joining the cluster after reboot, the active CC can fail over, which will cause the blade to be added to the cluster again.

Fix:
Orchestration manager has been updated to run the Multus playbook with a hard timeout, after which it will be retried.

1290617-1 : Display option "universal-time" is not supported

Links to More Info: BT1290617

Component: F5OS-C

Symptoms:
The display option "universal-time" is a built-in third-party command that F5OS does not support.

Conditions:
User attempts to access the built-in third-party command "universal-time."

Impact:
The correct output for "universal-time" is not displayed. Proper documentation for this third-party command also cannot be found.

Workaround:
N/A

Fix:
F5OS has suppressed this display option.

1288937-1 : Interface persists with removed VLAN

Links to More Info: BT1288937

Component: F5OS-C

Symptoms:
When a VLAN is deleted while being referenced by an interface or LAG, it cannot be de-referenced from the interface/LAG.

Conditions:
Delete the VLAN before removing the VLAN from the interface.

Impact:
Cannot add the interface to a LAG after deleting VLAN(s) that used the interface.

Workaround:
Recreate the removed VLAN, then edit the interface which shows defined VLAN, remove the defined VLAN, then remove the recreated VLAN.

Fix:
With the fix, the user will be able to view and remove the VLAN in the Add/Edit Interface/LAG screen even if the VLAN was deleted, and thus will be able to detach it from the interface/LAG.

1287685 : Intel CPU vulnerabilities CVE-2022-26343 and CVE-2022-32231

Links to More Info: K000133630, BT1287685

1286285-2 : ISO with special characters in name will not import

Links to More Info: BT1286285

Component: F5OS-C

Symptoms:
An ISO named with special characters like "()" will not be imported and gets deleted from the import directory silently.

Conditions:
Only when the ISO name contains special characters.

Impact:
User will not have any status on the imported image with a name that contains special characters.

Workaround:
No workaround.

Fix:
The "show system image" API will display the status as "Import error. File name is incorrect."

1285969-2 : Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down

Links to More Info: BT1285969

Component: F5OS-C

Symptoms:
One or more interfaces in LACP aggregations may be considered down when they should not be.

Conditions:
Internally, LACPD hashes interfaces to an integer, and some aggregation interface names hash will collide with ethernet interface name hash. Changes to the these aggregation interfaces can impact the ethernet interface.

Impact:
Traffic through the affected ethernet interface in LACP aggregations may be disrupted. This can cause either degraded performance or traffic failure for LACP aggregations that the interface is a member of.

Workaround:
Only use aggregation interface names that don't hash to the same port numbers as ethernet interfaces.

In order to determine if an existing aggregation interfaces port number conflicts with an ethernet interface, review the lacpd_interface_stat table.

For a VELOS partition, use the lacpd container on any blade in the partition to run tmctl.
For an appliance, use system_lacpd container to run tmctl.

The following example from a rSeries appliance shows the aggregation interface "vlag" with the same port number as interface 1.0

[root@appliance-1 ~]# docker exec -it system_lacpd bash

[root@appliance-1 partition]# tmctl lacpd_interface_stat -s name,port_num
name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
4.0 4096
5.0 5120
6.0 6144
7.0 7168
8.0 8192
9.0 9216
mgmt 43008
vlag 1024

If an aggregation interface hashes to the same port number an Ethernet interface:

1. Delete the conflicting aggregation interface

2a. You can either restart the lacpd containers

    or

2b. Reboot the appliance, or for VELOS reboot each blade in the partition.

Fix:
Aggregation interface names will never impact ethernet interfaces in a LACP aggregation.

1285105-1 : Users are seeing prompt cannot identify you when password expires.

Links to More Info: BT1285105

Component: F5OS-C

Symptoms:
When a user uses SSH to connect to the system with an expired password, the system will show a prompt indicating it cannot identify the user.

Conditions:
User's password has expired.

Impact:
Only users whose password has expired. Impact is negligible.

Workaround:
Reset password.

Fix:
The behavior is controlled through nss-pam-ldapd interactions with sshd. Now users will see the correct message indicating that the password has expired.

1281749-2 : Hashed/encrypted passwords are getting logged

Links to More Info: K000134922, BT1281749

1280441-2 : When no parameter is given for 'system aaa tls create-self-signed-cert', encrypted key-type does not ask for passphrase

Links to More Info: BT1280441

Component: F5OS-C

Symptoms:
When requesting a self-signed-cert, if the key-type is encrypted, then a passphrase is required. However, if no parameters are supplied, the key-type is then requested as a mandatory parameter, but won't ask for passphrase if encrypted type is selected.

Conditions:
No parameters passed to the config: system aaa tls create-self-signed-cert.

Impact:
An error indicates that the passphrase wasn't supplied, but it never was asked for in these conditions.

Workaround:
Specify key-type as a parameter and then if encrypted, the passphrase will be requested.

Fix:
The key-type is no longer a mandatory field and simply defaults to RSA. There is no conflict with not passing any parameters.

1280365-1 : WebUI and shell admin access unavailable after upgrade to when one of the previously installed images is no longer present

Links to More Info: K000133253, BT1280365

Component: F5OS-C

Symptoms:
1. WebUI or CLI inaccessible via admin account (that is, ConfD is not up):
[root@appliance-1(XXXXXXXXX) log]# su admin
Failed to connect to server

2. sw-mgmt.debug file will have a line similar to this one (with image version changing depending on which image is missing):
DEBUG: Source file /var/export/chassis/import/.mounts/iso/R2R4/1.1.1-9159/m3/*-services/F5OS*.img does not exist, removing from all_sw.

3. Containers stuck in ImagePullBackOff. For example, system_network container cannot be pulled, and the following error is observed in messages log:

appliance-1 dockerd-current: time="2023-03-24T15:09:26.631359235Z" level=error msg="Not continuing with pull after error: Error: image system_network:1.4.5-f5os-a-1-4-0-candidate.2023-02-14-15-09-15.S9b340f7e not found"

Conditions:
Both of the below conditions:

1. Certain ISO image has been ungracefully removed from the /var/import/staging folder. Examples of ungraceful removals:
-- Deleted via bash (after running chattr -i <image name>)
-- Image name had parentheses in it and as per ID1273021 it is wiped out upon reboot.

2. /var/import/import.json file includes reference to removed image that is listed BEFORE the reference to currently used image.

Impact:
Device webUI is inaccessible. Cannot access ConfD. Root access is working.

Workaround:
Two workarounds:
1. Re-import the deleted image and reboot the box.
2. Remove the whole section that references the deleted image from import.json file and reboot the box.

Fix:
N/A

1280205 : A manual license install does not log success message

Links to More Info: BT1280205

Component: F5OS-C

Symptoms:
When a user is installing a license manually, the manual license installation process does not log the success message in velos.log.

Conditions:
Always occurs when license is manually installed.

Impact:
Successful installation message is not captured in velos.log.

Workaround:
N/A

Fix:
Successful log message is captured when license is manually installed.

1273845-3 : Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration

Links to More Info: BT1273845

Component: F5OS-C

Symptoms:
Manually adding TLS Certificate & Key on webUI instead of storing through Self-Signed Certificate or removing Certificate & Key removes TLS configuration, which includes verify-client and verify-client-depth.

Conditions:
- When there is an existing Verify Client and Client Depth configuration, and user tries to remove TLS Certificate & Key on Certificate Management screen on webUI.

- When user fills the TLS Certificate & Key on Certificate Management screen on webUI.

Impact:
Verify Client and Client Depth configuration of Certificate Authentication will be changed to default values which disables verification of httpd client certificates.

Workaround:
- Remove or Add TLS Certificate & Key through CLI.
- While creating Self-Signed Certificate, set "Store TLS" field as true
- Re-add Verify Client and Client Depth after removing or manually adding TLS Certificate & Key.

1273025-3 : Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption

Links to More Info: BT1273025

Component: F5OS-C

Symptoms:
Virt-handler pod is crashing upon downgrading from F5OS-A 1.4.0 to F5OS-A 1.3.2, and a tenant is stuck in pending state.

Conditions:
Configure TACACS server-group on a non-default port (that is, other than port 49) and downgrade from F5OS-A 1.4.0 to F5OS-A 1.3.2.

Impact:
Tenant becomes stuck in pending state.

Workaround:
Two workarounds:

1. Configure standard port (49) for the TACACS server instead of a non-standard port. Using the standard port should not trigger these issues. Releases older than F5OS-A 1.4.0 do not correctly support any port other than 49 for the TACACS server.

2. Fix SELinux policy on the appliance:

a. cp selinux module from /usr

cp /usr/etc/selinux/targeted/active/modules/400/f5_appliance to /etc/selinux/targeted/active/modules/400/f5_appliance

b. Reboot the device

reboot

Fix:
Enforce closure of non-standard port every time configuration is updated or system is shut down. This avoids leaving ports open for which SELinux may not have exceptions.

Note this does not address the non-standard port in older releases when downgrading. Non-standard ports for TACACS are still not properly supported in the older release.

1269989-3 : tcam-manager may get stuck using 100% CPU

Links to More Info: BT1269989

Component: F5OS-C

Symptoms:
After running a QKView or tcam-dump by itself, tcam-manager does not clean up the diagnostic socket, which results in a tight loop and pegging the CPU at 100% utilization. This in turn starves other platform processes (such as dma-agent), which causes performance degradation.

Conditions:
A QKView or tcam-dump, which is included in QKView, is run.

Impact:
Performance degradation.

Workaround:
The issue can be avoided by not running QKView.

Fix:
After tcam-dump completes, the corresponding socket is properly removed.

1253713-1 : CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png

Links to More Info: K000133070, BT1253713

1249873-1 : sPVA hardware offload not working correctly on r10k

Links to More Info: BT1249873

Component: F5OS-C

Symptoms:
The DOS attack traffic is distributed unevenly on different TMMs, and some DOS attack traffic is not handed off to hardware due to a misconfigured DOS group.

Conditions:
Any DOS vector traffic going through the r10k device

Impact:
Reduced performance for DOS attack and hardware offload is not active.

Workaround:
No workaround exists for older F5OS releases. Need to upgrade to any latest F5OS version from F5OS-A 1.6.0 or later.

Fix:
Implemented per ATSE DOS group support in F5OS that enables DOS group configuration at individual hardware offload engines.

1239325-1 : Issue when Management IP address is configured to have public internet access on F5OS

Links to More Info: BT1239325

Component: F5OS-C

Symptoms:
The F5OS webUI allows web crawlers access to all content when the Management IP address is configured to have public internet access.

Conditions:
If the Management IP address is configured to have public internet access.

Impact:
This impedes the ability to satisfy internal security compliance mandates.

Workaround:
To mitigate the issue, you can manipulate the contents of the robots.txt file inside the webUI container as demonstrated below:

$ ssh root@10.238.160.60
root@10.238.160.60's password:
[root@appliance-1 ~]# docker exec -it vanquish-gui bash
[root@d6303361e100 /]# cd /app/build
[root@d6303361e100 build]# echo "User-agent: *" > robots.txt
[root@d6303361e100 build]# echo "Disallow: /" >> robots.txt
[root@d6303361e100 build]# cat robots.txt
User-agent: *
Disallow: /
[root@d6303361e100 build]# exit
exit
[root@appliance-1 ~]# exit
logout
Connection to 10.238.160.60 closed.

Fix:
Robots.txt now disallows web crawlers access to any content.

1236857-2 : F5OS OID SNMPv2-MIB::sysDescr provides meaningless information for system controller

Links to More Info: BT1236857

Component: F5OS-C

Symptoms:
After setting up snmpwalk on older version and live upgrading to another version, the snmpwalk is still showing older service version.

Conditions:
1. configure SNMP
2. upgrade system with live upgrade
3. check system version using SNMPv2-MIB::sysDescr (it will be pointing to older version)

example:
SNMPv2-MIB::sysDescr.0 = STRING: Linux 3.10.0-1160.62.1.F5.1.el7_8.x86_64 : Appliance services version <older_version>

Impact:
sysDescr will be displaying older version.

Workaround:
N/A

Fix:
This issue is fixed in latest release.

1235161-1 : Modification of STP path cost with value 0 on appliance/chassis does not work as expected

Links to More Info: BT1235161

Component: F5OS-C

Symptoms:
User is allowed to set path cost as 0 but it does participate in port role selection.
> Port role is dependent on path cost; port with lesser path cost becomes root.
> In the current issue, though port has a lesser value of path cost (0), it is not becoming root.

Conditions:
STP is enabled on F5OS enabled platforms and
> Path cost of any of the interface is set to some number
> One of the interface has default value or value 0.

Impact:
Interface with path-cost as 0 does not become root or it does not restrict user to set path cost value as 0.

Workaround:
Don not keep path-cost value as 0.

Fix:
> Default value of path-cost is modified to 1.
> Range of the path-cost is updated, it starts from 1 instead of 0.

1232313 : Blade reporting VQF and VOQ packet drops as errors

Links to More Info: BT1232313

Component: F5OS-C

Symptoms:
VQF and VOQ packet drops are being reported as errors. These are relatively normal occurrences.

Conditions:
No particular conditions.

Impact:
This accumulation of errors from drops causes the blade to be unnecessarily flagged as unhealthy. This can create confusion as to whether the blade is operating normally or not.

Workaround:
N/A

Fix:
Dropped VQF and VOQ packets are now notices, instead of errors. This prevents the blade from being put in an unhealthy state.

1231609-1 : exclude-cores "true" option still includes the core files in webUI/CLI

Links to More Info: BT1231609

Component: F5OS-C

Symptoms:
Collecting a QKView with "exclude-cores true" results in a QKView that still has core files in it.

Conditions:
If QKView is collected with "exclude core true" option.

Impact:
Core files are not excluded part of QKView file.

Workaround:
There is no workaround as cores files always included with any option.

Fix:
As "exclude-core" is a boolean type, modified the qkview.sh scripts to pass actual value as user entered.

1231237 : HAL message output for non-existing blade in velos.log

Links to More Info: BT1231237

Component: F5OS-C

Symptoms:
LOP RX timeout error messages seen in velos.log for non-existing blade.

Conditions:
As part of background-monitoring, we are running a task to monitor the power on hours of each blade. This task is creating the errors in velos.log.

Impact:
Error messages will be logged in velos.log once in every hour.

Workaround:
NA

Fix:
LopBladePresentNotification is sending slotID as 1 based index, which causes the monitoring of the subsequent blade, as diag-agent expects it to be 0 based index.

Updated LopBladePresentNotification to 0 based index.

1230609-2 : Neighbor interface description is not updated in LLDP neighbor details

Links to More Info: BT1230609

Component: F5OS-C

Symptoms:
Port Description TLV is not displayed under LLDP interface neighbors.

Conditions:
1) enable LLDP on device and on switch
2) enable port description TLV
3) set port description on interface in switch side

Impact:
No impact.

Workaround:
N/A

Fix:
Fixed code to display port description.

1226465 : Persistent alarm for "Fault detected in PSU controller health" due to PSU I2C fault in VELOS PSU controller runtime status

Links to More Info: BT1226465

Component: F5OS-C

Symptoms:
The two PSU controllers in a VELOS 8-slot chassis are redundant. Both PSU controllers have access to a shared I2C bus connected to the 4 power supplies. The AOM on the active controller selects one of the 2 PSU controllers to use for PSU management and directs all PSU accesses through that PSU controller.

When a PSU controller indicates a runtime fault, then the AOM fails over to using the other PSU controller. The PSU controller runtime status fault is recorded in the event log and asserts an alarm.

Unfortunately, this behavior leaves an active alarm for the PSU controller reporting a runtime status fault once it occurs. That PSU controller is no longer being used for PSU management, thus there is no opportunity for it to clear its own reported PSU I2C fault. The associated alarm remains active indefinitely.

Conditions:
When a VELOS PSU controller indicates a runtime status fault, then the AOM fails-over to using the other PSU controller. The PSU controller runtime status fault is recorded in the event log and asserts an alarm.

Impact:
No system impact is expected because the two PSU controllers are redundant.

The active alarm for a VELOS PSU controller runtime status fault may persist indefinitely because that PSU controller is no longer being used for PSU management.

Workaround:
The PSU controller reporting a persistent alarm for a runtime status fault can be reset to clear the alarm.

Log in to a controller as the root user and execute either of these two commands at the host prompt.

For PSU controller 1:

docker exec -it platform-hal psf call POST:lop/object/reset-device destSlot=PsuCtrl1 device=Vpc

For PSU controller 2:

docker exec -it platform-hal psf call POST:lop/object/reset-device destSlot=PsuCtrl2 device=Vpc

Fix:
Fixes to this issue are available with VELOS PSU controller firmware v2.00.806.0.1 and later:

- Automatically expire a PSU controller's PSU I2C fault runtime status fault after 120 seconds, so that the persistent alarm is cleared
- Increase the PSU I2C fault threshold from 5 to 10 consecutive faults, to reduce the chance of an unnecessary occurrence
- Write a PEL (to both CC-LOPs) on assertion and deassertion of PSU I2C channel runtime status errors, to assist with trouble-shooting similar issues

1225989-3 : TACACS users only able to access CLI, not webUI

Links to More Info: BT1225989

Component: F5OS-C

Symptoms:
A TACACS user with either admin or operator privilege is unable to log onto the webUI, but can get access through the CLI. This was found to be due to an internal file linking error.

Conditions:
Have a correctly configured TACACS authenticated user access the webUI.

Impact:
The login will not be successful, and an "Authentication failed" message will be displayed. The webUI will be inaccessible.

Workaround:
N/A

Fix:
The file link issue has been resolved, and the problem no longer exists.

1211861-1 : Configured input values of IP address fields reset to default upon switching the protocol

Links to More Info: BT1211861

Component: F5OS-C

Symptoms:
IP address fields are reset to default values.

Conditions:
When the user changes the protocol and switches back to the previously selected protocol via the "Address" field on the webUI.

Impact:
Values of IP address fields are lost as they are reset to default values.

Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.

Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.

We have added 'X' buttons adjacent to the address fields that can be leveraged to put in default values in case the user does not want to configure the fields for a particular protocol.

1211777-1 : Configured input values of IP address fields reset to default upon switching the protocol

Links to More Info: BT1211777

Component: F5OS-C

Symptoms:
IP address fields are reset to default values.

Conditions:
When the user changes the protocol and switches back to the previously selected protocol via the "Address" field on the webUI.

Impact:
Values of IP address fields are lost as they are reset to default values.

Workaround:
Users can cancel or navigate away from the screen. When they visit the management interface screen again, the configured values will appear.

Fix:
The "Address" field in the Management Interface section has been removed, and all the IPv4 and IPv6 address fields are always displayed, thereby eliminating the need to switch protocols.

We have added 'X' buttons adjacent to the address fields that can be leveraged to put in default values in case the user does not want to configure the fields for a particular protocol.

1211673-1 : Default tenant disk size is based on tenant image type

Links to More Info: BT1211673

Component: F5OS-C

Symptoms:
There is no impact on functionality.
Previously, default tenant disk size was 77GB regardless of image type.

After the fix:

T1 type image - 22GB
T2 type - 45GB
T4 - 142GB
ALL - 82GB

Based on image type, default storage size will be used.

Conditions:
Tenants are created with default disk size of 77Gb although their image size is different.

Fix: create tenant disk based on image type.

Impact:
No functionality impact

Workaround:
No Functionality impact.

Fix:
No Functionality impact.

1211465 : Partition openshift tokens may go invalid, causing tenants to not start after configuration or reboot

Links to More Info: BT1211465

Component: F5OS-C

Symptoms:
Tenants not coming up correctly after upgrade or blade reboot.

The tenants will be stuck in ContainerCreating in the "oc get pods --all-namespaces" output

partition-2 virt-launcher-velos1-cf-gslb-2-gksrp 0/1 ContainerCreating 0 46m <none> blade-2.chassis.local <none>
partition-2 virt-launcher-velos1-cf-rprxy1-1-jcw9k 0/1 ContainerCreating 0 46m <none> blade-1.chassis.local <none>
partition-2 virt-launcher-velos1-cf-rprxy2-2-gl7kw 0/1 ContainerCreating 0 46m <none> blade-2.chassis.local <none>
partition-2 virt-launcher-velos1-cloud-rprxy1-1-kwg4b 0/1 ContainerCreating 0 46m <none> blade-1.chassis.local <none>

If this condition is hit, the token can validated to be bad from the CC shell with the following command:

oc get pods -n partition-<#> --token="`cat /tmp/omd/tokens/partition-<#>/tokens/partition-<#>-saToken`"

e.g.

[root@controller-1 ~]# oc get pods -n partition-6 --token="`cat /tmp/omd/tokens/partition-6/tokens/partition-6-saToken`"
NAME READY STATUS RESTARTS AGE
lldpd-6d4458d967-xfs7d 0/1 Pending 0 7m
stpd-6f844d8d65-wf6s8 0/1 Pending 0 7m
tmstat-rsync-65c9cfb8b9-m2j7j 0/1 Pending 0 7m
[root@controller-1 ~]#

If the token is bad, an error will happen.

[root@controller-1 ~]# oc get pods -n partition-3 --token="`cat /tmp/omd/tokens/partition-3/tokens/partition-3-saToken`"
No resources found.
error: You must be logged in to the server (Unauthorized)
[root@controller-1 ~]#

Conditions:
This is related to deleting and re-creating partitions, and then upgrading or rebooting blades, but does not happen every time. There may be other conditions that can cause this.

Impact:
Tenants will not start correctly, causing an outage.

Workaround:
The workaround is to remove the token files from the /tmp/omd/tokens/partition-<#>/tokens directory.

e.g., rm /tmp/omd/tokens/partition-1/tokens/partition-1-saToken

orchestration-manager will then regenerate the token file with the correct partition token.

Fix:
N/A

1211025-2 : Firmware update interrupted during OS install★

Links to More Info: BT1211025

Component: F5OS-C

Symptoms:
Firmware update can be interrupted by docker container issues.

Conditions:
Random container issue restarts all containers.

Impact:
If firmware is being updated in that moment, the firmware update will fail and it could cause problems to normal system operation.

Workaround:
Ask the support team to update the LOP firmware.

Fix:
Docker container failure handles routine checks if firmware is being updated and waits until the update is done before handling the failure.

1210577 : Supportability: the confd_cmd utility is now included in the system controller container

Links to More Info: BT1210577

Component: F5OS-C

Symptoms:
Occasionally F5 Support might ask for confd_cmd commands to be run. This fix makes the confd_cmd utility easier to access.

Conditions:
Running F5OS. A request from F5 Support to run confd_cmd.

Impact:
It is difficult to run confd_cmd commands for troubleshooting purposes.

Fix:
The confd_cmd utility is now included in the system controller container.

1210073 : Observing "Building LLDP PDU Failed!" error messages in partition's VELOS log continuously

Links to More Info: BT1210073

Component: F5OS-C

Symptoms:
Observing "Building LLDP PDU Failed!" error messages in partition's VELOS log continuously.

[root@controller-2 IMAGES]# tail -f /var/F5/partition2/log/velos.log |grep Err
2022-12-15T16:22:07.718412+00:00 100.65.18.3 blade-3(p2) lldpd[9]: priority="Err" version=1.0 msgid=0x6001000000000009 msg=": Building LLDP PDU Failed! : Unable to obtain System Serial Number" func="buildPktBuf".
2022-12-15T16:22:08.719292+00:00 100.65.18.3 blade-3(p2) lldpd[9]: priority="Err" version=1.0 msgid=0x6001000000000009 msg=": Building LLDP PDU Failed! : Unable to obtain System Serial Number" func="buildPktBuf".
2022-12-15T16:22:37.733326+00:00 100.65.18.3 blade-3(p2) lldpd[9]: priority="Err" version=1.0 msgid=0x6001000000000009 msg=": Building LLDP PDU Failed! : Unable to obtain System Serial Number" func="buildPktBuf".
2022-12-15T16:22:38.733361+00:00 100.65.18.3 blade-3(p2) lldpd[9]: priority="Err" version=1.0 msgid=0x6001000000000009 msg=": Building LLDP PDU Failed! : Unable to obtain System Serial Number" func="buildPktBuf".
2022-12-15T16:23:07.751908+00:00 100.65.18.3 blade-3(p2) lldpd[9]: priority="Err" version=1.0 msgid=0x6001000000000009 msg=": Building LLDP PDU Failed! : Unable to obtain System Serial Number" func="buildPktBuf".
2022-12-15T16:23:08.751963+00:00 100.65.18.3 blade-3(p2) lldpd[9]: priority="Err" version=1.0 msgid=0x6001000000000009 msg=": Building LLDP PDU Failed! : Unable to obtain System Serial Number" func="buildPktBuf".
2022-12-15T16:23:37.770928+00:00 100.65.18.3 blade-3(p2) lldpd[9]: priority="Err" version=1.0 msgid=0x6001000000000009 msg=": Building LLDP PDU Failed! : Unable to obtain System Serial Number" func="buildPktBuf".
2022-12-15T16:23:38.771927+00:00 100.65.18.3 blade-3(p2) lldpd[9]: priority="Err" version=1.0 msgid=0x6001000000000009 msg=": Building LLDP PDU Failed! : Unable to obtain System Serial Number" func="buildPktBuf".
2022-12-15T16:24:07.795989+00:00 100.65.18.3 blade-3(p2) lldpd[9]: priority="Err" version=1.0 msgid=0x6001000000000009 msg=": Building LLDP PDU Failed! : Unable to obtain System Serial Number" func="buildPktBuf".
2022-12-15T16:24:08.796913+00:00 100.65.18.3 blade-3(p2) lldpd[9]: priority="Err" version=1.0 msgid=0x6001000000000009 msg=": Building LLDP PDU Failed! : Unable to obtain System Serial Number" func="buildPktBuf".

Conditions:
So far this case has only been observed in an upgrade (1.3.0 -> 1.5.0), downgrade (1.5.0 -> 1.3.2), upgrade (1.3.2 -> 1.5.1) scenario.

Impact:
When this occurs, the LLDP PDUs will fail to be constructed due to missing chassis serial number resulting in loss of LLDP functionality.

Workaround:
The following steps will resolve this issue:

1. On the active CC 'docker restart vcc-chassis-manager'
2. Restart LLDP pod for all active partitions

1209749 : Core file generated for cc-lacpd.vcc-lacpd

Links to More Info: BT1209749

Component: F5OS-C

Symptoms:
A core file for cc-lacpd.vcc-lacpd is generated.

Conditions:
Occurs occasionally when creating a new interface of type ieee_8023adLag.

Impact:
Controller LACPD restarts and recovers. During the restart, mgmt backplane links between the system controllers and blades may go down for a second or less.

Workaround:
Do not create interfaces of type ieee_8023adLag on the controllers.

Fix:
A core dump no longer occurs when creating an interface of type ieee_8023adLag.

1209669 : BIG-IP Next fails to come up intermittently upon system power cycle/reboot

Links to More Info: BT1209669

Component: F5OS-C

Symptoms:
Every tenant gets its own storage space and F5OS applies the right permissions for BIG-IP Next to access the necessary paths to generate certs/database/etc. When the system goes for a reboot, F5OS will have to remount the storage path from volume. But when it does, F5OS is skipping those permissions back, hence tenant containers are failing to access the path and go for a crash loop.

Conditions:
When the system goes for power cycle or blade reboot.

Impact:
The tenant will not be available functionally or pass any traffic since the majority of containers are in the restart loop due to permission issues.

Workaround:
Please run the following commands from the blade shell

setfacl -Rdm u:7053:rwx /mnt/disks/<tenant-name>/
setfacl -Rm u:7053:rwx /mnt/disks/<tenant-name>/

Fix:
Containers and pods.

1209077 : Unable to remove unused ISOs or services if used by openshift

Links to More Info: BT1209077

Component: F5OS-C

Symptoms:
Even if an imported version of a controller service says it is not in use in ConfD, it is possible under certain conditions for Openshift to still depend on that version of services. In such cases, it will not be possible to remove that version of services until Openshift is re-installed.

Conditions:
Openshift was rebuilt on a version of the controller OS earlier than 1.5.0, and user attempts to remove services that openshift relies on after rebuild.

Impact:
Unable to remove some ISOs and services that indicate they are unused.

Workaround:
Rebuild openshift cluster.

Fix:
Added more informative removal messages for case where removal is blocked due to openshift usage.

1208825-1 : The default value of virtual disk size is 77GB and user is not allowed to have a tenant with disk size smaller than 77GB on the webUI

Links to More Info: BT1208825

Component: F5OS-C

Symptoms:
Depending on the tenant image type, the virtual disk requirements vary. Although the user can make necessary changes if the required disk size is greater than 77GB, they cannot make it lesser than 77GB on the webUI.

Conditions:
Deploying a tenant with image types that have virtual disk size requirement lesser than 77GB, such as T1 and T2 type images.

Impact:
The tenant will be not deployed with the virtual disk size as required for the tenant.

Workaround:
Users can edit the tenant from the CLI and update the virtual disk size as required, and can manage this tenant from the CLI.

Fix:
With the fix, there will be no inline validation for lower or upper limit on the Virtual Disk Size input field on the webUI form, and the default value is set to 0. If and when the configuration is saved with the default value, it will scale up to the minimum default Virtual Disk space required for that specific image.

1207977 : Packet loss on VELOS due to congestion caused by interfaces that are down or disabled

Links to More Info: BT1207977

Component: F5OS-C

Symptoms:
An interface that is down or disabled can cause dropped packets on another port due to internal congestion. This leads to bi-directional packet loss that affects tenants.

The packet drops due to VOQ congestion can be seen in the vqf_voq tmctl table in the cos_fill_drop column.

Conditions:
VELOS chassis.
One or more interfaces on a blade in a partition is down or disabled.

Packets generated internally like lldp packets being sent to a down or disabled interface.

Impact:
Congestion occurs, which causes packet loss that also affects tenants.

Workaround:
The mitigation is to disable sources of internally generated packets which are sent to a down or disabled interface.
This can be done by disabling LLDP on a down or disabled interface.

Fix:
This change will disable queueing packets to a down or disabled interface queue. This will prevent the internal congestion and dropped packets.

1207537-1 : Chassis partition ConfD may fail to start completely during controller rolling upgrade

Links to More Info: BT1207537

Component: F5OS-C

Symptoms:
Following a controller rolling upgrade, one or both of the chassis partition controller instances may fail to start completely.

This can be seen by running the "show partitions" command. Normal status is that one controller instance will show "running-active" and one will show "running-standby". If any other status is shown (running, offline, failed, or no status), then the database is not operating correctly.

Conditions:
At database startup, it is possible for a chassis partition to hang retrieving the database primary key. The presence of this defect confirmed by observing this message at the end of the partition devel.log file:

ERR> 6-Jan-2023::17:51:49.205 partition1 confd[109]: confd encryptedStrings command timed out after 300000 ms inactivity

Impact:
One or both instances of the chassis partition control plane are not operating. This will prevent the chassis partition rolling upgrade, and may stop tenant traffic.

Workaround:
If the chassis partition is in this state, it can be recovered by disabling the partition, waiting for both instances to transition to "disabled", and then re-enabling. The error state is unlikely to occur unless the partition startup happens during a controller failover.

1207485 : LACP daemon restarts when changing lag-type of the aggregation

Links to More Info: BT1207485

Component: F5OS-C

Symptoms:
LACP daemon restarts. The system will be unable to process LACPDUs until LACP daemon starts up again.

Conditions:
The issue occurs from changing the lag-type of an aggregation interface that does not have an associated LACP interface.

Impact:
All LACP link aggregations may go down and be unable to process traffic for a short time. The down time, if it occurs, should be less than a few seconds.

Workaround:
Only change an aggregation's lag-type while an associated LACP interface exists.

Fix:
LACP daemon will not restart when changing an aggregation's lag-type while an associated LACP interface does not exist.

1205345-1 : RADIUS remote authentication uses internal system IP address as system identifier in requests

Links to More Info: BT1205345

Component: F5OS-C

Symptoms:
When configured for RADIUS remote authentication, the F5OS systems send internal system IP address as Network Access Server (NAS) system identifier (NAS-IP-Address or NAS-IPv6-Address), rather than a system management IP.

On VELOS systems, the NAS-IPv6-Address will be a link-local IPv6 address in fe80::/64.

On rSeries appliances, the NAS-IP-Address will be an address in the internal address range (RFC6598 by default), e.g. 100.65.60.2.

Conditions:
RADIUS remote authentication for system users.

Impact:
RADIUS authentication servers may ignore or reject authentication requests due to an unknown system identifier in the requests.

Workaround:
None.

1200665-1 : During an upgrade from 1.3 to 1.5.1, a core file may be created from the diag-agent

Links to More Info: BT1200665

Component: F5OS-C

Symptoms:
A core file can be generated by the diag-agent during the upgrade process from 1.3 to 1.5.1.

Conditions:
Upgrade of F5OS-C from 1.3 to 1.5.1.

Impact:
A Linux core file is generated by the diag-agent service. The service will automatically restart. No functional impact is visible.

Workaround:
No workaround; the service will restart automatically and function normally.

1195517 : Determining the serial console baud rate configuration

Component: F5OS-C

Symptoms:
The current serial console baud rate configuration can be reported by the AOM command menu "I --- Display chassis information" option.

For example:

System controller 1 information:
<snip>
    Console baud rate : 19200, 8-N-1
<snip>

Conditions:
Use the AOM command menu "I --- Display chassis information" option to report the current serial console baud rate configuration.

Impact:
Use the AOM command menu "I --- Display chassis information" option to report the current serial console baud rate configuration.

Workaround:
None

Fix:
The current serial console baud rate configuration can be reported by the AOM command menu "I --- Display chassis information" option.

1195361 : Message displayed to show user the status of Images is not informative enough

Links to More Info: BT1195361

Component: F5OS-C

Symptoms:
Displays message "No Images available.." and then on hover tooltip message asks user to import a image irrespective of the images actually present in the system.

Conditions:
One of the controller is in faulted or unhealthy state.

Impact:
Creates confusion to the user if images are available to import and use but controllers are in unhealthy state.

Workaround:
Check the controller status and see if they are available.

Fix:
Updated the message to display the status of images and controllers available. The message is updated to "No software images available for upgrade" and tooltip is updated to "Please import a software image and ensure both Controllers are available".

1194321 : WS-2022-0280 - Command Injection in moment-timezone before 0.5.35

Component: F5OS-C

Symptoms:
Command Injection in moment-timezone before 0.5.35.

Impact:
F5OS-C 1.6.0 is affected by WS-2022-0280

Workaround:
N/A

Fix:
The dependency, moment-timezone, has been updated to the recommended version.

1194313 : WS-2022-0284 - Cleartext Transmission of Sensitive Information in moment-timezone

Component: F5OS-C

Symptoms:
Cleartext Transmission of Sensitive Information in moment-timezone

Impact:
F5OS-C 1.6.0 is affected by WS-2022-0280

Workaround:
NA

Fix:
The dependancy moment-timezone causing the issue is updated to recommended version.

1194305 : CVE-2022-37601 - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack

Component: F5OS-C

Symptoms:
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Impact:
F5OS-C 1.6.0 is affected by CVE-2022-37601

Workaround:
N/A

Fix:
The package has been updated to a non-vulnerable version.

1194297 : CVE-2022-37601 - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack

Component: F5OS-C

Symptoms:
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
loader-utils has been updated to an unaffected version.

1194277 : CVE-2022-37601 - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils

Component: F5OS-C

Symptoms:
Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
webpack loader-utils has been updated to an unaffected version.

1194269 : CVE-2022-29078 - The ejs package 3.1.6 for Node.js allows server-side template injection

Component: F5OS-C

Symptoms:
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
The ejs package has been updated to an unaffected version.

1194265 : WS-2021-0153 - Arbitrary Code Injection vulnerability was found in ejs before 3.1.6

Component: F5OS-C

Symptoms:
Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
ejs has been updated to an unaffected version.

1190985 : WebUI server error when opening entry for added NTP server created with FQDN

Links to More Info: BT1190985

Component: F5OS-C

Symptoms:
When the user creates an NTP server with FQDN, the NTP server data table on the time settings screen shows the resolved IP address instead of the FQDN. If the user clicks on the hyperlinked IP address in order to launch the edit screen for the NTP server, the webUI throws an error as a record with the IP address is not found.

Conditions:
For an NTP server created with FQDN.

Impact:
The edit screen for the NTP server does not launch.

Workaround:
If the user replaces the IP address in the browser URL with the FQDN of the NTP server, they are able to view the Edit screen and make the required changes.

Fix:
WebUI will list the FQDN in the data table instead of the IP address.

1190369-1 : Terminal window not reflecting configured hostname

Component: F5OS-C

Symptoms:
The title of the terminal window does not have the configured hostname.
Currently, all open windows with root login either from PuTTY or any application display as appliance-1.

Conditions:
Connecting to the device using ssh clients like PuTTY.

Impact:
This causes difficulty for a user trying to juggle multiple open SSH sessions during a maintenance window.

1190321-1 : F5OS - "system config hostname" change not reflected in SNMP MIB

Links to More Info: BT1190321

Component: F5OS-C

Symptoms:
Configure hostname using CLI:

appliance-1(config)# system config hostname <name>
appliance-1(config)# commit
Commit complete.

Check system name in SNMPv2-MIB:

appliance-1# show running-config SNMPv2-MIB system sysName
SNMPv2-MIB system sysName appliance-1.chassis.local

Hostname configuration is not reflecting to SNMPv2-MIB.

Conditions:
Configure hostname using CLI:

appliance-1(config)# system config hostname <name>
appliance-1(config)# commit
Commit complete.

Check system name in SNMPv2-MIB:

appliance-1# show running-config SNMPv2-MIB system sysName
SNMPv2-MIB system sysName appliance-1.chassis.local

Hostname configuration is not reflecting to SNMPv2-MIB.

Impact:
Configured hostname will not be synced in SNMPv2-MIB.

Workaround:
Configure same hostname for SNMPv2-MIB:

appliance-1(config)# SNMPv2-MIB system sysName f5-stsu-kzps
appliance-1(config)# commit
Commit complete.
appliance-1# show running-config SNMPv2-MIB system sysName
SNMPv2-MIB system sysName f5-stsu-kzps

Fix:
Hostname synced with SNMPv2-MIB sysName.

1189013 : Race condition in platform bringup can result in incorrect Openshift images in local registry after upgrade

Links to More Info: BT1189013

Component: F5OS-C

Symptoms:
After upgrade to F5OS-C controller OS version 1.5.x, it is possible for the docker registry from which the Openshift platform pulls container images to have the wrong contents. This can result in necessary images to be missing from the registry, and lead to failures in Openshift cluster bringup after a cluster re-install.

Conditions:
Upgrading F5OS-C controller OS from a pre-1.5.x version to 1.5.x and triggering a cluster re-install after upgrade.

Impact:
Openshift cluster does not come up after re-install.

Workaround:
1. Remove the controller ISO version used to USB install the system. This version can be determined by running the following in a bash shell on either system controller:

grep ^version: /var/platform-services/VERSION | cut -d' ' -f2

2. Reboot both system controllers.

Fix:
Fix for race condition in platform bringup that can result in incorrect Openshift images in local registry after upgrade.

1188761-1 : Updates to openssl to resolve CVE-2019-1563 and CVE-2019-1547

Links to More Info: K97324400, BT1188761

1188469-1 : Updates to Openssl to resolve CVE-2020-1968

Links to More Info: K92451315, BT1188469

1188057-1 : Inactivity-timeout for Console

Component: F5OS-C

Symptoms:
Console session is not expiring after certain time.

Conditions:
Log into system using console.
This console session will remain active for a long time.

Impact:
Log into system using console.
This console session will remain active for a long time.

Workaround:
N/A

Fix:
We have introduced timeout API for console and ssh connection timeout. If a session is active longer than its configured timeout value and has had no interactions, then that session will be automatically terminated.

appliance-1(config)# system settings config sshd-idle-timeout 40
appliance-1(config)# commit
Commit complete.
appliance-1# show system settings state
system settings state sshd-idle-timeout 40

1187189-1 : Tenants fail to start after bare metal install

Links to More Info: BT1187189

Component: F5OS-C

Symptoms:
If the system reboots without an ISO imported after bare metal install, it will try to set up the port 2000 registry as a mirror of itself, which is not correct and results in the registry being empty. Because of this, the tenants are not being deployed.

Conditions:
In bare metal install ISO is not imported.

Impact:
Tenants will not deploy.

Workaround:
Import the version of the ISO that matches the version of the image used to perform the bare metal installation.

Fix:
When patch release is being installed, the correct 'active version of services' is taken which makes the registry not empty. Hence the tenants will be deployed without any issue.

1186173 : Radius server secret-key should not be empty

Links to More Info: BT1186173

Component: F5OS-C

Symptoms:
On add server screen of radius server group, the secret key field is not a mandatory field, which allows the user to add a server without any secret key.

Conditions:
User created a server group of type radius and tries to add a server in that group.

Impact:
If no secret key is provided by user as the field is not mandatory, the timeout value is read as a secret key for server, which is not correct.

Workaround:
User can provide a secret key even though it is not mandatory on the webUI.

Fix:
Secret key field is made a mandatory field now, so the user must enter a secret key before saving the form.

1186161 : Radius server secret key should not be empty

Links to More Info: BT1186161

Component: F5OS-C

Symptoms:
When setting up a Radius server without specifying a secret key, an entry for the server is made that has a missing secret key, thus it creates an invalid configuration file.

Conditions:
Normal

Impact:
The system has an invalid configuration.

Workaround:
Don't make an entry without a secret key.

Fix:
In the fixed version, if no secret key is entered, then the configuration files are not generated.

1185701-3 : 'system aaa' command in ConfD to fail with "Error: application communication failure"

Links to More Info: BT1185701

Component: F5OS-C

Symptoms:
System fails to change password and renders system in a degraded state where user management no longer works.
System fails to provide proper user feedback to the user about failed password changes.

Conditions:
This policy option is causing the problem:
system aaa password-policy config retries 5

Impact:
F5OS user password cannot be changed.

Workaround:
Do not change the configuration from default.
system aaa password-policy config retries 5

Fix:
N/A

1185557-1 : Upgrading to F5OS-A v1.3.1 requires increasing the minimum tenant Virtual Disk Size to 77GB from 76GB of to allow editing of existing tenants in the webUI

Links to More Info: BT1185557

Component: F5OS-C

Symptoms:
After upgrading to F5OS-A v1.3.1 from an earlier version, when you attempt to edit the attributes and parameters of an existing tenant, the Save button on the screen will not become selectable.

Conditions:
Applies to upgrading from an earlier F5OS-A version to F5OS-A v1.3.1 and preexisting configured, provisioned, or deployed tenants are present.

Impact:
If the Virtual Disk Size for any of the preexisting tenants is not increased to a minimum Virtual Disk Size of 77GB you will be unable to edit and save the tenant configuration via the webUI.

Workaround:
Increase the minimum tenant Virtual Disk Size to 77GB on the Add/Edit Tenant screen in addition to any other configuration elements and the Save button will become enabled. Alternatively, tenants can be edited via the CLI interface.

Fix:
Subsequent versions of F5OS will provide an inline validation warning that will be displayed near the Virtual Disk Size webUI element calling attention that the Virtual Disk Size minimum is insufficient if it is set to any value below 77GB.

1185497 : Tenant health in the partition shows additional entries that are not part of the tenant configuration

Links to More Info: BT1185497

Component: F5OS-C

Symptoms:
When the admin upgrades the system software from 1.3.x to 1.5.0, the platform updates the tenant's table with additional entries that are not running as part of the tenant's original configuration.

Conditions:
Power cycle or system software upgrades from 1.3.x to 1.5.0.

Impact:
There will not be any impact on the critical functionality of the tenant, and traffic continues to work. However, it does show some unwanted information in the health which could be confusing.

Workaround:
Toggling the affected tenant's running state from "Deployed" to "Provisioned" and back to "Deployed" will fix the state of the tenant in the table.

Fix:
During the power cycle/system upgrade, the platform re-populates the tenant oper status from Openshift and publishes it to Partition. If the REST response of the tenants from Openshift is incomplete, the platform is populating entries under the wrong key/value. As a result, the partition tenant's table ends up with some unwanted entries.
It is a cosmetic issue and will not impact any tenants.

1184529-1 : Intermittent ingress broadcast traffic failure for tenants on shared VLAN

Links to More Info: BT1184529

Component: F5OS-C

Symptoms:
Traffic on the affected VLAN does not function correctly.

Affected tenants are able to respond to ARP requests or other broadcast traffic. Pings may intermittently fail.

On an affected F5OS rSeries appliance, even though the VLAN is shared between multiple tenants, the VLAN is missing from the software rebroadcaster, as observed by looking at:

docker exec system_tmstat_zmq tmctl -Sd blade rbcast_vlan_stat

Conditions:
-- Multiple tenants configured with access to the same VLAN.
-- The VLAN is assigned to multiple interfaces, and then removed from one interface.

Impact:
Traffic on the affected VLAN does not function correctly. Inbound broadcast traffic is not delivered to tenants.

Workaround:
If a system is already affected, deleting and re-adding the VLAN to an interface or trunk will resolve the issue.

Fix:
This issue no longer occurs.

1184525 : Updating libraries on F5OS-C to resolve CVEs

Component: F5OS-C

Symptoms:
F5OS-C 1.5.0 is vulnerable to the following CVEs:
CVE-2021-42581
CVE-2021-23436
CVE-2021-3757
CVE-2020-15256
CVE-2021-23434
CVE-2022-0686
CVE-2022-0691
CVE-2021-42740
CVE-2021-26707
CVE-2021-44906
CVE-2022-1650
CVE-2021-37701
CVE-2021-37713
CVE-2021-32804
CVE-2021-37712
CVE-2021-32803
CVE-2018-19827
CVE-2018-11694
CVE-2018-11698
CVE-2020-7660
These CVEs affect the following packages:
url-parse
shell-quote
merge-deep
minimist
json-schema
eventsource
node-tar
LibSass
serialize-javascript
Ramda
immer
object-path

Impact:
F5OS-C 1.5.0 is affected by the listed CVEs.

Fix:
Dependencies have been upgraded to non-vulnerable versions.

1184421 : Correcting /etc/etcd/dump_etcd.sh script

Links to More Info: BT1184421

Component: F5OS-C

Symptoms:
/etc/etcd/dump_etcd.sh was wrongly run inside the OMD container. This needs to be run from host-os to collect the correct status.

Conditions:
N/A

Impact:
/etc/etcd/dump_etcd.sh script was wrongly run.

Workaround:
The script was corrected to run from host-os.

Fix:
Corrected /etc/etcd/dump_etcd.sh to run from host-os to collect the correct status.

1183489-1 : System generated events will be logged in platform.log, which is sent to remote logging

Component: F5OS-C

Symptoms:
All the system-generated events are displayed using "show system events" and these events were not sent to remote logging.

Conditions:
N/A

Impact:
None

Workaround:
All the system events are logged and displayed using "show system events" and the system alarms are displayed using "show system alarms".

Fix:
The system events are logged in platform.log. The platform.log has the capability to send it for remote logging.

1182605 : Boot marker logs do not provide enough information

Links to More Info: BT1182605

Component: F5OS-C

Symptoms:
Boot marker logs should provide version and product information in the log.

Conditions:
After a reboot.

Impact:
It can be difficult to determine which version of VELOS a system was booting into.

Fix:
The boot marker logs were updated to show product and OS version information.

1173853-2 : Packet loss caused by failure of internal hardware bus

Links to More Info: BT1173853

Component: F5OS-C

Symptoms:
All or 50% of from-network packets arriving at a front panel port are dropped in hardware prior to delivery to tenant(s) running on the CPU. Packet loss is caused by CRC errors on an internal bus connecting two hardware components leading to eventual failure of the bus.

Conditions:
Issue occurs randomly, but is most commonly seen soon after bootup when packets first start to be handled by fastL4 hardware acceleration, hardware per-virtual server syn cookie protection, or AFM hardware protection.

Impact:
Total loss of from-network to CPU packets on r5900, r5800, and r5600 appliances, and either total loss or loss of 50% of from-network to CPU packets on r10900, r10800, and r10600 appliances. The r4800, r4600, r2800, and r2600 appliances are unaffected.

Workaround:
Reboot the appliance and disable fastL4 acceleration, per-virtual syn cookie hardware protection, and AFM hardware protection before re-enabling ingress traffic.

Fix:
This issue has been corrected.

1173329 : The chassis partition webUI should show the partition name on the application header

Component: F5OS-C

Symptoms:
Partition name is not shown on application header.

Conditions:
N/A

Impact:
Users find it difficult to differentiate between multiple sessions.

Workaround:
The partition name is visible on the tab title and dashboard screen.

Fix:
Partition name is added to the application header on the chassis partition webUI.

1173061 : etcd database may be corrupted in certain failure scenarios

Links to More Info: BT1173061

Component: F5OS-C

Symptoms:
/etc/etcd/dump_etcd.sh might show that the etcd instance native to system controller #1 or #2 does not come up after an upgrade.

This displays in the output of /etc/etcd/dump_etcd.sh and might occur for the .3.51 or .3.52 node:

failed to check the health of member 25fa6669d235caa6 on https://100.65.3.52:2379: Get https://100.65.3.52:2379/health: dial tcp 100.65.3.52:2379: connect: connection refused
member 25fa6669d235caa6 is unreachable: [https://100.65.3.52:2379] are all unreachable

This can cause a longer OpenShift outage if the system controller containing the healthy instance is rebooted, and complete outage if the system controller containing the healthy instance is lost.

Conditions:
This can happen if both system controllers are rebooted at the same time.

Impact:
The local etcd instance on the affected system controller will not work correctly, compromising the high availability (HA) of the OpenShift cluster. The cluster will continue to work correctly while both system controllers are up.

Workaround:
The only workaround is to rebuild the OpenShift cluster by running "touch /var/omd/CLUSTER_REINSTALL" from the shell as root on the active system controller. This will cause all running tenants to be taken down during the cluster reinstall, which takes 90+ minutes.

Fix:
This is fixed in F5OS-C-1.5.1 and later.

With this fix, the impacted etcd instance will be recovered automatically, restoring full high availability support in etcd.

1169341 : Using MAC Masquerade in a BIG-IP tenant causes traffic issues when re-deploying the tenant

Links to More Info: BT1169341

Component: F5OS-C

Symptoms:
If the tenant has configured MAC Masquerade, when the tenant is moved to a Configured or Provisioned state, then back to Deployed, the tenant may experience loss of traffic.

Conditions:
The tenant has configured MAC Masquerade and redeploys the tenant.

Impact:
The tenant may experience loss of datapath traffic.

Workaround:
N/A

Fix:
Using MAC Masquerade in a BIG-IP tenant no longer causes traffic issues.

1168229-1 : Apache vulnerability CVE-2021-40438

Links to More Info: K01552024, BT1168229

1167821-2 : Tcpdump may not capture large packets

Links to More Info: BT1167821

Component: F5OS-C

Symptoms:
The tcpdump utility may not capture packets larger than 1371 bytes.

Conditions:
Large packets, chassis platform.

Impact:
Troubleshooting network issues by running tcpdump in the partition may not work effectively.

1167761-1 : Directory indexing enabled for management webUI

Links to More Info: BT1167761

Component: F5OS-C

Symptoms:
Directory indexing is enabled for management webUI.

Conditions:
When the management IP is followed by the name of any directory that is contained in the webUI, the build directories and file contents are visible on the browser.

Impact:
The webUI build directories and file contents are visible on the browser.

Workaround:
None

Fix:
Disabled directory indexing.

1166009 : VELOS high availability (HA) cluster goes into active/active after upgrade★

Component: F5OS-C

Symptoms:
VELOS high availability (HA) cluster goes into active/active after upgrade.

Conditions:
After upgrading.

Impact:
As the two nodes are in active/active, a failover cannot be performed.

Workaround:
Workaround: https://docs.f5net.com/display/~boli/Workaround+for++the+%27f5-avcl-keepalive%27+subsystem+status+is+%27ACTIVE%27+on+standby+node+after+VELOS+HA+standby+upgrade

Fix:
N/A

1165973 : Application error while using the CLI command "show components"

Links to More Info: BT1165973

Component: F5OS-C

Symptoms:
The user receives an error message using the CLI (show components -> Error: application error) when there is a faulty sensor in the hardware.

Conditions:
When the system has the faulty sensor.

Impact:
Application error seen in the ConfD CLI while trying to execute "show components". The webUI is affected as well.

Workaround:
N/A

Fix:
We have added a check at diag-agent to not throw the application error; it will show data for the healthy components.

1162233 : Mixed front panel port speed configurations are unsupported on F5OS-C v1.5.0

Links to More Info: BT1162233

Component: F5OS-C

Symptoms:
Attempting to set the blade front panel ports into a 100:10/25G or 40:10/25G configuration will result in a non-functional data path. The blade may appear to be linked at the physical layer, but no traffic will pass through the blade until the front panel port speed configuration is the same for both ports (for example, 2x100g, 2x40G, 2x 4x10G).

Conditions:
Setting a mixed speed configuration on the front panel ports (for example, one port at 100G and the other at 4x10G, or one port at 40G and the other at 4x10G).

Impact:
No traffic will pass through the blade.
Tenants will not deploy.

Workaround:
If mixed front panel port speeds are required, update to the next version when it becomes available.

Fix:
If mixed front panel port speeds are required, update to the next version when it becomes available.

1161761-1 : Egress traffic is dropped on interface 1/1.1

Links to More Info: BT1161761

Component: F5OS-C

Symptoms:
Egress traffic on interface 1/1.1 is dropped. If that interface is configured as part of a LAG with LACP enabled, the interface will remain in an LACP_DEFAULTED state.

Conditions:
-- F5OS-C partition using the blade in slot 1.
-- The port group for the interfaces in slot 1 are configured in 4x25GbE or 4x10GbE mode.

Impact:
All traffic that the system tries to transmit out of interface 1/1.1 is dropped.

Workaround:
Do not use interface 1/1.1 in affected software versions.

Fix:
Do not use interface 1/1.1 in affected software versions.

1161597 : Wrong route table names in host-config qkview file

Links to More Info: BT1161597

Component: F5OS-C

Symptoms:
Wrong routing policy tables used to collect the data from the vcc-host-config in controller qkview.

vcc-host-config - ip route list table mgmt-floating
Error: argument "mgmt-floating" is wrong: table id value is invalid

vcc-host-config - ip -6 route list table mgmt-floating
Error: argument "mgmt-floating" is wrong: table id value is invalid

The actual table names are "mgmt-floating4" and "mgmt-floating6".

Conditions:
Qkview data collection from vcc-host-config at the controller.

Impact:
Qkview is unable to collect the expected data.

Workaround:
None

1161557 : BIG-IP tenants created before F5OS-C 1.5.1 or F5OS-A 1.3.0 may be allocated a smaller disk than required

Links to More Info: BT1161557

Component: F5OS-C

Symptoms:
If the BIG-IP tenant disk space is fully used by creating multiple software volumes within the tenant, it will generate disk errors.

Conditions:
- A tenant originally deployed from an “ALL-F5OS” tenant image (i.e., BIGIP-15.1.6.1-0.0.10.ALL-F5OS.qcow2.zip.bundle) originally created from one of the following:
 -- 14.1.5 or above in the 14.1.x branch of code
 -- 15.1.6.1 or above in the 15.1.x branch of code

- The tenant is configured to use 76G of disk space (the default)

Impact:
Software installs within the tenant may fail.

Workaround:
Beginning in F5OS-A 1.3.0, the system detects the minimum size of a disk created from a tenant image file, and enforces that minimum on newly-created tenants.

If a customer has a tenant affected by this issue and upgrades their system to F5OS-A 1.3.0 or later, set the tenant to "configured", and then deploy the tenant again.

If the disk size is not right, the system will show the minimum size, then adjust the tenant disk size to what is advised by the system or larger.

From 1.4.0, user does not need to adjust the size unless the user needs a bigger size.
The right/minimum size will be auto-allocated when the state is changed.

Fix:
The tenant disk size will be detected and auto-allocated.

Behavior Change:
There are two behaviors.

1.3.x: If the disk size is smaller than it has to be, it warns the user and doesn't start the tenant until the user specifies the right/minimum size.

1.4.0: It auto increases the size to the right/minimum size if the user didn't specify the disk size.

1161153 : Alerts not generated in ConfD when dma-agent is unhealthy

Links to More Info: BT1161153

Component: F5OS-C

Symptoms:
Alerts not generated in ConfD alarms and events when dma-agent health is unhealthy.

Conditions:
Only when dma-agent service reports health as unhealthy and severity critical.

Impact:
No alerts will be displayed in ConfD, but health will be displayed in ConfD "show system health".

Workaround:
N/A

Fix:
Alerts and events will be generated and visible in ConfD.

1156601 : Adding ConfD status command's output to QKView logs

Component: F5OS-C

Symptoms:
ConfD --status command's output was not collected as part of QKView.

Conditions:
N/A

Impact:
ConfD status is needed in QKView logs for debugging during an issue.

Workaround:
Added the command output to QKView.

Fix:
ConfD --status output is added to QKView logs.

1154789 : Unexpected flow type logs

Links to More Info: BT1154789

Component: F5OS-C

Symptoms:
fpgamgr docker logs will display lines such as:

hdp_cap_fc_get: Unexpected flow type (17) in HDP_CAP_FC_CAP_11_REG

Conditions:
These lines can appear at any time, triggered with various under-the-hood API calls that need to determine hardware capabilities. Please note that despite the appearance of the log message, this isn't tied to the usage of ePVA (or lack thereof).

Impact:
No impact, these logs are purely cosmetic.

Workaround:
There is no workaround. However, these lines are purely cosmetic and can safely be ignored.

Fix:
N/A

1154625 : The Tenant Deployments column on the tenant images screen is not reflecting exact purpose of that column

Links to More Info: BT1154625

Component: F5OS-C

Symptoms:
The Tenant Deployments column on the tenant images screen on the VELOS chassis partition webUI is currently showing the comma separated slot numbers on which the tenant is deployed. If the image is not used for any deployment, a string 'Not In Use' is shown.

Conditions:
There should be a deployed tenant using the tenant image we are viewing information for.

Impact:
The name "Tenant deployments" on the column is confusing the user, as it indicates that the column will show the count of tenants that are deployed using that image.

Workaround:
NA

Fix:
The column name is changed to "In Use" and the column will now show value "True" or "False" indicating if a tenant is deployed using that image.

1154573 : The "hdp_dmq_stat" table is missing data for several statistics

Links to More Info: BT1154573

Component: F5OS-C

Symptoms:
The TMCTL "hdp_dmq_stat" table is missing data for the following counters:

hdp_dmq_stat/tpg_txpkts
hdp_dmq_stat/tpg_badifh_drop_cnt
hdp_dmq_stat/tpg_unsup_tag_drop_cnt

Conditions:
Always.

Impact:
No valid data for the affected counters.

Workaround:
None

Fix:
Correctly fill in the table columns with the counter values.

1154089 : After a controller upgrade, Kubevirt pods fail to upgrade due to leftover pods stuck in Unknown state

Links to More Info: BT1154089

Component: F5OS-C

Symptoms:
Tenants will not move to a running state.

Conditions:
After a controller upgrade, it is possible that some of the Kubevirt pods from the previous software version can remain in an Unknown state. With these leftover pods, the Kubevirt install script will fail to install the newer Kubevirt pods.

Impact:
Tenants are not running.

Workaround:
Manually delete the leftover Kubevirt pods in the Unknown state and rerun the Kubevirt install script.

Fix:
Kubevirt pods will update as expected.

1146181 : User logon/logoff logs in audit logs, to be sent via remote syslog

Component: F5OS-C

Symptoms:
The user logon/logoff logs were not sent via remote syslog.

Conditions:
Releases prior to version 1.6.0.

Impact:
The user logon and logoff logs will not be sent to remote syslog.

Workaround:
NA

Fix:
audit.log is included in remote syslog, so all the user logon and logoff logs can be sent to remote syslog.

1146109 : Cannot display license information in VELOS partition webUI

Component: F5OS-C

Symptoms:
User does not have a way to see the system's license details when they are on the partition webUI.

Conditions:
User tries to see licensing info on the partition webUI.

Impact:
No way to view licensing information on the partition webUI.

Workaround:
N/A

Fix:
A new licensing navigation option has been added to the partition webUI. Clicking on it will show the system's licensing information.

1146013 : VELOS floating IP may not work properly with IPv4 prefix-length other than /24, /16, or /8

Links to More Info: BT1146013

Component: F5OS-C

Symptoms:
When a VELOS device is configured with a prefix-length other than /24, /16, or /8 for IPv4 management addresses, the system may fail to install correct routes for handling reply traffic sourced from the floating management address.

One of the two following situations may occur:

1. The floating management address will not be accessible from other devices on the same local network (cannot ping the floating management IP from the standby system controller).

2. The floating management address will not be accessible from another range of IPs, because the system thinks those addresses are link-local.

For instance, if a device is assigned an IP address of 198.51.78.88/26:

[root@controller-1 ~]# ip route show table mgmt-floating4
default via 198.51.100.126 dev mgmt-floating
198.51.100.0/26 dev mgmt-floating scope link

The system will not be accessible from devices with IP address 198.51.100.0 through 198.51.100.63.

Conditions:
-- VELOS controller
-- Management network with an IPv4 management address configured, and management network prefix-length other than /24, /16, or /8.

Impact:
Floating system controller management IP may not be able to reply to traffic from all IPs.

Workaround:
On active system controller (and after any reboot or system controller failover), fix the routing rules. Log in to the active system controller as root and run the following commands:

CORRECT_NETWORK=$(ip route show table main | grep mgmt-floating | cut -f1 -d' ')
WRONG_ROUTE=$(ip route show table mgmt-floating4 | grep 'scope link')
ip route delete table mgmt-floating4 $WRONG_ROUTE
ip route add table mgmt-floating4 $CORRECT_NETWORK dev mgmt-floating

Fix:
The system correctly handles IPv4 management addresses with a prefix-length other than /24, /16, and /8.

1145753-1 : QKView obfuscation step can cause excessive disk usage

Links to More Info: BT1145753

Component: F5OS-C

Symptoms:
QKView performs the obfuscation steps for capturing files, which can create temporary files the same size as the captured files. If a sufficiently large file is captured, this may cause a disk full error.

Conditions:
QKView captures a very large file and obfuscates it.

Impact:
System may be unusable.

Workaround:
Before executing QKView, scan the system for extraordinarily large log files and delete them. One example is telemetry.db.

Fix:
This bug fix truncates the file to a maximum size of 0.5 GB (or a size defined by the maxfilesize argument) before performing obfuscation. This limits the chance for a disk full error.

1144633 : System controller components can hang during controller rolling upgrade

Links to More Info: BT1144633

Component: F5OS-C

Symptoms:
System controller components can hang during controller rolling upgrade, resulting in failure to start the partitions correctly, and other incorrect operation.

Partition instance state may show as "failed", "offline", or "running", rather than the normal "running-active"/"running-standby".

This can also cause imported ISO images to not synchronize across controllers following an upgrade.

Conditions:
Performing a system controller rolling upgrade from a version prior to 1.5.0, to version 1.5.0.

Impact:
Partition instances may not reach the normal state of running-active/running-standby, and will not operate correctly.

Workaround:
If the system is in this state, it can be fixed by rebooting both system controllers, in sequence. Failover/go-standby is not sufficient; both controllers must be restarted to clear the issue.

The problem can be avoided by performing an out-of-service upgrade, using the "out-of-service true" option with the system controller "system image set-version" command.

Fix:
The system controller components no longer hang during the rolling upgrade.

1144177 : CLI idle-time is not persistently configurable

Component: F5OS-C

Symptoms:
The default CLI idle-timeout is set in a non-user-modifiable configuration file, and must be set each time the user logs in.

Conditions:
The user desires to set an persistent idle-timeout to a value other than the pre-set default, or to disable it.

Impact:
User cannot select a default idle-timeout other than the predefined default.

Workaround:
None.

Fix:
A configuration setting has been added to the configuration database as "system settings config idle-timeout" so that the administrator can configure a default idle-timeout for the CLI. The setting applies to the particular system instance (controller, partition, or appliance).

Behavior Change:
Administrator can configure the default CLI timeout value, so that it applies to all user sessions.

1143841 : TACACS+ remote authentication for SSH does not work when server listens on non-default port

Links to More Info: BT1143841

Component: F5OS-C

Symptoms:
If remote authentication is configured to use TACACS+ and the servers use a port other than 49 (the default port for TACACS), users will not be able to authenticate via SSH.

SELinux errors in /var/log/audit/audit.log similar to the following:

type=AVC msg=audit(1660923433.566:3728): avc: denied { name_connect } for pid=20995 comm="sshd" dest=4949 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_port_t:s0 tclass=tcp_socket permissive=0

Conditions:
-- rSeries appliance running F5OS-A, or VELOS system controller; this issue does not affect VELOS chassis partitions
-- TACACS+ remote authentication
-- TACACS+ server listening on a port other than 49

Impact:
Unable to authenticate when connecting via SSH.

Workaround:
Configure the SELinux policy to allow this traffic. On a VELOS chassis, these instructions must be run on each system controller separately.

1. Connect to the F5OS system via SSH as root.

2. Examine the SELinux audit denials and confirm all of them are associated with traffic that should be allowed:

grep denied.*name_connect.*sshd /var/log/audit/audit.log > /root/ssh-audit-denials.log
cat /root/ssh-audit-denials.log

Remove entries from the file /root/ssh-audit-denials.log that you do not want to allow.

3. After confirming the contents of the file /root/ssh-audit-denials.log, run the following commands to create and install an SELinux policy to allow that traffic:

audit2allow -M sshd.allowtacacs < /root/ssh-audit-denials.log
semodule -i sshd.allowtacacs.pp

1143769-1 : Updating LDAP configuration on Auth Settings screen on the webUI having no TLS key updates it to empty string.

Links to More Info: BT1143769

Component: F5OS-C

Symptoms:
When the LDAP configuration on Auth Settings is updated via the webUI, with TLS key not previously configured, it is updated to be an empty string. This is resulting in empty string encryption.

Conditions:
Add/Modify LDAP configuration on Auth Settings screen.

Impact:
TLS key is set to empty string and is encrypted.

Workaround:
One of the following:

-- Use the F5OS CLI to modify authentication settings, rather than using the webUI.

-- Use the webUI to edit authentication settings only when the TLS key is already configured, meaning, there is an encrypted value already present in TLS key field.

Fix:
Updating LDAP configuration when the TLS key is not configured will not create a TLS key with empty string.

1141753-1 : User manager containers should not mount /var/log/tally as /tmp

Component: F5OS-C

Symptoms:
Unnecessary files left in /var/log.

Conditions:
When qkview is captured.

Impact:
Unnecessary files left in /var/log and collected by qkview as a result of a container using /var/log/tally as a temporary space.

Workaround:
N/A

Fix:
User manager does not mount /var/log/tally anymore.

1141661 : LDAP groups configurable with custom gidNumber to role mappings

Component: F5OS-C

Symptoms:
In prior releases, the group ID number representing authentication roles was hard-coded to certain values. This could cause problems since an external authentication system (for example, LDAP) may have conflicting group IDs.

Conditions:
External authentication system (e.g. LDAP, AD, or radius) where a group ID number conflicts with the hard-coded role IDs (for example, 9000).

Impact:
This could cause difficulty configuring a user with specific role assignments in an external authentication system.

Workaround:
Reconfigure group IDs in external system such that the hard-coded group ID numbers match the role numbers required by the F5 system.

Fix:
Added configuration to allow the administrator to specify the group ID number in use by the external system to identify user roles. The external number will be mapped to the F5 role based on this setting.

1141577-2 : WebUI crashes when a new SSL/TLS private key is generated

Links to More Info: BT1141577

Component: F5OS-C

Symptoms:
The webUI crashes when a new SSL/TLS certificate is created in the Certificate Management tab.

The HTTP server has to restart to read the newly-created private keys (encrypted or un encrypted) from a configuration file. Before the HTTP server restarts, all active client connections will be closed. This will cause the webUI to crash, and the server will be unreachable temporarily.

Conditions:
No configuration changes required.

Impact:
The webUI crashes and the TCP connection with the HTTP server will be closed.

Workaround:
The user has to reestablish the connection to the server after waiting a few seconds.

Fix:
No fix required.

1141293 : F5OS will not import system images copied with WinSCP

Links to More Info: BT1141293

Component: F5OS-C

Symptoms:
F5OS will not import system images copied into /var/import/staging/ using WinSCP. The file will be present on the filesystem, but the system will not process and validate them.

On older software versions (prior to F5OS-C 1.3.0 and F5OS-A 1.1.0), the image will remain stuck in an "In Queue" state.

Conditions:
Importing F5OS system images (F5OS-C controller and chassis partition images and F5OS-A system images) to /var/import/staging/.

Impact:
The images cannot be used for F5OS software installs.

Workaround:
After importing the images, log in to the F5OS device as root and run touch against the newly-uploaded files. For instance:

    touch /var/import/staging/F5OS-C-1.4.0-4112.CONTROLLER.iso

Fix:
F5OS will correctly import system images copied with WinSCP.

1141137 : Qkview collects redundant log files

Links to More Info: BT1141137

Component: F5OS-C

Symptoms:
Qkview collects most log files as part of its main collection, but some containers have been specified to collect log files specific to the operation of that container.

Conditions:
Execute
system diagnostics qkview capture

Impact:
Redundant log files collected use extra storage space and bandwidth for transmission.

Fix:
Redundant log files have been scrubbed from container collection.

1140537 : DMA-Agent system logs preserved through system reboots

Links to More Info: BT1140537

Component: F5OS-C

Symptoms:
The dma-agent log file is deleted and recreated every time the system is rebooted, this makes investigating dma-agent related issues difficult if the system had restarted since the problem occurred.

Conditions:
Accessing dma-agent system logs.

Impact:
Difficult in investigating or debugging dma-agent system logs.

Workaround:
Do not reboot the system in which dma-agent logs need to be investigated.

1137889 : CLI "show interfaces summary" command doesn't provide a summary

Links to More Info: BT1137889

Component: F5OS-C

Symptoms:
The "show interfaces" command is quite cluttered when displaying the state of both physical and virtual (aggregate) interfaces, making it difficult to get a high-level summary of all interfaces.

The "show interfaces interface full" command displays a confusing subset of interface states, when the intent of "full" was to display all state fields, including the duplicate "name" column.

Conditions:
The administrator attempts to use the "show interfaces" command to diagnose networking problems.

Impact:
Difficult to diagnose interface configuration/connectivity problems.

Workaround:
None

Fix:
The new "summary" option for "show interfaces" displays a brief subset of the most important interface state information.

appliance-1# show interfaces interface state summary
                                     OPER
NAME TYPE MTU ENABLED STATUS
---------------------------------------------
1.0 ethernetCsmacd 9600 true UP
2.0 ethernetCsmacd 9600 true UP
3.0 ethernetCsmacd 9600 true UP
4.0 ethernetCsmacd 9600 true UP
5.0 ethernetCsmacd 9600 true UP
6.0 ethernetCsmacd 9600 true UP
7.0 ethernetCsmacd 9600 true UP
8.0 ethernetCsmacd 9600 true UP
mgmt ethernetCsmacd - true UP

1137841-1 : Configuring auth server-group and server requires duplicate name/address values

Component: F5OS-C

Symptoms:
When configuring a server-group from the CLI, users were forced to enter the config name and/or the config address multiple times to successfully configure the server-group.

Conditions:
User is attempting to configure an auth server-group using the CLI.

Impact:
Configuration was unnecessarily complex and error prone.

Workaround:
Explicitly enter the config name or config address to complete the configuration of the server-group.

Fix:
Server-group only requires the config name and/or config address to be entered once to successfully configure the object.

1137725-1 : nslcd start/run script may fail or log alarming messages

Links to More Info: BT1137725

Component: F5OS-C

Symptoms:
The script that watches and restarts the nslcd process could sometimes fail to do so, and would sometimes log messages that appeared alarming.

Conditions:
Changing authentication settings that affect nslcd.

Impact:
The messages were benign, but the occasional failure to restart nslcd on config change could cause authentication changes to fail to propagate to the running process.

Workaround:
Restarting the name-service-ldap container is likely to solve the issue.

Fix:
The nslcd start/run script was rewritten to minimize alarming log messages and reliably start and restart the process when expected.

1137689-1 : iHealth accepts QKView files to upload without any file extension

Links to More Info: BT1137689

Component: F5OS-C

Symptoms:
QKView files without any extension failed to upload into iHealth.

Conditions:
If the QKView files are generated without any extension.

Impact:
iHealth report invalid file extension.

Workaround:
Generate QKView files with extension.

Fix:
Allow to upload QKView files to iHealth without any extension.

1137669-3 : Potential mis-forwarding of packets caused by stale internal hardware acceleration configuration

Links to More Info: BT1137669

Component: F5OS-C

Symptoms:
Because configuration entries added to the internal ePVA hardware acceleration tables may become stuck, packets arriving from front panel ports may be handled by stale entries resulting in unexpected forwarding behavior. The stale entries may also prevent TMM from offloading new connections to ePVA.

Conditions:
The most likely cause for entries to become stuck is either a reboot of tenant or restart of TMM while it has active connections offloaded to ePVA without also rebooting the entire appliance.

Impact:
Packets may be forwarded to unexpected destinations, and/or new connections are unable to be offloaded to ePVA.

Workaround:
Don't reboot or restart TMM without also rebooting the entire appliance.

Fix:
Packets are behaving as expected.

1137637 : System is not configured to use user-specified NTP servers by default

Component: F5OS-C

Symptoms:
The default configuration of a VELOS system is for external NTP to be disabled. This means that even if user-specified NTP servers are configured, they will not be used until the overall NTP feature is enabled. Additionally, the overall NTP enablement value is not reflected in the output of 'show running-config system ntp' in controller ConfD.

Conditions:
System is running with default NTP configuration and user configures an external NTP server.

Impact:
Behavior is confusing or concerning to users who do not realize that they need to enable NTP for their configuration to take effect.

Workaround:
To work around the issue, users must enable external NTP:

syscon-1-active(config)# system ntp config enabled
syscon-1-active(config)# commit
Commit complete.

Fix:
System is configured to use user-specified NTP servers by default, and reports NTP enablement value in running config.

1137601 : Convey warning to user when user tries to change root user password with appliance mode enabled

Links to More Info: BT1137601

Component: F5OS-C

Symptoms:
There are no issues in functionality. This is to show extra information whenever the user tries to change the root user password on Users screen on the webUI, and the appliance mode is enabled. The CLI shows a message, and webUI will also show the same message in the form of popup.

Conditions:
Whenever the user tries to change the root user password on the Users screen on the webUI while appliance mode is enabled, a warning popup shows up with the same information.

Impact:
This does not impact the functionality.

Fix:
Enable appliance mode and change the root user password on the Users screen, a popup shows up with the information "The password has changed but appliance mode is enabled that blocks root login."

1137361-1 : Enabling LDAP may produce a log message with the usage help for the kill command

Links to More Info: BT1137361

Component: F5OS-C

Symptoms:
If the nslcd process is being restarted but was not previously running, this message could be issued.

Conditions:
The nslcd process is being restarted because of a configuration change but was not previously running.

Impact:
Alarming log messages. Potential failure to restart nslcd, resulting in failures in remote authentication.

Workaround:
Restarting the name-service-ldap container is likely to resolve the issue.

Fix:
The nslcd run/start script was rewritten to make it more robust, while reducing the chance for unnecessarily alarming log messages.

1137333 : Help text for LDAP TLS certificate check has been clarified

Component: F5OS-C

Symptoms:
The help text for LDAP tls_reqcert was not clear. This has been rectified.

appliance(config)# system aaa authentication ldap tls_reqcert
Possible completions:
  allow Session proceeds with or without server certificate, including a bad one.
  demand Session terminates immediately if a bad or no certificate is provided.
  hard This keyword is equivalent and semantically the same as demand.
  never The client will not request or check any server certificate.
  try Equivalent to allow, but the session is terminated if a bad certificate is provided.

Impact:
Help text was confusing.

Fix:
Help text has been improved.

1137309-1 : NSLCD does not restart if it dies or exits

Links to More Info: BT1137309

Component: F5OS-C

Symptoms:
If the NSLCD process is terminated for any reason, the process is not restarted.

Conditions:
LDAP authentication is enabled and the NSLCD process is terminated or unexpectedly exits.

Impact:
LDAP authentication will be unavailable.

Workaround:
The process can be restarted by manually restarting the container using the command docker restart name-service-ldap.

Fix:
The NSLCD process will now restart if it is terminated.

1137125 : ConfD history command displaying the LDAP bind-pw and tls-key in clear text

Component: F5OS-C

Symptoms:
If the LDAP bindpw, tls-key are configured through the ConfD, then the history command is displaying this sensitive information in clear text.

Conditions:
Configuring the LDAP bind password, tls-key from ConfD.

Impact:
Displaying sensitive data in ConfD history command.

Fix:
Hiding the LDAP bind-pw and tls-key values.

1136829 : Blank server error popup appears over unauthorized popup for operator user

Links to More Info: BT1136829

Component: F5OS-C

Symptoms:
When an operator user performs any operation that makes a REST call that is unauthorized for the operator role, a blank server error popup appears behind the unauthorized popup.

Conditions:
When the logged in user is in an operator role and performs an unauthorized action.

Impact:
A blank server error popup is seen behind an unauthorized popup, which is unnecessary.

Workaround:
NA

Fix:
Tested that only the unauthorized popup is visible when the operator user performs any unauthorized action.

1136725-1 : An iptables CLI error

Links to More Info: BT1136725

Component: F5OS-C

Symptoms:
An iptables command error:
[root@appliance(appliance.chassis.local) ~]# iptables -L
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Conditions:
When a parallel iptables query is happening, this error displays.

Impact:
The iptables can get disturbed.
User may not be able to view the iptables.

Workaround:
During iptables listing, it uses DNS and reverse DNS lookup if "-n" option is not used, which will make iptables hold the lock for longer durations.

Fix:
Added "-n" option in all places where iptables listing is happening.

1136633 : Utils-agent "Failed to delete inactive download sessions" error on startup

Links to More Info: BT1136633

Component: F5OS-C

Symptoms:
After booting a device, an error message of "Failed to download inactive download session" is observed in the error logs.

Conditions:
Immediately after booting.

Impact:
Error logs are observed after booting.

Workaround:
N/A

Fix:
The log is fixed in the utils-agent to log the data only if the data is not deleted properly.

1136597-1 : LDAP user with admin and operator role gets only operator permissions

Links to More Info: BT1136597

Component: F5OS-C

Symptoms:
An LDAP user configured with groups for both admin and operator roles only receives operator permissions.

Conditions:
LDAP user configured with gidNumber assignments for both admin and operator roles.

Impact:
A user with this config would be assigned only operator permissions.

Workaround:
Only configure the gidNumber for the desired role in LDAP for the user. Do not configure multiple roles for the same user.

Fix:
There was an error in the NACM rules for ConfD config. The role logic has been fixed.

1135865-1 : Remotely authenticated user who is a member of multiple roles that include invalid roles is not allowed to log in

Links to More Info: BT1135865

Component: F5OS-C

Symptoms:
Users on systems have a role assigned to them. This role is one of a predefined set which includes the admin role. A remote user with multiple roles, some of which are not in this predefined set, is configured on a remote authentication server (LDAP, tacplus or RADIUS). Such a user was treated different based on mode of access (GUI or ssh) and the remote authentication method. Sometimes the user can log in, sometimes not.

Conditions:
A user has to configured on a remote authentication server (LDAP, tacplus or RADIUS) with multiple group IDs, some of which are not assigned to any role in our system.
That remote authentication method has to be configured as an authentication method on our system.
User supplies the correct password and tries to log in. The user may or may not be allowed into the system, depending on method of access and remote authentication method.

Impact:
When a remote user has multiple roles which include invalid roles, the behavior of the system was inconsistent.

Workaround:
Removing the invalid group ID from the remote server will fix the issue.

Fix:
When a remote user belongs to multiple roles, some of which are invalid ones, only the valid roles are considered for authorization. Also, this is consistently done across methods of access (GUI, ssh, etc.) and across all remote authentication methods (LDAP, tacplus, RADIUS, etc.).

1135861-1 : LDAP authentication mishandling

Component: F5OS-C

Symptoms:
Under certain circumstances when LDAP authentication is configured, a remote user may not be authorized correctly when logging into the command line.

Conditions:
An improperly configured user profile.
LDAP configured on F5OS.

Impact:
Authorization does not occur as expected.

Workaround:
Restrict access to the management port to trusted users.

Fix:
LDAP authorization works as expected.

1135853 : Openshift kubelet-server and kubelet-client certificates expire after 365 days

Links to More Info: BT1135853

Component: F5OS-C

Symptoms:
See https://support.f5.com/csp/article/K64001020

The kubelet-server and kubelet-client certificates on each blade and controller expire after 365 days and are not automatically renewed when they expire.

When the blade kubelet-server and kubelet-client certificates expire, the blade(s) will go offline in the openshift cluster, and be re-added to the Openshift cluster by the orchestration-manager daemon. This will cause a tenant outage.

On the active system controller, messages appear similar to the following example, indicating the certificates are expired:

controller-2.chassis.local dockerd-current[4212]: E0809 19:48:01.601509 1 authentication.go:62] Unable to authenticate the request due to an error: [x509: certificate has expired or is not yet valid, x509: certificate has expired or is not yet valid]

The systemd journal on the system controller logs messages similar to the following example:

controller-2.chassis.local origin-node[19920]: E0808 08:35:03.754013 19930 certificate_manager.go:326] Certificate request was not signed: timed out waiting for the condition

Conditions:
Any system where the Openshift cluster was installed with a release of 1.5.0 or earlier.

Impact:
The blade(s) will go offline in the Openshift cluster and be re-added to the Openshift cluster by the orchestration-manager daemon. This will cause a tenant outage, and the tenants may not restart correctly after the blades have been re-added to the cluster.

Workaround:
The renew_nodes.sh script mentioned in K64001020 can be used to renew the kubelet-server and kubelet-client certificates for one more year. It is not possible to renew these certificates for more than a year without rebuilding the Openshift cluster.

At 2 years, other certificates in the Openshift cluster will expire, so it is necessary to rebuild the Openshift cluster with the fix for this issue.

Fix:
Openshift has been updated to use a certificate expiration time of 10 years, and new Openshift containers have been added to releases with this fix. To make use of these new containers with longer certificate expiration times, it is necessary to rebuild the Openshift cluster.

Warning messages have been added to the “show cluster cluster-status” output on the system controller CLI that warn when certificates are within 90 days of expiring, and when the Openshift cluster needs to be rebuilt to take advantage of the new containers with the longer certificate expiration times.

syscon-1-active# show cluster cluster-status
cluster cluster-status summary-status "Openshift cluster is healthy, and all controllers and blades are ready. WARNING: 1 or more Openshift certificates expiring within 90 days. WARNING: Manual Openshift cluster rebuild necessary to update containers."

INDEX STATUS
--------------------------------------------------------------------------------------------------------------------
15 2023-08-20 12:03:09.773660 - WARNING: Openshift cluster needs manual rebuild to upgrade to latest version.
16 2023-08-20 12:05:05.373785 - WARNING: Openshift certificates expiring within 90 days.

The Openshift cluster can be rebuilt after upgrading to a release containing the fix by issuing a “touch /var/omd/CLUSTER_REINSTALL” command from the shell on the active system controller. This rebuild will take 90+ minutes and will cause a tenant outage. Once the cluster rebuild is complete, all chassis partitions should be disabled and re-enabled, and all tenants should be cycled to provisioned and back to deployed to ensure they have restarted correctly after the cluster rebuild. At this point all certificates in the cluster will have a 10 year expiration.

Once the Openshift cluster is rebuilt using this fix, it is not possible to downgrade without rebuilding the Openshift cluster after the downgrade. This is due to the new Openshift containers not being available after the downgrade. If a downgrade is done before the Openshift cluster is rebuilt, there will not be any issues.

1135849-2 : telemetry.db grew to 50G and caused error "database disk image is malformed"

Links to More Info: BT1135849

Component: F5OS-C

Symptoms:
As we received multiple RAS events continuously while monitoring, the telemetry.db size grew to 50G.

Conditions:
If the hardware is in issue state, we can see more events getting generated, which will increase the telemetry.db size.

Impact:
File system will not be accessible as telemetry.db is consuming more space.

Workaround:
Delete the telemetry.db file and restart the platform-monitor service.

Fix:
This fix truncates the telemetry.db to a size of 500 MB or less.

1135661-1 : Ability to configure LDAP chase-referrals option

Component: F5OS-C

Symptoms:
By default, our LDAP implementation was set to chase LDAP referrals. This could be expensive and make lookups very slow in large organizations with multiple layers of LDAP servers.

Conditions:
LDAP enabled in very large LDAP organizations with multiple levels of servers.

Impact:
The default of chasing referrals in the above conditions could result in slow LDAP lookups and timeouts.

Fix:
A chase referrals option was added to LDAP configuration. The default is still enabled, but now it can be easily disabled:
system aaa authentication ldap chase-referrals false

1135281 : Blank LDAP tls_key causes error

Links to More Info: BT1135281

Component: F5OS-C

Symptoms:
When using the CLI or older webUI, it was possible to enter an "empty" tls_key. This would cause nslcd to be incorrectly configured.

Conditions:
LDAP configured. Blank LDAP tls_key entered:
system aaa authentication ldap tls_key ""

Impact:
A blank tls_key would fail to work correctly when configuring authentication or talking to the LDAP server.

Workaround:
Explicitly set the bind password to unset:
no system aaa authentication ldap tls_key

Fix:
Fixed authentication so any form of "empty" tls_key results in the tls_key being unset.

1135233 : Updating LDAP configuration on Auth Settings screen on the webUI fails to preserve the existing bind password

Links to More Info: BT1135233

Component: F5OS-C

Symptoms:
When the LDAP configuration on Auth Settings is updated via webUI, the unchanged/existing bind password is replaced by an empty string, resulting in LDAP authentication failure.

Conditions:
Modify existing LDAP configuration on Auth Settings screen.

Impact:
Bind password is not preserved.

Workaround:
One of the following:

-- Use the F5OS CLI to modify authentication settings, rather than using the webUI.

-- When editing authentication settings in the webUI, always re-enter the bind password.

Fix:
Updating LDAP configuration preserves existing/unchanged bind password, will not result in LDAP authentication failure.

1135181 : Controller rolling upgrade may cause blades to reboot into partition "none", deleting tenant data

Links to More Info: BT1135181

Component: F5OS-C

Symptoms:
System controller components can hang during controller rolling upgrade, resulting in failure to start the partitions correctly, and other incorrect operation.

Partition instance state may show as "failed", "offline", or "running", rather than the normal "running-active"/"running-standby".

If switchd hangs in during rolling upgrade, this will cause failure messages when blades reboot.

Conditions:
Performing a system controller rolling upgrade to version F5OS-C 1.5.0 from an earlier version.

Impact:
Tenant instance data (the virtual disk image) may be deleted from the blades if the blades are rebooted while this issue is occurring.

Workaround:
The problem can be avoided by performing an out-of-service upgrade, using the "out-of-service true" option with the system controller "system image set-version" command.

If a VELOS chassis has already undergone a rolling upgrade to F5OS-C 1.5.0, reboot both system controllers to get them back into a stable state.

If blades in a partition were affected, reboot those blades after rebooting the system controllers. The tenant instance data cannot be recovered, and must be recreated and/or restored from a UCS backup.

Fix:
The system controller components no longer hang during the rolling upgrade.

1134957-1 : ldapsearch not available to use on F5OS devices

Component: F5OS-C

Symptoms:
ldapsearch is a crucial utility for troubleshooting LDAP remote authentication. However, it wasn't available on any F5OS devices, and therefore, couldn't be utilized.

Conditions:
The utility could not be found searching on the base OS using the command: "find / -name '*ldapsearch*'"

It also could not be found within the name-service-ldap container, using the command: "docker exec -it name-service-ldap ldapsearch"

Impact:
Troubleshooting is made more difficult.

Fix:
ldapsearch has now been installed and can be accessed using the name-service-ldap container. To do this, you can run the command: "docker exec -it name-service-ldap bash".

1134901 : CVE-2020-7774 - The package y18n before 3.2.2, 4.0.1 and 5.0.5, allows unsafe operations.

Component: F5OS-C

Symptoms:
The package y18n before 3.2.2, 4.0.1 and 5.0.5, allows unsafe operations.

Conditions:
This affects the package y18n before 3.2.2, 4.0.1, and 5.0.5.

Impact:
N/A

Workaround:
None

Fix:
'y18n' has been upgraded to v4.0.3.

1134745 : CVE-2016-9121 - go-jose before 1.0.4 suffers from an invalid curve attack

Component: F5OS-C

Symptoms:
go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
go-jose has been upgraded to a non-vulnerable version

1134657 : USB information not available in QKView

Component: F5OS-C

Symptoms:
USB information was not available in QKView.

Impact:
SEs do not have sufficient data to diagnose USB issues.

Workaround:
Execute the lsusb command and record results.

Fix:
The lsusb command is now executed as part of QKView collection.

1134625 : webUI session timeout popup referring to browser time instead of server time

Links to More Info: BT1134625

Component: F5OS-C

Symptoms:
If the browser time is not in parity with the server time then the session timeout popup is showing up early (before the token expires) or sometimes not showing up even when the token actually expires.

Conditions:
When the user browser and the server times are not in sync.

Impact:
The user sees incorrect session timeout popup or does not see session timeout popup when the token actually expires.

Workaround:
NA

Fix:
This issue is fixed and verified that the timer for the popup is set correctly.

1133633 : QKView captures shadow file without password hashes

Component: F5OS-C

Symptoms:
QKView captures shadow file with password hashes.

Conditions:
QKView capture.

Impact:
Password hashes can be used to reverse engineer the password.
It is not easy and could takes months or years but still a concern.

Fix:
QKView clips out password hash from the file.

1132973-1 : Live upgrade to F5OS-A-1.3.0 will not work if STP is not configured correctly.

Links to More Info: BT1132973

Component: F5OS-C

Symptoms:
System database compatibility checks will fail with STP misconfigurations.

Conditions:
Live upgrades to F5OS-A-1.3.0 will not work if STP is not configured correctly.

Impact:
System database compatibility checks will fail.

Workaround:
STP cannot be enabled on individual LAG members. To perform a live upgrade to F5OS-A-1.3.0, the user must correct the STP configurations by removing the STP from the interface which is assigned to aggregation-id.

1132745-1 : Improve user readability during file upload on partition or controller

Component: F5OS-C

Symptoms:
When the user starts uploading a tenant image file, the file transfer status in the image import status table displays after a few seconds rather than immediately.

Conditions:
On the tenant images screen, when the user has started a file upload from his local machine.

Impact:
User is notified of file upload status after some time, which might lead the user to think that file upload has not started until he sees the status.

Workaround:
None.

Fix:
A new banner was added at the top of the page saying "File upload is initializing, the transfer status will appear momentarily.", which appears as soon as the user starts the file upload. After a few seconds the message on the banner will change to "File upload in progress, please do not refresh the page.", informing user that refreshing the page will cancel the upload process.

1132733 : LDAP config tried to configure blank bind password

Links to More Info: BT1132733

Component: F5OS-C

Symptoms:
When using the CLI or older webUI, it was possible to enter an "empty" password. This would cause nslcd to be incorrectly configured.

Conditions:
LDAP configured. Blank LDAP bind password entered:
system aaa authentication ldap bindpw ""

Impact:
A blank password was highly unlikely to be the intended result and would fail to work correctly when configuring authentication or talking to the LDAP server.

Workaround:
Explicitly set the bind password to unset:
no system aaa authentication ldap bindpw

Fix:
Fixed authentication so any form of "empty" password results in the password being unset.

1132605-1 : Copied ISO file does not have the immutable bit set after F5OS USB install

Links to More Info: BT1132605

Component: F5OS-C

Symptoms:
When performing a USB install, F5OS creates the ISO file used for installation under /var/import/staging. Under certain conditions, this newly created ISO file is missing the immutable bit, allowing the file to be potentially modified or deleted while it is in use.

Conditions:
Perform a USB install of F5OS.

Impact:
New ISO file is missing the immutable bit (should show up as an 'i' in the chattr output).

   [root@appliance-1 ~]# lsattr /var/import/staging/
   -------------e-- /var/import/staging/F5OS-A-1.1.0-7645.R5R10.iso

This results in risk of the ISO file being deleted or modified while in use.

Workaround:
If the imported ISO file is still present in /var/import/staging, set the immutable bit on it, for example:

    chattr +i /var/import/staging/R5R10.1.1.1-9159.iso

If the imported ISO file is missing, that is, because it was deleted or renamed:

1. Put a copy of the ISO file on the rSeries appliance named precisely the same as the original file was, for example:

    Copy the ISO file to the rSeries appliance, but name it "R5R10.1.1.1-9159.iso" and put it in /var/import/staging/

2. Set the immutable bit on the file:

    chattr +i /var/import/staging/R5R10.1.1.1-9159.iso

3. Reboot the device.

Fix:
N/A

1132485 : Controller sync can enter an erroneous double standby configuration in rare circumstances★

Links to More Info: BT1132485

Component: F5OS-C

Symptoms:
Under rare circumstances, the controller sync daemon (which is responsible for mirroring data between active and standby controllers) can end up in a "double standby" configuration. This results in an interruption in proper controller synchronization, and can result in negative impacts such as controller software import or upgrade failure.

Conditions:
Controller sync daemon on both active and standby controllers is configured to "standby" mode.

Impact:
Controller sync does not work until corrected, which can result in a number of negative side effects such as import and live upgrade failures.

Workaround:
On the active controller, run:

echo get_state | nc -U /var/ccsync.unix

If output is "standby", run:

echo stop | nc -U /var/ccsync.unix
echo start_active | nc -U /var/ccsync.unix

Fix:
Fixed intermittent issue where controller sync could enter an erroneous double standby configuration.

1128973 : System fails to log-rotate some log files

Links to More Info: BT1128973

Component: F5OS-C

Symptoms:
The system fails to log-rotate some files:

/var/F5/partition<partition ID>/log/httpd/*
/var/F5/partition<partition ID>/log/trace/*
/var/F5/partition<partition ID>/log/webui/*


Files named similar to the following in the partition's log directory:

localhost:8008.access.1.1.1.1.1.1.1.1.1.1.1.1

Conditions:
VELOS chassis partition.

Impact:
After files grow to a size where they are eligible for log rotation, the system fails to log-rotate them properly, resulting in files with a large number of trailing ".1"s.

Workaround:
None

1128877-1 : Mount command added to QKView collection

Links to More Info: BT1128877

Component: F5OS-C

Symptoms:
Mount command was not provided in QKView diagnostics file.

Conditions:
Always.

Impact:
Mount data is currently collected, but may be missing data provided by the mount command.

Workaround:
Run mount command on system and copy results from device.

Fix:
Mount command will be executed in QKView.

1128785 : DMA-Agent unable to update states if the FPGA enters a reboot-required state

Links to More Info: BT1128785

Component: F5OS-C

Symptoms:
The dma-agent is unable to update system diagnostic statistics tables regarding system traffic and tenant traffic.

Conditions:
When the FPGA enters a reboot-required state, the main dma-agent process is stuck and unable to continue updating statistics.

Impact:
With out these statistics being updated the source of the FPGA lock up is difficult for service and field engineers to diagnose.

Workaround:
None

1128765 : Data Mover lock-up causes major application traffic impact and tenant deploy failures

Links to More Info: BT1128765

Component: F5OS-C

Symptoms:
Major impact to BIG-IP tenant virtual server traffic. PoolMember health monitors fluctuate up and down, or remain down. LACP LAGs may go down.

Depending on which Data Mover (DM) is impacted, a subset of the BIG-IP tenant TMMs will no longer transmit packets. The LACP daemon will be unable to transmit its PDUs.

/var/F5/partition<n>/log/velos.log contains messages like these at the time the problem started:

  blade-1(p1) dma-agent[10]: priority="Alert" version=1.0 msgid=0x4201000000000129 msg="Health monitor detected DM Tx Action Completion ring hung." ATSE=0 DM=2 OQS=3.
  blade-1(p1) dma-agent[10]: priority="Info" version=1.0 msgid=0x4201000000000135 msg="Health monitor DM register dump requested.".
  blade-1(p1) dma-agent[10]: priority="Info" version=1.0 msgid=0x4201000000000137 msg="Health monitor DM register dump complete." FILE="agent-dump-1666310215.txt".


In the BIG-IP tenant, the tmctl sep_stats table shows high counts for tx_send_drops2 or tx_send_drops3 (over 10,000). In the output below, all of the TMMs with SEP devices on DM 2 are impacted, unable to transmit packets.


  # tmctl sep_stats --select=iface,dm,sep,atse_socket,tx_send_drops2,tx_send_drops3
  iface dm sep atse_socket tx_send_drops2 tx_send_drops3
  ------ -- --- ----------- -------------- --------------
  1/0.1 2 0 0 1180470 <-- 80068 <--
  1/0.10 2 9 0 0 33046 <--
  1/0.11 0 10 0 0 0
  1/0.2 0 1 0 0 0
  1/0.3 1 2 0 0 0
  1/0.4 2 3 0 0 33714 <--
  1/0.5 0 4 0 0 0
  1/0.6 1 5 0 0 0
  1/0.7 2 6 0 0 32980 <--
  1/0.8 0 7 0 0 0
  1/0.9 1 8 0 0 0

In the F5OS Partition CLI, the following command will show a high count of tx-action-ring-full drops. In the output below, DM 2 on blade-1 is impacted:

  default-1# show dma-states dma-state state dm-packets dm-packet * 2-3 tx-action-ring-full
                    TX ACTION
  NAME DM QOS RING FULL
  --------------------------------
  blade-1 0 2 0
           0 3 0
           1 2 0
           1 3 0
           2 2 65890377811 <--
           2 3 328664822594 <--
  merged 0 2 0
           0 3 0
           1 2 0
           1 3 0
           2 2 65890377811 <--
           2 3 328664822594 <--


After encountering this, subsequent attempts to deploy a tenant may fail until the blade is recovered, since the locked-up Data Mover is unable to free the memory it is holding for the impacted tenants.

Conditions:
Although the exact conditions are unknown, the problem is more likely to occur when standard virtual servers are configured to mirror traffic to the peer BIG-IP.

While L7 connection mirroring increases the risk, it is not a necessary condition.

Impact:
Significant or total loss of application traffic for BIG-IP tenant instances running on the affected blade. This impact could also affect tenant instances on other blades if the LACP LAGs are marked down.

Subsequent attempts to launch a new tenant or to stop and then start an existing one may fail.

Workaround:
To recover a device, determine which blade is affected by looking at the start the following dma-agent log message in /var/F5/partition<n>/log/velos.log:

  blade-1(p1) dma-agent[10]: priority="Alert" version=1.0 msgid=0x4201000000000129 msg="Health monitor detected DM Tx Action Completion ring hung." ATSE=0 DM=2 OQS=3.
  ^^^^^^^

Then, reboot the blade. This will shut down all tenant instances on the blade. Once the blade boots up, the tenants should run and pass traffic normally.

If the blade cannot be rebooted immediately, it may be possible to mitigate the problem for a multi-slot tenant by disabling the impacted slot to steer traffic to the remaining slots that are still healthy:

  # An example of disabling BIG-IP tenant slot 1
  tmsh modify sys cluster default members { 1 { disabled } }

Reducing the use of connection mirroring, especially for standard virtual servers, should reduce the likelihood of encountering this issue.

Fix:
This issue no longer occurs.

1126677 : Inconsistencies with time zones displayed in controller and log files

Component: F5OS-C

Symptoms:
System logs on F5OS systems are logged in a mix of the user's configured time zone (when available: controller/appliance) and UTC, depending on which log file you look at.

Conditions:
If user has a time zone configured that is different from UTC, the logs may show different times for log messages.

Impact:
Troubleshooting and tracing issues can be difficult, as the time zones used in different logs do not match.

Workaround:
N/A

Fix:
Fixed all controller, partition, and blade docker images to be cognizant of the relevant configured time zone for either the chassis or the partition. When a partition is created, it defaults to the configured chassis time zone, but is independently configurable thereafter.

1125505 : LOP communication may stop working on a system controller after failover

Links to More Info: BT1125505

Component: F5OS-C

Symptoms:
Various services may become unresponsive or not work correctly when communicating with the LOP.

Conditions:
This can happen rarely during failover of a system controller.

Impact:
Any functionality that interacts with the LOP could be impacted.

Workaround:
Reboot the affected system controller.

Fix:
Resolve a platform-hal LOP communication lockup that can occur due to a race condition.

1125349 : Changing the root password in appliance mode unlocks the root account

Links to More Info: BT1125349

Component: F5OS-C

Symptoms:
If the password of root is changed in appliance mode, it disables appliance mode.

Conditions:
Appliance mode is enabled.
Root password is changed using set-password API.

Impact:
Appliance mode is disabled.

Workaround:
Toggle appliance mode to enable it again.

Fix:
Appliance mode is not disabled and displays a message: "Info: The password has changed but appliance mode is enabled that blocks root login."

1124721 : LACPD process can restart due to some configuration changes

Links to More Info: BT1124721

Component: F5OS-C

Symptoms:
LACPD process restarts when any aggregation interface's lag-type is changed.

Conditions:
Configure any aggregation interface's lag-type to either STATIC or LACP.

Impact:
Existing LACP aggregations may go down and drop packets for a few seconds as the LACPD process starts back up.

Fix:
Configuring an aggregation interface's lag-type does not restart the LACPD process. Traffic will continue to pass as expected.

1123329-1 : F5OS sends LLDP PDUs with an erroneous VLAN tag.

Links to More Info: BT1123329

Component: F5OS-C

Symptoms:
LLDP PDUs transmitted by rSeries and VELOS platforms are erroneously encapsulated with a VLAN tag (VLAN ID 1).

Conditions:
LLDP is enabled and the TLV advertisement state of interfaces is configured for "tx" or "txrx".

Impact:
Since LLDP PDUs are expected to arrive as untagged frames, the peer switch may drop the frame. If so, it will not list the rSeries/VELOS device as an LLDP neighbor and it will not show any LLDP packets received on those interfaces.

Workaround:
N/A

Fix:
With the fix, F5OS internally generates egress LLDP PDUs with the default VLAN tag 4095, which the hardware strips as the frame egresses, resulting in an untagged frame on the wire.

1122829 : Bash history does not include timestamps for commands

Component: F5OS-C

Symptoms:
Bash 'history' does not include timestamps.

Conditions:
User is logged into a bash shell and runs the 'history' command.

Impact:
It is unclear when bash commands in 'history' were run.

Workaround:
N/A

Fix:
Bash history now includes timestamps for commands.

1122081-1 : BIG-IP tenants created before F5OS-C 1.5.1 or F5OS-A 1.3.0 may be allocated a smaller disk than required

Links to More Info: BT1122081

Component: F5OS-C

Symptoms:
If the BIG-IP tenant disk space is fully used by creating multiple software volumes within the tenant, it will generate disk errors.

Conditions:
- A tenant originally deployed from an “ALL-F5OS” tenant image (i.e., BIGIP-15.1.6.1-0.0.10.ALL-F5OS.qcow2.zip.bundle) originally created from one of the following:
 -- 14.1.5 or above in the 14.1.x branch of code
 -- 15.1.6.1 or above in the 15.1.x branch of code

- The tenant is configured to use 76G of disk space (the default)

Impact:
Software installs within the tenant may fail.

Workaround:
Beginning in F5OS-A 1.3.0, the system detects the minimum size of a disk created from a tenant image file, and enforces that minimum on newly-created tenants.

If a customer has a tenant affected by this issue and upgrades their system to F5OS-A 1.3.0 or later, set the tenant to "configured", and then deploy the tenant again.

If the disk size is not right, the system will show the minimum size, then adjust the tenant disk size to what is advised by the system or larger.

From 1.4.0, user does not need to adjust the size unless the user needs a bigger size.
The right/minimum size will be auto-allocated when the state is changed.

Fix:
The tenant disk size will be detected and auto-allocated.

Behavior Change:
There are two behaviors.

1.3.x: If the disk size is smaller than it has to be, it warns the user and doesn't start the tenant until the user specifies the right/minimum size.

1.4.0: It auto increases the size to the right/minimum size if the user didn't specify the disk size.

1117649-3 : rSeries Appliance inoperable after powering down from Linux while configured for Appliance mode

Links to More Info: K22954168, BT1117649

Component: F5OS-C

Symptoms:
If the rSeries device is powered down from Linux (for example, using 'halt -p', 'poweroff', or the 'shutdown' command) while in Appliance mode, the device becomes permanently disabled.

In this state, nothing external can be done to power on the Linux host, for example, cycling power, accessing the LCD Power on option, or pressing the Power button.

Trying to access the AOM menu from the serial console reports the following message:
 AOM Command Menu - disabled for security purposes.

Conditions:
-- Appliance mode is enabled (this is the state the 'appliance-setup-wizard' sets when it runs to completion).

-- The host is powered down (for example, using 'halt -p', 'poweroff', 'shutdown now', 'shutdown -P now', or 'shutdown -h now')

Impact:
The AOM command menu is not available to power on the host. A power cycle of the appliance does not power on the host.

The disabled appliance must be replaced.

Workaround:
***Important!***

If the BIG-IP rSeries appliance is configured for Appliance mode, do not power off the device using commands such as 'halt -p', 'poweroff', or 'shutdown'.

Instead, run 'halt' and then remove power from the system (for example, unplug, remove power brick, remove power from rack).

Note: If you have already encountered this issue, contact F5 Support :: https://www.f5.com/services/support to request an RMA. For more information, refer to K12882: Overview of the F5 RMA process :: https://support.f5.com/csp/article/K12882 .

Fix:
Appliance mode no longer disables the AOM menu, allowing access to power on the host command with console access to the appliance.

1117645-1 : Customer security policy requires disabling basic authentication

Component: F5OS-C

Symptoms:
F5OS by default enables basic authentication, meaning it allows users to perform create/modify/delete Restconf operations using basic authentication.

Conditions:
This is observed when the user tries to perform Restconf operations(except initial login) on F5OS using a username/password (basic authentication).

Impact:
This basic authentication violates some of the customer security policies.

Workaround:
N/A

1116869-3 : Tcpdump on F5OS does not capture packets of certain sizes

Links to More Info: BT1116869

Component: F5OS-C

Symptoms:
When using tcpdump on the F5OS host, packets of certain sizes may not be captured via tcpdump.

Conditions:
Tcpdump packets less than 1501 bytes and greater than 1483 bytes as well as several other ranges are affected by this issue.

Impact:
Tcpdumps may be incomplete.

Fix:
Packets of certain sizes are no longer dropped.

1116169-1 : WebUI does not inform users that file transfer status may take some time to return depending on various factors like network speed

Component: F5OS-C

Symptoms:
The webUI does not inform users that file transfer status may take some time to return depending on various factors like network speed, which could lead to some confusion.

Conditions:
Occasional delay in fetching file transfer status due to network speed and other factors.

Impact:
Missing clarity on file transfer success/failure.

Workaround:
If the user is not able to see the file transfer status immediately they will be able to see it automatically within 15 seconds, as there is continuous polling for the API.

Fix:
Informative text on the file import/export displays to align user expectations.

1113225 : The tcam-mgr neuron client disconnects

Links to More Info: BT1113225

Component: F5OS-C

Symptoms:
A tenant's neuron client connection to the tcam-mgr either disconnects without any indication to the tenant, or continually tries to re-establish this connection

Conditions:
When a tenant has greater than 512 virtual addresses with a wildcard virtual address (one that spans a vast domain of addresses), then the tenant restarts or the tenant's wildcard domain is not protected as would be expected.

Impact:
The protection for the client when not using Fast L4 will not be properly established.

Workaround:
Configure less than 512 virtual addresses or rely on software-only protection.

Fix:
The tcam-mgr can now receive and buffer any number of messages in a burst, and the disconnect will not happen.

1109345-1 : Intel CPU updates to resolve CVE-2022-21131, CVE-2022-21136, CVE-2022-21151, and CVE-2021-33117

Links to More Info: K43541501, BT1109345

1108309 : CVE-2021-33124, CVE-2021-33123 Intel BIOS vulnerabilities

Links to More Info: K55051330, BT1108309

1107613-2 : Enhance the LACP LAG data shown under the interface to take into account lacp state of the LACP LAG member

Links to More Info: BT1107613

Component: F5OS-C

Symptoms:
The data shown under the /interfaces/interface oper-state and lag-speed does not take into account the lacp state for LACP LAGs.
Prior to this change, the oper-status and speed were computed only based on port oper-data.
This was the original design, with the assumption that the user will collect data from lacp state and aggregate the two outputs.

Conditions:
Configuration of LACP LAGs.

Impact:
User has to collect output from two different sources to get accuracy on LACP LAG speed and oper status.

Workaround:
n/a

Fix:
After the fix, the LACP LAG data shown under the interfaces/interface takes into account both oper-status and lacp_state when computing the speed and LAG oper-status.

1104745 : Request for a webUI option to clear/reset the STP mode configuration

Component: F5OS-C

Symptoms:
On the webUI STP Configuration screen, the user does not have an option to clear STP mode once they have selected an STP mode.

Conditions:
User should have selected an STP mode.

Impact:
Once the STP mode is selected, the user does not have an option on the webUI to clear the selection.

Workaround:
None

Fix:
Added a new disabled option in STP mode selection. Selecting it will clear the previous STP mode selection.

1103773 : Interface stp_state is blocking even if the interface doesn't belong to any RSTP instance

Links to More Info: BT1103773

Component: F5OS-C

Symptoms:
Traffic outage when RSTP is enabled but there are no interfaces added to RSTP tree.

Conditions:
RSTP is enabled but there are no interfaces added to RSTP tree.

Impact:
Traffic outage.

Workaround:
Disable the RSTP.

1102765 : Blade is not in the Ready status in the cluster

Links to More Info: BT1102765

Component: F5OS-C

Symptoms:
Blade does not join the cluster.

[root@controller-2 ~]# oc get nodes
NAME STATUS ROLES AGE VERSION
blade-1.chassis.local NotReady compute 3h v1.11.0+d4cacc0
blade-2.chassis.local Ready compute 3h v1.11.0+d4cacc0
controller-1.chassis.local Ready infra,master 3h v1.11.0+d4cacc0
controller-2.chassis.local Ready infra,master 3h v1.11.0+d4cacc0

service failure messages on the blade console

May 11 00:11:28 blade-2.chassis.local platform-deployment[13130]: Job for var-mnt-chassis.mount failed. See "systemctl status var-mnt-chassis.mount" and "journalctl -xe" for details.

Conditions:
It happens intermittently and rarely on up/downgrade.

Impact:
The blade cannot join the cluster and cannot run any tenant.

Workaround:
Reboot the blade through the chassis partition CondfD.
CLI command:
cluster nodes node blade-X reboot
Where X is the slot number of the blade to reboot.

Fix:
When the symptom is detected, the monitoring script resets the blade NIC driver.

1102497-1 : Allow for encrypted key with passphrase

Component: F5OS-C

Symptoms:
Currently all OpenSSL keys are of type unencrypted which means that no passphrase is needed to use them. Although the keys are encrypted in ConfD, there is an insecure element in that the keys reside on the filesystem in the clear.

Conditions:
Always.

Impact:
There is no support for encrypted keys with a passphrase.

Fix:
With this new option added, keys with a passphrase are supported.

1101237-2 : When configured for SNMP, the system does not properly report a sysObjectID for the F5OS system

Links to More Info: BT1101237

Component: F5OS-C

Symptoms:
F5OS systems may not be detected by some management systems due to the wrong sysObjectID configuration in SNMP.

Conditions:
SNMP

Impact:
F5OS systems may not be detected by some management systems due to the wrong sysObjectID configuration in SNMP.

Fix:
The sysObjectIDs are correct now.

1100861-2 : System aaa primary-key state not returning both hash and status

Links to More Info: BT1100861

Component: F5OS-C

Symptoms:
Requesting both hash and status by the query command "system aaa primary-key state" fails.

Conditions:
When no key-migration has been performed.

Impact:
Requesting the status fails.

Workaround:
Perform a key migration.

Fix:
The fix allows the query of the system state and there is no failure, returning "NONE" if no key-migration was known to the system.

1096737-1 : zlib vulnerability CVE-2018-25032

Links to More Info: K21548854

1096729 : IP Fragments are disaggragated incorrectly

Links to More Info: BT1096729

Component: F5OS-C

Symptoms:
IP fragments are all sent to TMM0. They should be distributed to all TMMs.

Conditions:
IP fragment traffic.

Impact:
Higher than normal amount of traffic being sent to TMM0.

Fix:
Fixed in code.

1092037-1 : CVE-2021-4155 Linux Kernel Vulnerability

Links to More Info: K71080411

1091853 : CVE-2022-23308: libxml2 vulnerability

Links to More Info: K32760744, BT1091853

1090925 : Cannot repeat a call for QKView status with the ConfD command

Component: F5OS-C

Symptoms:
The ConfD command "system diagnostics qkview status" provides information only for the current QKView being gathered, but will only run once. The "repeat" option is not available for use.

Conditions:
When running "system diagnostics qkview status | <TAB>" to see a list of available output modifiers.

Impact:
The "repeat" modifier is not present when using tab autocomplete.

Workaround:
You can do a repeat manually by repeatedly calling "system diagnostics qkview status" until you have the information you are looking for.

Fix:
Running "show system diagnostics qkview state status | repeat <# of seconds>" will automatically call the status command every given number of seconds. You must type "ctrl+c" to manually exit out of this repeat call; otherwise, it will continue indefinitely.

1089037 : Dnsmasq configuration blocks resolution of names in .local domains

Links to More Info: BT1089037

Component: F5OS-C

Symptoms:
DNS resolution of names in .local domains will be blocked by the dnsmasq configuration.

Conditions:
Some domain names are in the .local domain.

Impact:
Name resolution of hostnames in the .local domain will not work correctly.

Workaround:
None

Fix:
Dnsmasq configuration has been updated to remove overly restrictive local=/local/ entry.

1085925 : SSH connection cannot be allowed/blocked based on source IP address

Component: F5OS-C

Symptoms:
There is no command in F5OS-A or F5OS-C that can be used to allow SSH connection only from specific (or range) IP addresses.

SSH connections are allowed from all source IP addresses.

Conditions:
F5 rSeries or VELOS platform

Impact:
Malicious users might be able to connect (SSH) to F5OS-A or F5OS-C device.

Workaround:
None

Fix:
The existing command "system allowed-ips allowed-ip ..." is enhanced to support SSH. The command can be used to specify source IP addresses that can establish SSH connection.

1085473 : Let OMD's controller-level QKView capture information for all kubevirt pods, regardless of which blade they are running on

Links to More Info: BT1085473

Component: F5OS-C

Symptoms:
Because the pods are running on the blades, the controller-level QKView does not collect any kubevirt log information, and the partition-level QKViews are not always guaranteed to collect kubevirt logs.

Conditions:
Before this fix:

controller-level qkview(No kubevirt logs have been collected)

partition-level qkview(It is not guaranteed that kubevirt logs have been collected)

Impact:
VELOS QKViews do not always collect desired data, potentially resulting in more requests for information in addition to QKView files.

Workaround:
Use command to check information manually:

step 1: Query all the pods in kubvirt namespace and print the first item in the line(pod name)

oc get pods -n kubevirt -o wide|grep -v NAME| awk '{print$1}'

step 2: Get all information about the pod you want

oc -n kubevirt describe pod/<pod name>

Fix:
Let OMD's controller-level QKView capture information for all kubevirt pods, regardless of which blade they are running on.

1085149 : Customer requires auth token session to be configurable

Component: F5OS-C

Symptoms:
The restconf token session was not configurable in both F5OS-C and F5OS-A.

Conditions:
F5OS-C or F5OS-A webUI.

Impact:
The customer experienced a fixed session timeout within one hour and the customer has to log in again to the webUI session.

Workaround:
N/A

Fix:
This issue is fixed in F5OS-C 1.6.0 and F5OS-A 1.3.0. Now the token session timeout is configurable for up to one day.

1084485 : INTEL-SA-00527 - Intel BIOS Vulnerabilities on VELOS CX410

Links to More Info: K08173228

1084481 : INTEL-SA-00527 - Intel BIOS Vulnerabilities on VELOS BX110

Links to More Info: K08173228

1083077-3 : LACP trunks are not configured automatically in BIG-IP tenant running on F5OS chassis/appliances

Links to More Info: BT1083077

Component: F5OS-C

Symptoms:
When an LACP trunk is configured on an F5OS chassis/appliance and only the native VLAN is attached, the LACP trunk will not be automatically configured on the BIG-IP tenant.

Conditions:
This behavior is observed only when the LACP trunk is attached to a native VLAN.

Impact:
LACP trunk configuration will not be applied to the BIG-IP tenant automatically when only a native VLAN is attached to it on the platform.

Workaround:
Configure the LACP trunk in the BIG-IP tenant manually.

Fix:
LACP trunks are now configured automatically in BIG-IP tenant running on F5OS chassis/appliances, as expected.

1081281 : Multi-node BIG-IP tenants may fail to cluster after rolling upgrade

Links to More Info: BT1081281

Component: F5OS-C

Symptoms:
BIG-IP tenant instances may fail to cluster after a rolling upgrade, due to the CHASSIS_SERIAL_NO being set incorrectly in the config-map that is used to deploy the tenant instance.

This can be seen in the "show tmsh sys cluster" output on the tenant showing the slots in a failed state:

root@(localhost)(cfg-sync Standalone)(/S1-green-P::Active)(/Common)(tmos)# show sys cluster
 
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 10.238.133.200/24
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 07/21/22 01:10:47
 
  -------------------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed high availability (HA) Clusterd Reason
  -------------------------------------------------------------------------------------------
  | 1 :: :: available enabled true active running Run
  | 2 :: :: offline enabled false unknown shutdown Slot Failed
  | 3 :: :: offline enabled false unknown shutdown Slot Failed
  | 4 :: :: offline enabled false unknown shutdown Slot Failed
  | 5 :: :: offline enabled false unknown shutdown Slot Failed
  | 6 :: :: offline enabled false unknown shutdown Slot Failed
  | 7 :: :: offline enabled false unknown shutdown Slot Failed
  | 8 :: :: offline enabled false unknown shutdown Slot Failed

This condition can verified by display the config map for a tenant instance and verifying that the CHASSIS_SERIAL_NO field is empty.

e.g.

From the system controller shell:

oc get cm -n partition-1 <tenant_name>-<blade_#>-configmap -o json | egrep CHASSIS

Bad Entry:
# oc get cm -n partition-1 bigiptenant1-1-configmap -o json | egrep CHASSIS; done
        "CHASSIS_SERIAL_NO": "",

Good Entry:
oc get cm -n partition-1 bigiptenant1-2-configmap -o json | egrep CHASSIS; done
        "CHASSIS_SERIAL_NO": "chs414616s",

Conditions:
This can happen during a rolling upgrade if the CHASSIS_SERIAL_NO field is not read correctly and the tenant instance is restarted as part of the rolling upgrade. This is an intermittent issue.

Impact:
If this issue occurs, one more instance of the tenant may not communicate correctly, which can cause some or all of the data plane to not function correctly, causing an outage.

Workaround:
1.) Set tenant(s) state to provisioned for BIG-IP, or configured for BIG-IP Next.
2.) Once the tenant(s) have stopped, disable the partition.
3.) Re-enable the partition.
4.) Set tenant(s) state back to deployed.

Fix:
N/A

1080041-1 : Newly installed license is getting replaced with old license after performing config-restore

Links to More Info: BT1080041

Component: F5OS-C

Symptoms:
When database config restore is performed, the system license was getting replaced with a license that is present in the backed up database file.

Conditions:
Config-restore is overwriting the system license.

Impact:
The system license will be removed and replaced with different license.

Workaround:
N/A

Fix:
The database operations like config-restore and reset-to-default do not remove the system license. When the database config-backup is performed, the license file won't be backed up into the backup file.

1078277 : Timing issue with blade reboot during partition startup

Links to More Info: BT1078277

Component: F5OS-C

Symptoms:
A timing issue occurs when a user creates multiple partitions and adds multiple slots to those partitions. When a user creates and configures multiple pieces of hardware in a short amount of time, the later partitions/blades don’t always get the correct values.

Conditions:
1. Create multiple partitions and assign multiple separate slots to each partition, initially disabled.
2. Wait for all the blades to reboot completely.
3. Set the blade's software version to a different version.
4. Enable all the partitions from step 1 in a single commit.
5. Wait for the blades to reboot and for the partitions to start.

Impact:
Some partitions/blades might have the wrong version after upgrading.

Workaround:
Reboot each blade with the wrong version manually after the partition is enabled.

Fix:
The timing issue has been resolved.

1074093-1 : Admin console is displayed when SSH login with a new root user★

Links to More Info: BT1074093

Component: F5OS-C

Symptoms:
Non-root user is allowed to get root role. If any such user exist, they get an admin console instead of root console.

Conditions:
A new non-root user is created with root role.
Example :
appliance-1(config)# system aaa authentication users user user_test config username user_test role root

Impact:
non-root user with role root is restricted.

Note: In case of live upgrade from previous to current release, any non-root user with root role may cause upgrade to fail (as non-root users with root role are restricted), and you will need to either delete these users or do a bare metal install before performing a live upgrade.

Fix:
Current fix prevents creation of a non-root user with root role.

1072105 : Unable to deploy more than two instances on single blade in VELOS chassis

Links to More Info: BT1072105

Component: F5OS-C

Symptoms:
Deployment fails attempting to deploy more than two instances on a single blade in a VELOS chassis.

Conditions:
Attempting to deploy more than two instances on a single blade

Impact:
Deployment of the third instance fails.

This release supports only two instances on a single blade.

Workaround:
None

1055789 : Apache vulnerability CVE-2021-40438

Links to More Info: K01552024, BT1055789

1053793 : QKView list and status results are difficult to parse

Component: F5OS-C

Symptoms:
The QKView list and status commands return output that can be difficult to read.

Example 1 :: running the command: system diagnostics qkview list:

frodo# system diagnostics qkview list
result {"Qkviews":[{"Filename":"appliance-1.qkview","Date":"2022-06-15T22:59:57.704997979Z","Size":320434703},{"Filename":"cancelme.tar.canceled","Date":"2022-04-28T17:22:10.411870757Z","Size":3734340},{"Filename":"duplicate.qkview","Date":"2022-08-10T20:40:10.966027168Z","Size":490039715},{"Filename":"test.qkview","Date":"2022-06-15T23:21:23.068041954Z","Size":321199668},{"Filename":"test2.qkview","Date":"2022-07-13T19:01:32.712663042Z","Size":416706874},{"Filename":"teststatus.qkview","Date":"2022-08-23T23:27:19.283797639Z","Size":530892644}]}

resultint 0


This output is easier to parse:

FILENAME SIZE CREATED ON
------------------------------------------------------------------
teststatus.qkview 530892644 2022-08-23T23:27:19.283797639Z
duplicate.qkview 490039715 2022-08-10T20:40:10.966027168Z
test2.qkview 416706874 2022-07-13T19:01:32.712663042Z
test.qkview 321199668 2022-06-15T23:21:23.068041954Z
appliance-1.qkview 320434703 2022-06-15T22:59:57.704997979Z
cancelme.tar.canceled 3734340 2022-04-28T17:22:10.411870757Z

Example 2 :: running the command: system diagnostics qkview status:

result {"Busy":false,"Percent":100,"Status":"complete","Message":"Completed collection.","Filename":"teststatus.qkview"}

resultint 0


This output is easier to parse:
system diagnostics qkview state status capture-in-progress false
system diagnostics qkview state status percentage 100
system diagnostics qkview state status status-msg "Completed collection."
system diagnostics qkview state status filename teststatus.qkview

Conditions:
- Running "system diagnostics qkview list" within the CLI
- Running "system diagnostics qkview status" within the CLI

Impact:
Formatting of output makes troubleshooting more difficult.

Workaround:
None

Fix:
QKView output formatting is improved and easier to read, utilizing new commands.

To see a list of QKView files, use the following command within the CLI:
show system diagnostics qkview state files

To see the current status of a captured QKView, use the following command within the CLI:
show system diagnostics qkview state status

1052821 : Apache HTTPD vulnerability CVE-2021-34798

Links to More Info: K72382141, BT1052821

1049737 : F5OS: Some members in LACP trunks may not stand up

Links to More Info: BT1049737

Component: F5OS-C

Symptoms:
When configuring an LACP trunk (aggregate link), if the trunk has interfaces on multiple blades, some members of the trunk may not join the trunk, and the peer layer-2 switch may produce warnings stating that the LACP members are not all on the same remote device.

In addition, after enabling debug logging for the lacpd daemon, messages will be seen from both blades that indicate the value of "actor_oper_key". These values should be the same for all the ports within the same LACP trunk, but in this situation, the debug output may show different values for ports on different blades.

Conditions:
- VELOS chassis
- LACP trunk with member interfaces on multiple blades

Impact:
One or more ports in the LACP trunk (aggregate link) will not be able to join the trunk.

Workaround:
Restart the LACPD container on each blade in the affected partition.

For example, if the partition consists of slots 1 and 2, log in as root to the controller, and run the following command:

   for i in 1 2; do ssh blade-$i docker restart lacpd ; done

1044645 : openssl: Read buffer overruns processing ASN.1 strings

Links to More Info: K19559038, BT1044645

1034093-8 : protobuf vulnerability: CVE-2021-3121

Component: F5OS-C

Symptoms:
A flaw was found in github.com/gogo/protobuf before 1.3.2 that allows an out-of-bounds access when unmarshalling certain protobuf objects.

Conditions:
- Unmarshalling protobuf objects

Impact:
This flaw allows a remote attacker to send crafted protobuf messages, causing panic and resulting in a denial of service. The highest threat from this vulnerability is to availability.

Workaround:
N/A

Fix:
Protobuf updated to mitigate CVE-2021-3121

• The F5 Networks Technical Support website: http://www.f5.com/support/
• The MyF5 website: https://my.f5.com/manage/s/
• The F5 DevCentral website: http://devcentral.f5.com/

Generated: Tue Oct 17 16:20:11 2023 UTC

©2023 F5, Inc. All rights reserved.