2106705-1 : CVE-2025-22868: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws

Component: F5OS-C

Symptoms:
A flaw was found in the golang.org/x/oauth2/jws package in the token parsing component. This vulnerability is made possible because of the use of strings.Split(token, ".") to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of . characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.

Conditions:
Occurs when an affected version of the golang.org/x/oauth2/jws package is present and used for JWT token parsing.

Impact:
The affected service may experience elevated memory usage or degraded performance when handling specific input data.

Workaround:
NA

Fix:
The issue has been addressed by removing the unused golang.org/x/oauth2/jws service from F5OS.

2078485-1 : ServiceCatalogInstall status may show as failed in "show cluster"

Links to More Info: BT2078485

Component: F5OS-C

Symptoms:
Due a race condition on update the apiserver certificate during upgrade, the ServiceCatalogInstall status in the "show cluster" output may show as failed.

Conditions:
This can happen on upgrade from a pre 1.8.1-EHF-6 release to 1.8.1-EHF-6.

Impact:
The ServiceCatalogInstall status in the "show cluster" output will show as failed, and several pods may show in error state.

Workaround:
As the root user from the active controller:
docker exec orchestration_manager sed -i.bak s/force=0/force=1/ /usr/omd/scripts/check_apiserver_certs.sh; sleep 300; docker exec orchestration_manager sed -i.bak s/force=1/force=0/ /usr/omd/scripts/check_apiserver_certs.sh

This will cause orchestration-manager to re-run the certificate updates, which will re-run the ServiceCatalogInstall playbook and fix the status in show cluster

Fix:
Orchestration-manager has been updated to wait until rolling upgrade is done before updating the apiserver certificate.

2078301-3 : dagd may crash if a malicious message is sent from the tenant

Links to More Info: K000156796, BT2078301

2063565-3 : CVE-2022-23219: glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname

Links to More Info: K52308021

2063545-3 : CVE-2022-23218: glibc: Stack-based buffer overflow in svcunix_create via long pathnames

Links to More Info: K52308021

2063201-2 : Authentication of LDAP Remote user in AD server may fail

Links to More Info: BT2063201

Component: F5OS-C

Symptoms:
LDAP Remote user authentication in F5OS may fail when the Unix attributes is set to false.

Conditions:
If LDAP authentication is configured with an Active Directory (AD) server, remote users will not be able to authenticate successfully on F5OS.

Impact:
Remote user may not be able to login to F5OS.

Workaround:
None

2050801-1 : CVE-2017-16539 docker: The DefaultLinuxSpec function does not block /proc/scsi pathnames

Component: F5OS-C

Symptoms:
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

Conditions:
The Docker engine version is earlier than 1.13.1 and
Docker containers are started with capabilities that allow write access to /proc/scsi/scsi.

Impact:
Containers with sufficient privileges could potentially remove SCSI devices from the host system, resulting in data loss or device unavailability.

Workaround:
NA

Fix:
This vulnerability is not present in Docker version v1.13.1 or later.

2050793-1 : CVE-2024-36623 moby: Race Condition in Moby's streamformatter Package

Component: F5OS-C

Symptoms:
A flaw was found in Moby's streamformatter package. This vulnerability allows data corruption or application crashes via multiple concurrent write operations triggered by a race condition

Conditions:
NA

Impact:
Users may experience data inconsistencies or unexpected termination of the application when concurrent write operations are invoked under specific runtime conditions.

Workaround:
NA

Fix:
This issue has been addressed with a fix

2049845-1 : OPT-0056 100G link intermittently fails to come up after reboot or hot plug insertion due to incorrect Media Side FEC programming

Component: F5OS-C

Symptoms:
An OPT-0056 100G link intermittently fails to come up after a reboot or hot plug insertion.

Conditions:
Having an OPT-0056 100G link and after a system reboot or hot plug inserts the optic into the system.

Impact:
Intermittent link issues.

Workaround:
None

2047717-2 : PlatformStatsBridge process crash

Links to More Info: BT2047717

Component: F5OS-C

Symptoms:
The PlatformStatsBridge process crashes on SIGSEGV, creates a core file. The associated Docker container goes into "Exited" state.

SNMP failures and webUI errors occur, indicating the server or underlying service is unreachable.

Conditions:
Issue occurs occasionally, when an snmp request tries fetching diskUsagePercentage on platform stats.

Impact:
The Docker container does not restart automatically as expected.

Workaround:
None

Fix:
The support for diskUsagePercentage MIB has been reverted.

2046597-2 : Setting the primary key on VELOS will intermittently cause a failover and primary key inconsistency

Links to More Info: BT2046597

Component: F5OS-C

Symptoms:
When performing a "system aaa primary-key set" operation, sometimes the controller will fail over prior to updating the database values, resulting in an inconsistent decryption key. The set key operation remains in 'IN_PROGRESS' and does not recover.

Conditions:
Retry timing problem in the key retrieval logic sometimes causes the database to hang for over 30 seconds during configuration reload, resulting in the hardware watchdog expiring and causing a failover.

Impact:
Configuration database will not be usable, partitions will not start correctly. System must be restored from backup.

Workaround:
Prior to attempting to change the primary-key, ensure that a controller, partition, and tenant backups with a known primary-key are available. If the problem occurs, perform a "system database reset-to-default", reset the primary key to the previous known value corresponding to the backup and restore the backups.

Fix:
Setting the primary key does not cause a failover.

2034889-1 : Blade interface presence/stats are getting wiped because of bad power event during system controller failover

Links to More Info: BT2034889

Component: F5OS-C

Symptoms:
After inserting a blade in the chassis, the blade interface state may be wiped out on the next system controller failover.

Interfaces will be shown as "NOT_PRESENT" even though the blade is present and running.


default-1# show interfaces interface state oper-status
NAME OPER STATUS
--------------------
1/1.0 DOWN
1/2.0 DOWN
2/1.0 NOT_PRESENT
2/2.0 NOT_PRESENT
3/1.0 DOWN
3/2.0 DOWN

Conditions:
Physically inserting a blade in the chassis, followed by a controller failover after the blade finishes booting.

Impact:
After the controller failover, the incorrect 'power off' event causes the partition software to erase the blade dataplane state, resulting in the blade dataplane being inoperative.

Workaround:
To avoid the issue:

After inserting a blade in the chassis, cause a controller failover and then reboot the blade.

To recover if the problem is encountered:

Reboot the blade.

Fix:
Inaccurate power events are not generated during system controller failover.

2034665 : F5 VELOS BX520 ATSE firmware v75.3.25.00

Links to More Info: BT2034665

Component: F5OS-C

Symptoms:
F5 VELOS BX520 ATSE firmware v75.3.25.00

Conditions:
F5 VELOS BX520 Platform

Impact:
Not applicable.

Workaround:
None

Fix:
Fixes disaggregation issue. See ID2034661 for more information.

2034661-2 : BX520 blade eDAG masking issue causes redirections with ipv6-prefix-len not equal to 128.

Component: F5OS-C

Symptoms:
This issue can cause lower overall system performance because of bad disaggregation to service endpoint. Host software recognizes that packets are not at the correct endpoint and redirects the packets to the correct endpoint. The extra packet hop can cause lower overall system performance.

Conditions:
ipv6-prefix-len not equal to 128.

ATSE v75.3.23.00 or earlier.

Impact:
Variable packet performance and latency impact.

Workaround:
Update to ATSE v75.3.25.00 or newer bitstream release for BX520 blade.

Fix:
Logic bug in disaggregation masking found and fixed in ATSE v75.3.25.00 bitstream release for BX520 blade.

2016349-1 : IPv6 NDP Neighbor Advertisements may get dropped at the VELOS platform layer when tenant transitions from Standby to Active during a failover

Links to More Info: BT2016349

Component: F5OS-C

Symptoms:
-- Some IPv6 NDP Neighbor Advertisements (NA) from a tenant does not egress the VELOS platform when the tenant becomes active during failover.

-- When a failover occurs, drop_pkt_cnt increases when observing the counters from the controller using the following command:

  for i in blade-{1,2}; do echo $i; echo '====='; ssh $i docker exec -i partition_fpga fpgatool -c ＼"nsms hdp_drop_pkt_cnt 1＼"; done

Conditions:
-- Tenant running on VELOS v1.8.1, v1.8.2.
-- IPv6 floating self-IPs and many IPv6 floating virtual addresses are configured in VLANs on the tenant.
-- Failover occurs.

Impact:
Upstream devices do not receive the IPv6 NDP NAs that should have indicated that the new tenant has taken over for the affected IPv6 addresses.

Workaround:
None

2008753-4 : Privilege Escalation to Admin via SSH Port Forwarding

Links to More Info: K000156771

2008505-2 : F5OS SCP hardening

Links to More Info: K000156771

2000389-1 : CVE-2018-10105 - tcpdump: SMB data printing mishandled

Links to More Info: K000156675

1999777-1 : CVE-2018-10103 - tcpdump: SMB data printing mishandled

Links to More Info: K000156675

1997485 : CVE-2019-5736 runc: Execution of malicious containers allows for container escape and access to host filesystem

Links to More Info: K46421255

1996657-1 : CVE-2022-2817 vim: heap use-after-free in string_quote() at src/strings.c

Component: F5OS-C

Symptoms:
A use-after-free vulnerability was found in Vim in the string_quote function in the strings.c file. This issue occurs because an already freed memory is used when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the use-after-free, causing the application to crash, possibly executing code and corrupting memory.

Conditions:
vim prior to 9.0.0212

Impact:
May trigger a use-after-free condition

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1996609-1 : CVE-2022-3296 vim: out-of-bound write in function ml_append_int

Component: F5OS-C

Symptoms:
A stack-based buffer overflow vulnerability was found in vim's ex_finally() function of the src/ex_eval.c file. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a bug that causes an application to crash, possibly executing code and corrupting memory.

Conditions:
NA

Impact:
Users may observe unexpected termination or memory inconsistency during editing or buffer operations.

Workaround:
NA

Fix:
This issue has been adressed with a fix

1996593-1 : CVE-2022-3234 vim: Heap-based Buffer Overflow

Component: F5OS-C

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.

Conditions:
NA

Impact:
The vim process may exit unexpectedly or produce inconsistent runtime behavior during editing.

Workaround:
NA

Fix:
The issue had been addressed with a fix

1996585-1 : CVE-2022-2816 vim: out-of-bounds read in check_vim9_unlet() at src/vim9cmds.c

Component: F5OS-C

Symptoms:
An out-of-bounds read vulnerability was found in Vim in the check_vim9_unlet function in the vim9cmds.c file. This issue occurs because of invalid memory access when compiling the unlet command when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the out-of-bounds read, causing the application to crash, possibly executing code and corrupting memory.

Conditions:
vim prior to 9.0.0211

Impact:
May trigger an out-of-bounds read

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1996529-1 : CVE-2022-2210 vim: out-of-bound write in function ml_append_int

Component: F5OS-C

Symptoms:
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.

Conditions:
vim prior to 8.2

Impact:
Could trigger an out-of-bounds write

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1996329-1 : CVE-2022-2580 vim: Out-of-bounds Read in vim

Component: F5OS-C

Symptoms:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.

Conditions:
vim prior to 9.0.0102

Impact:
May trigger a heap buffer overflow

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is fixed in vim-minimal-2:9.1

1996193-1 : CVE-2022-2285 vim: integer overflow in del_typebuf() at getchar.c

Component: F5OS-C

Symptoms:
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.

Conditions:
vim prior to 9.0.

Impact:
May trigger an integer overflow or wraparound

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995929-1 : CVE-2023-0433 vim: reading past the end of a line when formatting text

Component: F5OS-C

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.

Conditions:
NA

Impact:
Users may experience unexpected program termination or inconsistent runtime behavior when performing specific input processing or editing operations under certain conditions.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1995773-1 : CVE-2022-3256 vim: use-after-free in movemark() at mark.c

Component: F5OS-C

Symptoms:
A heap use-after-free vulnerability was found in vim's movemark() function of the src/mark.c file. This issue occurs because vim uses freed memory when 'autocmd' changes the mark. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap use-after-free that causes an application to crash, possibly executing code and corrupting memory.

Conditions:
NA

Impact:
Users may observe unexpected termination of the application, or internal memory inconsistencies, which under certain conditions could lead to unpredictable behavior beyond the editing session

Workaround:
NA

Fix:
The issue had been addressed with a fix

1995661-1 : CVE-2023-0512 vim: divide by zero in adjust_skipcol() at move.ca

Component: F5OS-C

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.

Conditions:
NA

Impact:
Users may encounter unexpected program termination when window width becomes very narrow under certain input conditions.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1995613-1 : CVE-2022-2207 vim: heap-based buffer overflow in function ins_bs

Component: F5OS-C

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Conditions:
vim prior to 8.2.

Impact:
May result in a heap-based buffer overflow

Workaround:
Do not open untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995465-1 : CVE-2022-2889 vim: use-after-free in find_var_also_in_script() in evalvars.c

Component: F5OS-C

Symptoms:
A use-after-free vulnerability was found in Vim in the find_var_also_in_script function in the evalvars.c file. This issue occurs because an already freed memory is used when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the use-after-free, causing the application to crash, possibly executing code and corrupting memory.

Conditions:
NA

Impact:
Users may observe unexpected termination of the process

Workaround:
NA

Fix:
The issue has been adressed by improving internal memory handling for specific input conditions

1995445-1 : CVE-2022-2287 vim: out of bounds read in suggest_trie_walk() at spellsuggest.c

Component: F5OS-C

Symptoms:
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.

Conditions:
vim prior to 9.0

Impact:
May trigger an out-of-bounds read

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995353-1 : CVE-2022-2581: vim: Out-of-bounds Read in vim src/regexp.c

Component: F5OS-C

Symptoms:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.

Conditions:
vim prior to 9.0.0104

Impact:
May trigger a heap buffer overflow

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995349-1 : CVE-2022-2571 vim: Heap-based Buffer Overflow in vim

Component: F5OS-C

Symptoms:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.

Conditions:
vim prior to 9.0.0101

Impact:
May trigger a heap buffer overflow

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995341-1 : CVE-2022-3352 vim: use after free

Component: F5OS-C

Symptoms:
Use After Free in GitHub repository vim/vim prior to 9.0.0614.

Conditions:
NA

Impact:
Users may observe unexpected termination of vim or internal memory inconsistencies during buffer operations.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1995337-1 : CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension

Component: F5OS-C

Symptoms:
A flaw was found in golang.org. In x/text, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension.

Conditions:
NA

Impact:
may cause a panic with "index out of range"

Workaround:
NA

Fix:
We are not using the package

1995157-1 : CVE-2022-2182 vim Heap-based Buffer Overflow

Component: F5OS-C

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Conditions:
vim prior to 8.2.

Impact:
Could lead to a heap-based buffer overflow

Workaround:
Avoid opening files from untrusted sources

Fix:
This issue is addressed in vim-minimal-2:9.1

1995097-1 : CVE-2022-2125 vim Heap-based Buffer Overflow

Component: F5OS-C

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Conditions:
A vulnerable version of vim (prior to 8.2)

Impact:
Could result in a heap-based buffer overflow

Workaround:
Avoid opening untrusted or unknown files with vulnerable versions of vim.

Fix:
The issue is resolved in vim-minimal-2:9.1

1995077-1 : CVE-2022-2601 grub2: Buffer overflow in grub_font_construct_glyph() can lead to out-of-bound write and possible secure boot bypass

Component: F5OS-C

Symptoms:
A flaw was found where a maliciously crafted pf2 font could lead to an out-of-bounds write in grub2. A successful attack can lead to memory corruption and secure boot circumvention.

Conditions:
NA

Impact:
May trigger an out-of-bounds write

Workaround:
Avoid using untrusted or unknown pf2 font files

Fix:
Resolved by upgrading grub

1995037-1 : CVE-2022-3705 vim: a use after free in the function qf_update_buffernt

Component: F5OS-C

Symptoms:
A use-after-free vulnerability was found in Vim in the find_var_also_in_script function in the evalvars.c file. This issue occurs because an already freed memory is used when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the use-after-free, causing the application to crash, possibly executing code and corrupting memory.

Conditions:
NA

Impact:
Users may observe unexpected termination of vim or internal memory inconsistencies during quickfix buffer operations.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1994969-1 : CVE-2022-2946 vim-minimal-7.4.629-6.el7.x86_64.rpm: Use After Free in GitHub repository vim/vim prior to 9.0.0246

Component: F5OS-C

Symptoms:
A flaw was found in vim, where it is vulnerable to a use-after-free in the vim_vsnprintf_typval function. This flaw allows a specially crafted file to crash a program, use unexpected values, or execute code.

Conditions:
This issue can manifest when vim is used in workflows that handle dynamic input evaluation or formatted string operations.

Impact:
Users might see vim exit unexpectedly or behave inconsistently in those workflows.

Workaround:
NA

Fix:
The issue has been adressed

1994953-1 : CVE-2022-2284 vim: out of bounds read in utfc_ptr2len() at mbyte.c

Component: F5OS-C

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.

Conditions:
vim prior to 9.0.

Impact:
May trigger a heap-based buffer overflow

Workaround:
Do not open untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1994929-1 : CVE-2022-2819 vim: heap buffer overflow in compile_lock_unlock() at src/vim9cmds.c

Component: F5OS-C

Symptoms:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.

Conditions:
vim prior to 9.0.0210

Impact:
A specially crafted input file may trigger a heap buffer overflow.

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1994669-1 : CVE-2023-0051 vim: heap-based buffer overflow in msg_puts_printf() in message.c

Component: F5OS-C

Symptoms:
A heap-based buffer overflow was found in Vim in the msg_puts_printf function in the message.c file. The issue occurs because of an invalid memory access when calculating the length of a string when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the heap-based buffer overflow, causing the application to crash.

Conditions:
NA

Impact:
Users may observe unexpected termination of vim or memory inconsistencies during message formatting operations.

Workaround:
https://access.redhat.com/security/cve/cve-2023-0051

Fix:
This issue has been addressed with a fix

1994517-1 : CVE-2022-2126 vim: out of bounds read in suggest_trie_walk()

Component: F5OS-C

Symptoms:
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

Conditions:
vim prior to 8.2

Impact:
Could lead to an out-of-bounds read

Workaround:
Do not open untrusted or unknown files

Fix:
This issue is fixed in vim-minimal-2:9.1

1994465-1 : CVE-2022-2862 vim: heap use-after-free in generate_PCALL() at src/vim9instr.c

Component: F5OS-C

Symptoms:
Use After Free in GitHub repository vim/vim prior to 9.0.0221.

Conditions:
vim prior to 9.0.0221.

Impact:
Successful exploitation may trigger a use-after-free condition

Workaround:
Do not open untrusted or unknown files

Fix:
This issue is addressed in vim-minimal-2:9.1

1994449-1 : CVE-2023-0054 vim-minimal-7.4.629-6.el7.x86_64.rpm: Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.

Component: F5OS-C

Symptoms:
An out-of-bounds write flaw was found in Vim, in the do_string_sub function in the eval.c file. The issue occurs because of an invalid memory access due to a missing check of the return value of the vim_regsub function when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file to trigger the out-of-bounds write, causing the application to crash.

Conditions:
NA

Impact:
Users may experience unexpected termination of vim or internal inconsistencies during substitution operations.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1993253-1 : VOQs don't recover after window error on own slot

Links to More Info: BT1993253

Component: F5OS-C

Symptoms:
Traffic outage after a VOQ window error occurs on a the blade's own slot.
The VQF_CORE_GLOBAL_ACTIVE_BLADES_REG (0x1024) on the blade will not have the bit for itself asserted.

Conditions:
VOQ window error occurs on a the blade's own slot.

Impact:
Traffic outage.

Workaround:
Reboot the blade with the VOQ window error.

1992749-3 : F5 VELOS BX520 TAM firmware v73.80.18.66

Links to More Info: BT1992749

Component: F5OS-C

Symptoms:
F5 VELOS BX520 TAM firmware v73.80.18.66

Conditions:
F5 VELOS BX520 Platform.

Impact:
Not applicable.

Workaround:
None

Fix:
Fixes issue with 4x100G mode. See ID1983021 for more information.

1987113-3 : System uptime misreported when uptime is 7 days or more

Links to More Info: BT1987113

Component: F5OS-C

Symptoms:
The "show system uptime" command and uptime reported for controllers and blades in the F5OS GUI will report incorrect uptime values when it has an uptime that is 7 days or more, e.g.:

[root@controller-1:Active ~]# f5sh show system uptime
NAME UPTIME
---------------------------------
controller-1 0d, 21h, 36m, 55s
controller-2 3d, 5h, 37m, 27s

[root@controller-1:Active ~]# uptime
 15:41:54 up 21 days, 21:36, 1 user, load average: 6.73, 7.01, 6.56
[root@controller-1:Active ~]#

Conditions:
- VELOS system

Impact:
The "show system uptime" command output fails to include the number of weeks of uptime.

Workaround:
Log into the system as root and run "uptime" on the appropriate system controller or blade.

1983021-3 : No egress traffic from front-panel interface for port 1/2.1 in 4x100G mode on CX1610/BX520 blades

Component: F5OS-C

Symptoms:
Symptom is no traffic from front-panel interface for port 1/2.1 in 4x100G mode.

Conditions:
CX1610/BX520 blade front panel ports have to be configured in 4x100G mode.

Impact:
Loss of traffic routed to front panel.

Workaround:
This has been fixed with a TAM bitfile update in F5OS-C-1.8.1 EHF2 and newer.

This issue is fixed in TAM FPGA bitfile version 73.80.18.66 and newer.

Fix:
FPGA logic bugfix.

The 'enable' bit of ports 1.x were also connected to ports 2.x. We also discovered a problem with port filtering that can cause wrong routing.

Both problems are fixed in TAM FPGA bitfile version 73.80.18.66 (or newer).

1970817-1 : Can't upgrade F5OS-C 1.8.x FIPS-licensed chassis to F5OS 2.x★

Links to More Info: BT1970817

Component: F5OS-C

Symptoms:
On F5OS-C-1.8.0 and 1.8.1, the "check-version-fips" and "set-version-fips" commands fail with a compatibility check failure.

Conditions:
Upgrade chassis from 1.8.0 or 1.8.1 to 2.0 or later w/ FIPS licensed.

Impact:
Cannot upgrade to F5OS 2.x

Workaround:
None

Fix:
Upgrade compatibility check succeeds.

1966945-1 : High CPU or increased translation errors following upgrade or restart when DAG distribution changes

Component: F5OS-C

Symptoms:
Dagv2 tables are randomized and may change when a tmm is restarted. This can result in a change of traffic distribution, which in some cases may lead to traffic disruption.

The specific condition when this option was introduced is using a CGNAT pool that is not large enough.

Conditions:
- tmm is restarted (or chassis rebooted)

Impact:
- dag distribution changes which may cause a traffic disruption.

Workaround:
You can restart tmm until the distribution is good, which can be checked using tools like cmp_dest.

Fix:
ID 1966941 added two DB variables to control dagv2 behavior -

sdag.runtime.hashtable
sdag.runtime.mirror.hashtable.

This adds F5OS-side support to this solution.

1965629-1 : SSH configuration file on the active controller can be corrupted

Component: F5OS-C

Symptoms:
It is possible that the SSH configuration file on the active controller can become corrupted.

Conditions:
The SSH configuration file is not protected correctly from the multi-threaded orchestration-manager process.

Impact:
Host names that do not correspond to the correct IP addresses are observed.

Workaround:
The corrupted configuration file required to be fixed manually.

Fix:
This issue is fixed.

1962261-6 : The controller-manager pods can enter CrashLoopBackOff due to expired API server certificate★

Links to More Info: BT1962261

Component: F5OS-C

Symptoms:
After a controller restart, controller-manager pods enter CrashLoopBackOff state, if the API server certificate has expired.

Conditions:
API server certificate is expired and a controller is rebooted.

Impact:
The controller-manager pods crash repeatedly and new blades can not be added.

Workaround:
To check if cert is expired:
oc get secret apiserver-ssl -n kube-service-catalog -o jsonpath='{.data.tls＼.crt}' | base64 --decode | openssl x509 -noout -enddate

As the root user:
[root@controller-1(velos.system):Active ~]# docker exec -it orchestration_manager bash
bash-4.2# ansible-playbook -v -i /tmp/omd/etc_ansible_hosts playbooks/openshift-service-catalog/config.yml

This script takes about 5 minutes to run and then the pods are fixed

1959845-2 : CVE-2022-48340: glusterfs: heap use-after-free in dht_setxattr_mds_cbk() in dht-common.c

Component: F5OS-C

Symptoms:
A flaw was found in Gluster, where GlusterFS is vulnerable to a denial of service caused by an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free. By sending a specially-crafted request, a remote attacker can cause a denial of service.

Conditions:
NA

Impact:
Clients may experience service interruption or unexpected termination of GlusterFS in certain operating scenarios.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1953653-1 : cve-2022-27406: Freetype: Segmentation violation via FT_Request_Size

Links to More Info: K000141126

1953617-1 : CVE-2019-2201 libjpeg-turbo: several integer overflows and subsequent segfaults when attempting to compress/decompress gigapixel images

Component: F5OS-C

Symptoms:
In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-120551338

Conditions:
NA

Impact:
The image processing component may experience instability or process termination when handling very large image data.

Workaround:
NA

Fix:
The issue has been resolved by removing the unused libjpeg-turbo package from the product image.

1953601-1 : CVE-2020-13790 buffer overflow in libjpeg-turbo 2.0.4, and mozjpeg 4.0.0.

Component: F5OS-C

Symptoms:
libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

Conditions:
NA

Impact:
The image processing component may terminate unexpectedly or exhibit unstable behavior when handling specific image inputs.

Workaround:
NA

Fix:
The issue has been addressed by removing the unused libjpeg-turbo and mozjpeg packages from the product image.

1952797-2 : Partitions can leave stale tenant pods when controller configuration reset to default is issued★

Component: F5OS-C

Symptoms:
Partition tenants that are configured with slots greater than max-nodes can fail to come back when resetting the controller configuration and restoring it back via save configuration for controller and partition.

Conditions:
Occurs typically when
- Partition with ID 1
- Tenant uses virtual slots that do not match the physical slot.
- Controller reset-to-default is issued

Impact:
Stale tenant pods for partition 1 tenants will still show after restoring the controller configuration and partition configuration, but the impacted tenants may not came back up fully (multinodes case).

Workaround:
- Bring partition tenants down if planning to do controller configuration reset-to-default.

or

- Manually delete default partition 1 after reset-to-default before restoring the save controller configuration. This should take care of removing everything associated to the namespace before the config-restore happens.

Partitions with ID different than 1 should clear the namespace automatically, since they don't get recreated as part of reset-to-default.

Fix:
Startup stale cleanup logic has been adjusted to manage multinode and virtual slots tenants appropriately.

1933721-2 : Interface remain down in F5OS after removing and reinserting SFP modules

Links to More Info: BT1933721

Component: F5OS-C

Symptoms:
After SFPs are removed and reinserted in a VELOS blade, the interface will remain down in F5OS until the blade is rebooted. The peer switch may report the interfaces as having a link.

Conditions:
- VELOS chassis running F5OS-C 1.8.0
- SFPs in blade are removed and reinserted.

Impact:
F5OS interfaces remain reported as operationally down until the blade is rebooted.

Workaround:
After SFP modules are removed and reinserted on a blade, reboot the blade.

1926585-3 : High memory utilization by NetworkManager★

Links to More Info: BT1926585

Component: F5OS-C

Symptoms:
After a VELOS system controller, blade, or rSeries appliance has been running for several hundred days, the NetworkManager service may start leaking memory. This will eventually result in system instability including a failover between system controllers, or instability to tenants.

Log messages similar to the following occurring in /var/log/messages or the systemd journal:

controller-2.chassis.local NetworkManager[180091]: gsignal.c:2642: instance '0x564069a2be40' has no handler with id '34120'

Prior to these log messages being generated, there is no way to tell how close to occurring the issue is.

Conditions:
The NetworkManager service has been running for a substantial period of time (i.e. more than 500 days).

Impact:
NetworkManager service utilizes high memory in the system, which leads to controller failover.

Workaround:
Restart NetworkManager by logging in to the appropriate device as root (system controller, blade, or appliance) and running the command "systemctl restart NetworkManager".

1921793-1 : Health summary is not reported for some nodes in controller and partition ConfD

Links to More Info: BT1921793

Component: F5OS-C

Symptoms:
System health summary is missing for some nodes.

Conditions:
It is observed when iso is upgraded to 1.8.1 branch

Impact:
System health summary is not reported for some nodes. It throws error while fetching summary.

Workaround:
None

Fix:
Updated Node tag in components properly. Since GET:health api is fixed in diag-agent, Show system health summary reports etails properly for all nodes.

1920325-1 : The network-manager container crashes when it fails to create FDB entry in database★

Links to More Info: BT1920325

Component: F5OS-C

Symptoms:
Network-manager container crashes.

Conditions:
The issue may occur when there is an upgrade/downgrade, tenant creation/deletion, or reset/restore the database.

Impact:
The network-manager container will restart.

Workaround:
None

Fix:
The network-manager will not crash when it fails to create FDB entry in database.

1891301-2 : CVE 2020-27743: pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes().

Component: F5OS-C

Symptoms:
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id.

Conditions:
The current version pam_tacplus from version 1.6.0 doesn't have the fix as this was added in version 1.6.1 source package.

Impact:
This could lead to use of a non-random/predictable session_id which means an adversary could gain access.

Workaround:
N/A

Fix:
By updating the pam_tacplus source code to 1.7.0 where the vulnerability was fixed in 1.6.1, the new code does not have this issue.

1890297-1 : Memory leak in l2_agent daemon on F5OS

Component: F5OS-C

Symptoms:
- Large memory consumption by the l2_agent.
- Tenant disruption on F5 rSeries appliance.

Conditions:
- An F5OS system with SNMP configured and a LAG (Link Aggregation Group) with more than 1 member.

- SNMP monitoring in use.

We can check the l2_agent memory consumption by using `top` command.

Ex: Top output showed a 15GB l2_agent process:

   PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
19454 root 20 0 17.3g 14.9g 1788 S 0.0 5.9 174:04.57 /confd/bin/l2_agent -s appliance-1

Impact:
Eventually the system experience OOM (Out of Memory).

On an F5 rSeries appliance, a tenant might experience disruptions and slowness, up to and including a TMM SIGABRT core.

Workaround:
None.

Fix:
The l2_agent process no longer leaks memory.

1889913-2 : VELOS partition Allowed IP rule restrictions

Links to More Info: K000151718, BT1889913

1871517 : CVE-2017-18342 PyYaml arbitrary code execution from untrusted data

Links to More Info: K000139901, BT1871517

1857241-2 : CVE-2025-22869 - SSH file-transfer servers vulnerable to Denial of Service via slow key exchange

Component: F5OS-C

Symptoms:
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Conditions:
The issue occurs when the SSH service uses golang.org/x/crypto/ssh versions earlier than 0.35.0 and supports file transfer functionality

Impact:
The SSH service may become unresponsive or experience degraded performance under certain conditions.

Workaround:
Upgrade to patched version

Fix:
The Issue is fixed in golang.org/x/crypto/ssh v0.35.0 and above.

1857073-1 : CVE-2025-22869 - SSH file-transfer servers vulnerable to Denial of Service via slow key exchange

Component: F5OS-C

Symptoms:
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.

Conditions:
The SSH server implementation must support file transfer protocols over golang.org/x/crypto/ssh < 0.35.0

Impact:
The SSH service may experience reduced responsiveness or temporary unavailability under certain conditions.

Workaround:
Upgrade to patched version

Fix:
The issue is fixed in golang.org/x/crypto/ssh v0.35.0 and above.

1857057-2 : CVE-2025-22869 - SSH file-transfer servers vulnerable to Denial of Service via slow key exchange

Component: F5OS-C

Symptoms:
SSH servers that support file transfer protocols may hang, consume excessive memory, or become unresponsive when a client engages in a slow or incomplete key exchange, because data is buffered.

Conditions:
The SSH server implementation must support file transfer protocols over golang.org/x/crypto/ssh < 0.35.0

Impact:
The SSH service may experience reduced responsiveness or temporary unavailability under certain conditions.

Workaround:
Upgrade to patched version

Fix:
The Issue is fixed in golang.org/x/crypto/ssh v0.35.0 and above.

1857049-3 : CVE-2025-22869 - SSH file-transfer servers vulnerable to Denial of Service via slow key exchange

Component: F5OS-C

Symptoms:
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.

Conditions:
The SSH server implementation must support file transfer protocols over golang.org/x/crypto/ssh < 0.35.0

Impact:
The SSH service may experience reduced responsiveness or temporary unavailability under certain conditions.

Workaround:
Upgrade to patched version

Fix:
The Issue is fixed in golang.org/x/crypto/ssh v0.35.0 and above.

1857033-3 : CVE-2025-22869 - SSH file-transfer servers vulnerable to Denial of Service via slow key exchange

Component: F5OS-C

Symptoms:
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.

Conditions:
The SSH server implementation must support file transfer protocols over golang.org/x/crypto/ssh < 0.35.0

Impact:
The SSH service may experience reduced responsiveness or temporary unavailability under certain conditions.

Workaround:
Upgrade to patched version

Fix:
The issue is fixed in golang.org/x/crypto/ssh v0.35.0 and above.

1850481 : Standby tenant is unreachable after F5OS partition upgrade to 1.7.x or higher.★

Links to More Info: BT1850481

Component: F5OS-C

Symptoms:
- The `tmsh show net arp` may show arps with an unknown status.
- The confd CLI `show dag-states` command shows dag tables consisting of only zeros.

Conditions:
* Multi-slot tenant in a device group
* Connection mirroring enabled
* Upgrade F5OS partition from 1.6.x to 1.7.x or greater

Impact:
Standby tenant is inaccessible.

Workaround:
None

Fix:
This issue has been fixed in F5OS partition upgrades to 1.7.x or higher.

1850165-1 : Missing internal interface pgindex field causes l2-agent to restart★

Links to More Info: BT1850165

Component: F5OS-C

Symptoms:
Upon upgrade from 1.1 -> 1.6 -> 1.8, l2-agent on blade will exit due to interface data mismatch. This mismatch happens because the pgindex hidden leaf is missing from cdb, but the l2-agent on blade expects it.

Conditions:
Chain upgraded from 1.1 -> 1.6 -> 1.8. Version 1.8 is the version where l2-agent added more logic to check interface data inconsistency.

Impact:
Dataplane is not functioning.

Workaround:
Work around is to delete the blades from the partition and re-add them. This will require user to reconfigure interface data (vlans, lag members).

Fix:
With this fix, the upgrade into 1.8 will work as expected, and l2-agent on the blade will find matching interface data.

1826209-1 : Error log does not contain all needed information.

Links to More Info: BT1826209

Component: F5OS-C

Symptoms:
An "Interface data differ" log is logged by l2-agent, but all of the compared fields in the log message are identical.

Conditions:
L2-agent logs an error message that the interface data differs.

Impact:
The lack of some data such as interface type and slot ID in the log entry makes troubleshooting more complex.

Workaround:
Save the backup configuration file, and inspect the file for hidden fields. For example, search for pgindex under the interface entry.

Fix:
With this change, the log ERROR will display all required data.

1824525-1 : LDAP Remote user may show as a different user after logging in to the system

Links to More Info: BT1824525

Component: F5OS-C

Symptoms:
LDAP Remote user may show as a different user after logging in to the system and using the 'who' command.

Conditions:
If LDAP auth is not configured at the time the local user is created, the account could potentially end up with the same local user's UIDs. However, the permissions will not be be determined by the UIDs, therefore the account is required to have the correct permissions.

Impact:
No functional impact.

Workaround:
None

1819289-2 : Zero is not allowed as Prefix Length for allowed IPs

Links to More Info: BT1819289

Component: F5OS-C

Symptoms:
It is not possible to save a prefix length with a value of ‘0’.

Conditions:
Prefix Length value is configured to '0'.

Impact:
Allowed IPs cannot be created with prefix value '0'.

Workaround:
Works from CLI.

Fix:
Fixed to accept '0' as prefix length value.

1818185 : The meaning of the interface phyport internal field changed from phyport to DID. This will break functionality that is using phyport★

Links to More Info: BT1818185

Component: F5OS-C

Symptoms:
Two different symptoms surfaced after the meaning of phyport changed:
- reset-counters for an specific interface
- lag members association with a lag in fpgamgr

Conditions:
You configure LAGs while running 1.6.2, with LAG members spanning multiple blades (e.g. blade-1 and blade-3), and then perform a live upgrade to 1.8.0 and above.

You attempt to reset counters for a specific interface (e.g. 1/1.0) after a live upgrade from 1.6.2 into 1.8.0 and above.

Impact:
For the lag members mismatch, the data packets will be forwarded to the wrong port.

For the reset counters, the counters are not reset for the specified interface.

Workaround:
For the reset-counters issue, execute reset counters for all interfaces. This will clean up the counters.

For the LAG member mismatch, reboot the blades after live install ends successfully.

Fix:
The fix addresses the mismatch in interface phyport values.
This will allow reset counters per interface to work.
This will allow the lag members to be properly handled after live upgrade.

1817669-1 : Timeout for the Ansible playbook during cluster install cannot be retried.★

Links to More Info: BT1817669

Component: F5OS-C

Symptoms:
If there are other issues on the chassis that cause the ansible playbooks to run slowly during Kubernetes cluster install, the playbook cannot be retried correctly if it reaches timeout.

Conditions:
This can occur, if there are other issues on the chassis that cause the ansible playbooks to run slowly, such as DNS or remote auth issues when a Kubernetes cluster rebuild is executed.

Impact:
The Kubernetes cluster install may fail repeatedly because it will not correctly recognize the timeout, and raise the amount of time it will wait.

Workaround:
Mitigation is resolve the issue(s) causing the playbooks to run slowly. This may involving removing bad DNS servers or remote auth servers that may be causing the slow down.

Fix:
The orchestration-manager code has been updated to correctly recognize the timeout error, and handle it correctly.

1814073-1 : F5OS chassis switchd core dump

Links to More Info: BT1814073

Component: F5OS-C

Symptoms:
The switchd process experiences crashes that generate core dumps.

Conditions:
These crashes are typically observed during certain interface queries or other operations involving statistics updates.

Impact:
The switchd process crashes and generates core files. Temporary service disruptions may occur for functionalities reliant on the switchd process.

Workaround:
None

Fix:
This issue has been fixed, ensuring switchd includes proper handling for TMSTAT query.

1814057-1 : Daemons that handle ZMQ messages may crash under certain conditions.

Links to More Info: K000151718

1814053-2 : Orchestration Agent process may core

Links to More Info: K000151718, BT1814053

1814045-2 : Daemons that handle ZMQ messages may crash under certain conditions.

Links to More Info: K000151718, BT1814045

1812665-2 : Fpgamgr failing to clear alarms when unplugging and replugging SFPs combined with disabling/enabling interfaces

Links to More Info: BT1812665

Component: F5OS-C

Symptoms:
Fpgamgr fails to clear the {transmit,receive} {power,bias} {low high} alarms, even though the values are within tolerance.

Conditions:
-- Unplugging and replugging SFPs
-- Disabling/enabling interfaces at the same time

Impact:
The {transmit,receive} {power,bias} {low high} alarms do not clear.

Workaround:
None

1812541-2 : DDM system alarms triggered when interface is disabled

Links to More Info: K000150155, BT1812541

Component: F5OS-C

Symptoms:
Running 'show system alarms' reports "Portgroup <N> ERROR Lanes: 1 Transmitter power low alarm"

Conditions:
Disabling an interface locally

Impact:
Transmitter power low and transmitter bias low alarms occur.

Workaround:
To clear the alarms, workaround provided in article K000150155 can be followed.

1789417-1 : Component fpgamgr in restart loop with segmentation fault after failed FPGA firmware update

Links to More Info: BT1789417

Component: F5OS-C

Symptoms:
Component fpgamgr experiences segmentation fault after failed FPGA firmware update and persists in a reboot loop. The CLI command "show cluster nodes node state platform fpga-state" indicates that FPGA_STATE persists in FPGA_INIT and never reaches the state FPGA_RDY.

Conditions:
FPGA firmware update fails and one or more of the FPGA devices does not show up on the PCI bus. This causes a FPGA SDK segmentation fault upon the fpgamgr component startup, and perpetual reboot loop so long as the FPGA issue persists.

Impact:
A failure in the FPGA firmware update process results in one or more FPGA devices not being detected on the PCI bus. This, in turn, causes a segmentation fault in the FPGA SDK upon the startup of the fpgamgr component, leading to a continuous reboot cycle until the FPGA issue is resolved.

Workaround:
None. Perpetual reboot loops after trying to load FPGA firmware that do not recover typically indicates a hardware error and requires an RMA.

Fix:
One of the BARs fails to initialize when the PCIE speed does not load at the intended Generation. This issue was causing a segmentation fault in the SDK, but it has now been resolved by having the SDK notify the fpgamgr of the missing BAR instead. While the device may still fail to load, the fpgamgr will no longer experience a crashing loop as a result.

1789141-2 : If 'ldap-group is configured for a role but LDAP search fails, users with the default GID for the role can still get those privileges

Component: F5OS-C

Symptoms:
When an 'ldap-group' mapping is configured for a F5OS role, and the mapping fails (because the filter is invalid or the LDAP query of remote groups fails for some other reason), the default mapping for the role (or, what is configured in 'remote-gid' for the role) is still used.

For example, if you were attempting to map the F5OS role 'admin' (default GID 9000) to an LDAP group 'CN=my-ldapgroup', and the LDAP search for that group failed (because the provided filter was invalid, the group does not exist, etc.), users with GID 9000 would still be able to authenticate and login with 'admin' privileges.

Conditions:
1. LDAP authentication is enabled.
2. A role mapping is applied via the 'ldap-group' configuration for a F5OS role.
3. The provided 'ldap-group' filter is invalid or another unexpected issue is encountered when querying the LDAP server.

Impact:
Users can login with privileges in excess of what one might expect given the system configuration.

Workaround:
If the LDAP group/users have Posix attributes ('gidNumber'), it is possible to map the F5OS role using this GID number by specifying it in the 'remote-gid' configuration under the role.

If this is not feasible, it is possible to directly validate the 'ldap-group' mapping was successful by inspecting this file from a bash shell:

[root@appliance-1(test):Active] ~ # cat /etc/ldap-gid-map.txt
1108:=9000

If there is an entry that has the default GID for the role on the right-hand side of ':=' in this file, it means the mapping was applied successfully and users with the default or 'remote-gid' GID will not be able to obtain the role permissions. If such an entry is missing, you will need to fix the 'ldap-group' filter so an LDAP query of the group can be successful.

Fix:
If a configured 'ldap-group' mapping fails, deny all role-based access for the mapped role until it is fixed or de-configured.

1789125-1 : VQF VOQ entries missing for the functional blades in the show fpga-tables output

Links to More Info: BT1789125

Component: F5OS-C

Symptoms:
Blade 13 is in faulty state due to a different issue related to memory DIMMs.

For the show FPGA tables command there is output for VOQs corresponding to blades 1 and 11.

And in the vqf_voq_stat table output, the remaining VOQ stat requests starting from 13 do not return data although the tmstat table for some other blades are intact.

Conditions:
One of the intermediate blades from the list of show components is faulty and leads to skipping of processing the vqf voq stat requests for rest of the blades that are properly functional.

Impact:
Improper output for the 'show fpga-tables vqf_voq_stat' command.

Workaround:
None

Fix:
Added a code change to get the stats completion for rest of the functional blades when one of the blades is faulty.

1789117-1 : SNMP bulk queries for LAGs on VELOS might return incomplete information

Links to More Info: BT1789117

Component: F5OS-C

Symptoms:
SNMP queries for interface statistics for a LAG might return incomplete information

Conditions:
- VELOS partition
- Querying SNMP for LAGs
- The LAG contains multiple members
- The SNMP client is issuing bulk SNMP queries
- The SNMP client queries for the first member of the LAG, skips another member of the LAG, and then queries information for the LAG

Impact:
The SNMP statistics reported by the VELOS system could possibly return incomplete information (failing to include statistics from one or more of the members of the LAG).

Workaround:
None

Fix:
The system will now correctly report SNMP statistics for LAGs.

1785841-1 : Management port not bouncing on failover on VELOS CX410 chassis

Component: F5OS-C

Symptoms:
When a failover occurs on VELOS CX410 chassis, the management link won't bounce, resulting in loss off connectivity for 300s or other to which remote switch has set as it's timeout for the mac address table.

Conditions:
Failover occurs on VELOS CX410.

Impact:
Loss of management connectivity for 300s or other to which remote switch has set as it's timeout of the mac address table.

Workaround:
Wait for remote switch to timeout and clear it's mac address table.

Fix:
With this fix in place the VELOS CX410 chassis will now bounce it's management link on failover immediately clearing the remote mac address table on the switch.

1785621-1 : Tenant deployed with Max Memory available on system results in Resource allocation failed - Node is up but Platform services not responding

Links to More Info: BT1785621

Component: F5OS-C

Symptoms:
Tenant fails to come to running state when deployed with max memory on system.

Conditions:
Tenant is deployed with max-available memory on the blade in prior releases of F5OS-C 1.8.1 version.

Impact:
Tenant fails to come to running state.

Workaround:
Since the max memory available for tenants on blade is corrected in F5OS-C-1.8.1, the tenant memory should be configured accordingly.

Step 1. Move failed tenant to configured state and adjust the memory to the new max-available memory of the tenant.

Step 2. Move the tenant back to the deployed state.

Fix:
Max memory available on system for tenant deployment has been corrected with right value.

1783781 : Bash history file containing "PRIVATE KEY" may block qkview

Links to More Info: BT1783781

Component: F5OS-C

Symptoms:
Qkview file generation gets stuck at zero percent complete:

# system diagnostics qkview status
result {"Busy":true,"Percent":0,"Status":"collecting","Message":"Collecting Data","Filename":"controller1.qkview.tar.gz"}

Subsequent attempts to generate a qkview fail with the result "Qkview capture can not be initiated. Another Qkview capture is already in progress"

Conditions:
-- Generating qkview
-- The bash history file is large and contains the text "PRIVATE KEY"

Impact:
Qkview files are not able to be collected

Workaround:
1. Run system diagnostics qkview cancel
2. mv ~/.bash_history ~/.bash_history.bak
3. Re-run qkview

Fix:
TBD

1782925-3 : Active Directory LDAP integration without uidNumber/gidNumber does not work after system reboot

Links to More Info: BT1782925

Component: F5OS-C

Symptoms:
After an rSeries appliance reboot, Active Directory LDAP authentication configured with "Unix Attributes" set to false does not work and users from Active Directory are unable to authenticate with the F5OS system.

There will be messages similar to the following logged in platform.log shortly after the reboot:

authd[8]: priority="Err" version=1.0 msgid=0x3901000000000101 msg="LDAP API error during : -" oper="SASL bind" code=-1 msg="Can't contact LDAP server".
authd[8]: priority="Warn" version=1.0 msgid=0x3901000000000098 msg="Unable to retrieve domain Sid for supplied servers and domains; server will be treated as if it has unix attributes present.".

Conditions:
- F5OS device configured with Active Directory LDAP authentication, and the "Unix Attributes" setting configured as false.
- System reboots

Impact:
LDAP remote authentication does not work.

Workaround:
To workaround this issue on an rSeries appliance, create a cron task to restart the system_user_manager and authentication-mgr docker containers after a system reboot:

1. Log into the system as root and create /etc/cron.d/ldap-post-reboot with these contents (not including the '==='):
===
# Workaround for post-reboot issue with LDAP auth (ID1782925)
#
# In the the first five minutes after the system reboots, assume the first
# instance of the following log message that we see is a result of the management
# port lack of connectivity when the docker containers start up, and restart both
# system_user_manager and authentication-mgr once.
#
# authd[8]: priority="Err" version=1.0 msgid=0x3901000000000101 msg="LDAP API error during : -" oper="SASL bind" code=-1 msg="Can't contact LDAP server".

@reboot root timeout 5m sh -c 'tail -n0 -F /var/F5/system/log/platform.log | grep -a -m1 authd.*0x3901000000000101 && sleep 20s && echo Restarting authd and user-manager && docker restart system_user_manager authentication-mgr' || echo "Timed out"
===

This mitigation may fail under some corner cases, e.g. potentially after an upgrade or if something goes wrong with the platform services such that they don't start up within the first five minutes after system boot. In those circumstances, log into the system as root and restart the system_user_manager and authentication-mgr containers:

    docker restart system_user_manager authentication-mgr

1780717-2 : CVE-2022-41723 - specially crafted HTTP/2 stream could cause excessive CPU usage in the HPACK decoder

Component: F5OS-C

Symptoms:
A malicious HTTP/2 stream can cause excessive CPU usage on the server, due to expensive HPACK decoding operations.

Conditions:
Golang < 1.19.6

Impact:
The service may experience reduced responsiveness or performance degradation.

Workaround:
Upgrade to patched version

Fix:
The issue is addressed in Go version 1.20.0 and later.

1780613-2 : CVE-2023-45288 - HTTP/2 endpoint excessive header reading via CONTINUATION frames

Links to More Info: K000152659

1779881-1 : CVE-2022-41722 stdlib-1.17.8: A path traversal vulnerability exists in filepath

Component: F5OS-C

Symptoms:
A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:＼b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".＼c:＼b".

Conditions:
NA

Impact:
The component may incorrectly process file paths, potentially leading to unexpected file access behavior.

Workaround:
NA

Fix:
The issue had been resolved

1779873-1 : CVE-2022-41720 stdlib-1.17.8: On Windows, restricted files can be accessed via os.DirFS and http.Dir

Component: F5OS-C

Symptoms:
On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

Conditions:
NA

Impact:
May allow access to files outside the intended directory, leading to unexpected file exposure.

Workaround:
NA

Fix:
The issue has been resolved

1779865-1 : CVE-2022-41716 Unsanitized NUL in environment variables on Windows in syscall and os/exec

Component: F5OS-C

Symptoms:
Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B＼x00C=D" sets the variables "A=B" and "C=D".

Conditions:
NA

Impact:
May result in the unintended creation or modification of additional environment variables, potentially leading to unexpected behavior.

Workaround:
NA

Fix:
CVE-2022-41716 does not affect Red Hat software

1779857-1 : CVE-2022-30634 golang-runtime

Component: F5OS-C

Symptoms:
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.

Conditions:
An affected version of Go (before 1.17.11 or 1.18.3) is used on Windows

Impact:
Passing an excessively large buffer to crypto/rand.Read may cause the application to enter an infinite loop

Workaround:
NA

Fix:
CVE-2022-30634 does not affect Red Hat software

1779849-1 : CVE-2022-29804 Path traversal via Clean on Windows in path/filepath

Component: F5OS-C

Symptoms:
Incorrect conversion of certain invalid paths to valid, absolute paths in Clean in path/filepath before Go 1.17.11 and Go 1.18.3 on Windows allows potential directory traversal attack.

Conditions:
An affected version of Go (before 1.17.11 or 1.18.3) is used on Windows platforms

Impact:
May allow a directory traversal scenario, potentially permitting unauthorized access to files or directories outside the intended path.

Workaround:
NA

Fix:
CVE-2022-29804 does not affect Red Hat software

1779677-1 : Multiple docker containers can get assigned the same bridge IP during rolling upgrade★

Links to More Info: BT1779677

Component: F5OS-C

Symptoms:
Multiple containers can get the same bridge IP during a rolling upgrade or docker restart

[root@controller-2 ~]# docker inspect controller-services-registry-2502 | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "100.64.0.2",
                    "IPAddress": "100.64.0.2",
[root@controller-2 ~]# docker inspect partition-services-registry-2202 | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "100.64.0.2",
                    "IPAddress": "100.64.0.2",

There's a race in IP address allocation in Docker.

Conditions:
When multiple containers start at the same time.

Impact:
This causes one of the two containers to answer requests depending on which container last refreshed the arp cache.
The other container does not work properly.

Workaround:
Reboot the system.

Fix:
Docker address allocator uses bit map to manage IP address pool but it's not thread safe.

Now, set/unset bitmap operations are protected by a lock.

1779669-1 : ConfD HA Status does not match bash prompt

Links to More Info: BT1779669

Component: F5OS-C

Symptoms:
When accessing the confd-cli it may report a different ha-state than that of the bash prompt. For example you may see:
syscon-2-standby#
[root@controller-2:Active ~]#

Conditions:
No specific conditions, the issue roots from Vcc-HA using blocking socket I/O that hangs when attempting to program ccsync state. When it hangs, Vcc-HA will hang forever and active/standby state of ccysnc will not be programmed correctly.

Impact:
Ccsync isn't programmed correctly images and other resources managed by ccsync will not be correctly synced between controllers.

Workaround:
Perform docker restart vcc-ha on both controllers.

Fix:
Updated vcc-ha to use non-blocking socket I/O to insure it cannot get hung when trying to program ccsync. It will instead exit and retry if the timeout is hit.

1779465-1 : SwitchD core file observed after live upgrade

Links to More Info: BT1779465

Component: F5OS-C

Symptoms:
Users may observe core files being generated on both controllers after a system live upgrade.

Conditions:
The occurrence of the core is non-deterministic, but it can happen after the live upgrade.

Impact:
When this issue occurs, the SwitchD process generates a core file on the controller.

Workaround:
Reboot the controllers after observing SwitchD core file on the controller.

Fix:
This issue has been resolved to ensure proper process initialization during SwitchD initialization.

1778689-1 : Duplicate OMD alerts during Inaccessible Memory incident

Links to More Info: BT1778689

Component: F5OS-C

Symptoms:
During certain conditions where an “Inaccessible Memory” issue occurs, duplicate OMD alerts may accidentally be triggered at the same time due to overlapping OID/alert IDs associated with the same root cause.

Conditions:
This issue arises when an “Inaccessible Memory” incident occurs, resulting in OMD generating redundant alerts “openshiftCertsExpWithinNinetyDays” for the same event, which is causing confusion and unnecessary noise in alert tracking systems.

Impact:
False-positive or duplicate alerts for OMD.

Workaround:
To verify and troubleshoot the issue, you can:

1. Use the confD command 'show cluster cluster-status' to check the cluster's current status.
2. Analyze the openshift.log/velos.log file for any errors or abnormalities related to the incident or cluster health.

Fix:
The issue has been addressed by implementing enhanced logic in OMD alert generation to eliminate duplicate alerts resulting from overlapping OID/alert IDs. The system now ensures each alert is uniquely identified and mapped to its respective event, preventing redundancy during “Inaccessible Memory” incidents. All configurations have been updated to maintain integrity and consistency.

1772501-3 : CVE-2024-45337 - Misuse of ServerConfig.PublicKeyCallback in golang.org/x/crypto/ssh

Links to More Info: K000152659

1772473-6 : CVE-2024-45337 - Misuse of ServerConfig.PublicKeyCallback in golang.org/x/crypto/ssh

Links to More Info: K000152659

1772433-2 : Config restore fails after upgrade★

Links to More Info: BT1772433

Component: F5OS-C

Symptoms:
1. Bare metal to: 1.6.1-19136
2. Upgrade to: 1.8.0-19115
3. Take controller backup
4. Reset database: system database config reset-default-config
5. Attempt to apply backup from step 3, this fail.

Conditions:
-- Upgrade from 1.6.1 to 1.8.0
-- Perform config-restore

Impact:
Unable to perform config-restore after upgrade.

Workaround:
None

Fix:
With the fix for ID1917841, you can now perform the config-restore.

1772305-1 : Unable to deploy a tenant to both BX110 and BX520 blade in same partition

Links to More Info: BT1772305

Component: F5OS-C

Symptoms:
A tenant can only be deployed to a partition if it is deployed to a node that is the same type as the other nodes that are running tenants. Deploying a multi-bladed tenant that includes both BX110 and BX520 blades is not supported.

Conditions:
Deploying a tenant to a partition that contains a mix of BX110 and BX520 blades.

Impact:
If a partition contains both BX110 and BX520 blades, you must choose to deploy tenants to one blade type or the other but not both.

Workaround:
Deploy tenants to nodes that are of the same blade type.

Fix:
None

1772053-1 : High memory usage due to log flood when one controller is in FIPS error state

Links to More Info: BT1772053

Component: F5OS-C

Symptoms:
In FIPS error state, the active controller triggers a sync to the errored controller which results into an infinite loop of waiting as the peer is unreachable. This dumps an enormous amount of logs in ccsync.log and consumes excessive memory.

Conditions:
One active controller and one FIPS errored out controller.

Impact:
Consumes high system memory and log files are rotated in no time leaving a huge dump of logs in ccsync.log

Workaround:
- stop ccswatch.service
- Recover FIPS errored controller
- restart ccswatch.service

Fix:
Added retries to wait for a finite time period before exiting to reduce log flood and memory usage.

1759733-1 : Controller reboot during a controller loading can cause openshift cluster to fail.

Links to More Info: BT1759733

Component: F5OS-C

Symptoms:
If a system controller is rebooted after it's ETCD instance has been started, but before the controller has been fully added to cluster, it can cause a failure that will not automatically recover. The controller will not be able to join the cluster after this failure.

Conditions:
A system controller is rebooted after it's local ETCD instance has been started, but before the controller is fully added into the openshift cluster.

Impact:
The rebooted controller will persistently fail to join the cluster after this failure. As such the cluster will not be redundant between the 2 system controllers.

Workaround:
Rebuild the openshift cluster to recover the affected system controller.

Fix:
The fix cleans any stale ETCD state when the process of adding the controller to the cluster after the reboot. This allows the controller to be re-added to the cluster correctly.

1757729-2 : Default port for LDAP server does not match default server type

Links to More Info: BT1757729

Component: F5OS-C

Symptoms:
On Server Groups screen, when adding an LDAP server, the default value for LDAP Over TCP type is set to 636 port by default, which is used for LDAP over SSL. This behavior is causing confusion.

Conditions:
When configuring an LDAP server.

Impact:
This issue can be confusing because the default setting for LDAP over TCP type is set to 636 port (instead of 389, which is the port used for LDAP over TCP).

Workaround:
None

Fix:
The default value for the ‘Port’ field has been changed to 389 to align with the default value for LDAP over TCP type.

1753469 : Add notification to set-version when downgrading the system from F5OS-A/C-1.8.0

Links to More Info: BT1753469

Component: F5OS-C

Symptoms:
A downgrade to an earlier version of F5OS from F5OS-A/C 1.8.0 can leave the system inoperable. Refer to ID1712009 for more information.

Conditions:
Perform a config-restore or config reset-to-default operation to an earlier version of F5OS.

Impact:
A downgraded system may be inoperable.

Workaround:
Refer to ID1712009 for workaround.

Fix:
There is an issue with performing a config-restore after downgrading from F5OS-A/C 1.8.0 (ID1712009). If you intend to perform a config-restore or config reset-to-default operation, please refer to the F5OS-A/C 1.8.0 release notes for information on avoiding this issue.

1752821-1 : Cluster re-install with missing system controller does not complete★

Links to More Info: BT1752821

Component: F5OS-C

Symptoms:
If a cluster re-install is issued when only one system controller is installed in the chassis, the cluster re-install will not complete and the system will not be functional.

Conditions:
-- Only one system controller is in a chassis, or one of the system controllers is broken.
-- Re-installing the cluster via 'touch /var/omd/CLUSTER_REINSTALL'

Impact:
System will not be able to launch tenants or pass traffic.

Workaround:
None

Fix:
The cluster orchestration layer has been update to allow K8S cluster install when one system controller is missing from the system. If the system controller is broken, but still inserted into the system the "/var/omd/FORCE_PEER_CC_MISSING" can be created on the remaining controller, and it will behave as if the broken CC has been removed from the chassis. Once the broken controller is replaced, the /var/omd/FORCE_PEER_CC_MISSING file should be removed.

1750613-1 : If a system controller PXE boots and reimages, partitions may not start correctly, and cause data loss★

Links to More Info: BT1750613

Component: F5OS-C

Symptoms:
If a system controller PXE boots, the partition instance restart on that controller may not work and the partition instance will be left in the "failed"/not running state with no configuration database. If that instance later becomes "active" it will overwrite the correct partition configuration database with the empty database.

Example failed partition instance state:

syscon-1-active# show partitions
                                                                   RUNNING
             BLADE OS SERVICE PARTITION SERVICE STATUS
NAME ID VERSION VERSION CONTROLLER STATUS VERSION AGE
----------------------------------------------------------------------------------------
none - - -
default 1 1.6.2-22734 1.6.2-22734 1 running-active 1.6.2-22734 40m
                                       2 failed - 11m


Normally following a controller reimage, the partitions will complete restart after all the ISOs are replicated to the controller and reimported. This may take 15 to 30 minutes depending on how many images are present. The partitions will show as "failed" while this resync occurs, and then they will start up normally. In the failure case, the instance stays "failed" indefinitely.

Do NOT attempt to enable/disable the partition while it is in this "failed" state, or perform a software upgrade (set-version). If that happens, the "wiped" partition instance may start up and become Active, and all partition configuration will be lost.

Conditions:
This problem occurs when the partition is running a "patch" version of partition-services rather than a "base" version. Patch versions have a version number (major.minor.patch) that ends in a number other than “0” (zero).
A race condition may occur between the completion of the partition ISO import and the initiation of the partition, resulting in a potential declaration of success despite failure. In such cases, the operation will not be retried.

In this scenario, the partition might never get started, so it has no opportunity to form an HA pair with the other partition instance and synchronize the configuration database and tenant images. If it does eventually become Active it will erase all partition configurations.

Impact:
All partition and tenant configuration in that partition is lost.

Workaround:
Following a PXE boot or reimage of the controller, check the status of all partition ISOs using the "show image partition" command. For patch versions, the partitions may stay in the "failed" state. However, for base versions, the partition should automatically restart and become running-standby within approximately 5 minutes after the ISOs have been imported. No further corrective action is necessary in this scenario.

To recover force the partition instance startup code to retry by changing the partition configuration in a minimally disruptive way. Recommend toggling the partition mgmt-ip to 'none' and then back, as this will force the retry but not permanently change any configuration.

Example:
syscon-1-active(config)# partitions partition default config mgmt-ip ipv4 address 0.0.0.0 ; exit
syscon-1-active(config)# commit
Commit complete.
syscon-1-active(config)# partitions partition default config mgmt-ip ipv4 address <ip address>; exit
syscon-1-active(config)# commit
Commit complete.
syscon-1-active(config)#

Do NOT attempt to enable/disable the partition while an instance is in this "failed" state following a reimage or perform a software upgrade (set-version). If that happens, the "wiped" partition instance may become Active, and all partition configuration will be lost.

Fix:
Partitions restart and form an HA pair correctly following system controller reimage/replacement, regardless of partition services version.

1737677-1 : Reboot of both system controllers results in dataplane issues

Links to More Info: BT1737677

Component: F5OS-C

Symptoms:
Traffic outage after simultaneously rebooting both system controllers.

Conditions:
With a multi-blade partition configured, reboot both system controllers simultaneously.

Impact:
Traffic outage

Workaround:
Reboot blades in affected partition.

1737517-1 : Rare partition startup conditions can cause persistent application-communication error on that partition

Links to More Info: BT1737517

Component: F5OS-C

Symptoms:
While executing partition commands related to tenants. Commands include but not limited to commits related to VLANs, tenants, and interfaces, or, showing data related to VLANs, tenants, and interfaces. Persistent error logging in the partition's confd.log and devel.log about an unregistered lac_mac_hook/write_all callpoint.

Conditions:
Specific cases, where a partition failover occurs, when the partition starts up, or reset to its default settings

Impact:
The partition is effectively inoperable, as very few commands are related to VLANs, and tenants. Additionally, VLANs are functional.

Workaround:
Reboot active partition's system controller or toggle the partition's enabled state.

1730833-4 : Tmm may egress broadcast traffic even when VLANs are disabled in F5OS

Links to More Info: BT1730833

Component: F5OS-C

Symptoms:
In certain scenarios such as restoring a UCS on an F5OS tenant, if the VLANs in F5OS are disabled, tmm may egress broadcast traffic such as gratuitous ARPs onto the disabled VLANs.

Conditions:
-- An F5OS tenant where VLANs were assigned and then removed.
-- An F5OS tenant where tmm is not in forced-offline mode.
-- An action occurs on the tenant (such as restoring a UCS or restarting tmm, or loading the config) that results in gratuitous ARPs.

Impact:
This could cause IP address conflicts on the network or other issues related to unexpected broadcast traffic such as gratuitous ARPs on the network.

Workaround:
- In F5OS, remove the affected VLANs from the LAG or interface.

- On the tenant use forced offline to prevent traffic egress.

- If you are restoring a UCS from another BIG-IP such as for a platform migration, put the source BIG-IP into forcedoffline state before taking the UCS.

- delete the tenant, and recreate without any VLANs assigned.

Fix:
A single tenant with a vlan that was configured and then removed via F5OS will no longer leak broadcast traffic onto the network on the removed vlan.

This fix does not address the issue when multiple tenants are attached to the same vlan. F5 has created ID1758957 for that issue.

1711633-1 : All nodes can be reported as not ready, after a live controller upgrade

Component: F5OS-C

Symptoms:
After a controller upgrade, it is possible that all of the nodes in the cluster can be reported as in the not ready state for a brief period of time.

Conditions:
The cluster state data that is being reported to ConfD is using stale data. The cluster data is not updated correctly until a valid nodes query is completed.

Impact:
The user can see inaccurate cluster data information.

Workaround:
None.

Fix:
It has been observed that no nodes have displayed a state of unreadiness during the initial stages.

1710765-2 : The node number fetched by the SNMP disk stats handler from the disk operational handler has the wrong blade value.★

Links to More Info: BT1710765

Component: F5OS-C

Symptoms:
Rarely, SNMP command output may not show up the disk stats for a particular blade. This could happen because of incorrect blade value of the blade fetched from the backend.

The partition "velos.log" file may show below logs:

1. <Timestamp> default platform-stats-bridge[8]: nodename=controller-2(p1) priority="Err" version=1.0 msgid=0x4305000000000007 msg="" msg="Invalid slot value." value=761491247.

2. <Timestamp> default platform-stats-bridge[8]: nodename=controller-2(p1) priority="Err" version=1.0 msgid=0x4305000000000007 msg="" msg="Failed to assign blade instance" value=761491247.

Conditions:
1. Upgrade the partition
2. Configure SNMP community of any version
3. Execute SNMPWalk command on the disk stats table MIB.

Impact:
SNMPWalk will miss the disk utilisation stats of problematic blade.

Workaround:
As a workaround, either restart the platform-stats-bridge container of the partition or disable/enable the partition from Confd.

Fix:
As a workaround, either restart the platform-stats-bridge container of the partition or disable/enable the partition from Confd.

1710453-1 : Partition configuration wiped out during Controller reboot

Links to More Info: BT1710453

Component: F5OS-C

Symptoms:
In rare cases the partition configuration volume can be wiped during a system controller reboot when partitions are disabled, resulting in partition configuration loss.

Conditions:
When partitions are disabled and a system controller is rebooted there can be a shutdown race between a (spurious) resize request and LVM shutdown that can cause one of the partition volumes to get removed.

When the partition is subsequently enabled, whichever controller instance starts first will establish the current configuration. If the instance that was removed starts first, the partition is reinitialized to a clean configuration.

If the partition is running when the system controller reboots it will automatically resync itself from the other system controller as soon as it restarts. Configuration loss is not observed, though there may be missing logfiles on one of the system controller partition instances.

Impact:
Partition and tenant configuration is lost, and must be restored from backup before continuing.

Workaround:
Partitions should be left enabled. As long as at least one partition instance is running, the high availability subsystem will ensure that no configuration is lost.

Chassis power loss won't trigger this problem since there won't be a "race" between the stopping components.

Fix:
The spurious resizes no longer occur, and the error paths in partition volume resize and partition enablement can no longer result in removing the volumes.

1710405-1 : MAC exhausted error can occur even though there are available MACs

Links to More Info: BT1710405

Component: F5OS-C

Symptoms:
MAC address processing during tenant configuration can result in a "MAC exhausted" error even though there are available MAC addresses.

Conditions:
If the processing of a tenant's configuration releases MAC addresses to the partition's free list then this can erroneously cause a MAC exhaustion error. In this case there may be error logs in velos.log as well indicating failure to update or modify the MAC address pool.

Impact:
This can disrupt tenant configuration.

Workaround:
Modifying the tenant in the CLI when adding VLANs to a tenant is less likely to run into this issue.

Fix:
The code has been modified to log the error but not cause the misleading MAC exhaustion error and not block tenant configuration.

1709665-2 : Blade NotReady after liveupgrade★

Links to More Info: BT1709665

Component: F5OS-C

Symptoms:
A blade is stuck in the NotReady state after an upgrade.

Conditions:
-- The VELOS system is being upgraded.
-- A reboot is triggered before the grub config update is complete.

Impact:
Blade stuck in NotReady state.

Workaround:
Perform a clean install of the blade by PXE installing it. Connect to the serial console of the blade and interrupt the boot process by selecting 'b' when the boot process displays "Press <c> to enter setup".

1709121-5 : Unable to create a tenant as the Network Manager start-up or failover may result in a looping process

Links to More Info: BT1709121

Component: F5OS-C

Symptoms:
While creating a new tenant, an error occurs:

"Failure for data/f5-tenants:tenants API. The server or an underlying service is unreachable."

The network-manager service seems to hang, or it might be in a restart loop.

In confd, the 'show system mac-allocation state' command indicates that no MAC addresses have been allocated.

$ show system mac-allocation state
system mac-allocation state free-single-macs 16
system mac-allocation state allocated-single-macs 0
system mac-allocation state free-large-blocks 2
system mac-allocation state allocated-large-blocks 0
system mac-allocation state free-medium-blocks 0
system mac-allocation state allocated-medium-blocks 0
system mac-allocation state free-small-blocks 0
system mac-allocation state allocated-small-blocks 0
system mac-allocation state total-free-mac-count 80
system mac-allocation state total-allocated-mac-count 0 <---
system mac-allocation state total-mac-count 80

Conditions:
This can occur with combinations of tenants using MAC blocks greater the size 1. The specific combinations are somewhat unpredictable.

Impact:
Tenants cannot be created.

Workaround:
None

Fix:
The code will be updated to prevent the hang condition.

1699821-2 : Partition data missing

Links to More Info: BT1699821

Component: F5OS-C

Symptoms:
The system controller can be rebooted while a partition is being created. This can cause the partition to not function correctly.

Conditions:
A system controller is rebooted while the partition is being created.

Impact:
Partition doesnt work as expected. /config, /shared, /images paths (one or more) will be missing.

Workaround:
Disable and delete the defective partition, then re-create the partition.

Fix:
Controller reboot during partition creation completes correctly after the controller returns to service.

1697237-1 : Partition volumes IMAGES, shared are not present in partition snmpwalk output. in hrStorageDescr in HOST-RESOURCES-MIB

Links to More Info: BT1697237

Component: F5OS-C

Symptoms:
SNMP get fails to display the HOST-RESOURCES-MIB details for the partition's volumes IMAGES.

Conditions:
Snmpwalk is performed on the Chassis Partition.

Impact:
HOST-RESOURCES-MIB information is not included in snmp get output.

Workaround:
None

Fix:
Corrected the regex used to collect the Partition's volumes image details.

1696325-1 : Unresolved VQF IMM watchdogs after system controller failover, VoQ Window Errors, and extensive disconnect to confd

Links to More Info: BT1696325

Component: F5OS-C

Symptoms:
The VoQ IMM Enabled status in the fpga-tables vqf-voq-stats output from the CLI remains 0 indefinitely resulting in traffic loss between blades.

Example:
show fpga-tables vqf-voq-stats
                                                                    COS MEM COS WIN
             EMM IMM SMS FILL FULL HI COS LO SMS EMM IMM ERR
SLOT NAME ENABLED ENABLED DRPLVL PKT CNT BYTE CNT DROP DROP DROP DROP DROP DROP DROP CNT
--------------------------------------------------------------------------------------------------------------------------

3 13.12 1 0 32767 1819895878 2330473381038 200121 0 0 86532 0 14 9 0
3 13.13 1 0 32767 1815815755 2322725261469 251277 0 0 58031 0 14 9 0
3 13.14 1 0 32767 1824204787 2337092078111 211707 0 0 1528 0 14 9 0
3 13.15 1 0 32767 1839939128 2357633747305 208636 0 0 0 0 14 9 0
3 13.4 1 0 32767 0 0 0 0 0 0 0 14 9 0
3 13.9 1 0 5427 0 0 0 0 0 0 0 14 9 0

Conditions:
A temporary loss of the dataplane links between the system controller and a blade on a system, followed by an extensive outage for that blade to the confD database.

Impact:
Traffic loss from the blade reporting the zero values for IMM Enabled towards the destination blade. The destination blade is indicated by the first number in the decimal of the "NAME" column.

For instance, if the IMM ENABLED values are 0 for "Slot 3 and NAME "13.12", this indicates that traffic from slot 3 towards slot 13 will be lost.

Workaround:
Reboot the blades reporting the IMM Enabled values of 0.

1696269-1 : If partition confd initiates a failover due to a health fault, it may incorrectly attempt to fail over repeatedly

Links to More Info: BT1696269

Component: F5OS-C

Symptoms:
In some conditions, when the partition confd initiates a failover to the other controller, it fails to complete the failover in a timely fashion and the original instance reclaims the active role. If the failover was due to a controller fault and is still present, it will immediately fail over again.

Conditions:
If a controller health fault is present on system controller-1, and the partition redundancy mode is set to either "auto" or "prefer-1".

Impact:
While the partition instance is failing back and forth, the control-plane functions are unavailable or degraded, and this can impact dataplane operations.

Workaround:
Set the partition "system redundancy config mode" to "active-controller". When a controller fault exists, and the controller fails over, the partition will automatically prefer to follow the active controller location.

1696157-4 : Container api-svc-gateway crashes after enabling a tenant

Links to More Info: BT1696157

Component: F5OS-C

Symptoms:
The api-svc-gateway container crashes intermittently.

The logs contain the following entries

appliance-1.chassis.local tcpdumpd-manager[8]: priority="Info" version=1.0 msgid=0x5401000000000095 msg="Interfaces/VLANs were removed. No change to hardware programming needed.".
appliance-1.chassis.local Core-helper.Appliance: priority="Err" msgid="0x6501000000000001" msg="Core dumped on Appliance" process="api_svc_gateway" location="/var/shared/core/container/core.system_api_svc.api_svc_gateway.25499.1728690599.core.gz"
appliance-1.chassis.local alert-service[9]: priority="Notice" version=1.0 msgid=0x2201000000000029 msg="Received event." event="327680 appliance core-dump EVENT NA 'Core dumped on appliance. process=api_svc_gateway, location=/var/shared/core/container/core.system_api_svc.api_svc_gateway.25499.1728690599.core.gz'

Conditions:
1. Enabling a tenant by changing it's running-state to deployed.
2. Enabling a tenant followed by deleting the tenant from the CLI promptly.

Impact:
The api-svc-gateway container crashes.

Workaround:
None. The api-svc-gateway will restart immediately and tenants will be recovered automatically.

Fix:
The api-svc-gateway will not crash and tenant will be in the expected state after performing the operations.

1695589-1 : Data-plane links are bounced on HA failover

Links to More Info: BT1695589

Component: F5OS-C

Symptoms:
If the active management port link is cycled down and up, a system controller and partition HA failover will occur. When the system controller failover occurs, a slot state change event is generated causing switchd to "link bounce" all data plane ports even though the slot state on those ports has not changed.

Any act performed on the chassis that would cause a slot state change event will trigger this behavior. That includes inserting or removing a blade.


The impact of the link bounce can be observed by 'IMM watchdog events' reported in the partitions velos.log (/var/F5/partition<id>/velos.log:

fpgamgr[14]: nodename=controller-1(p4) nodename=blade-3(p4) priority="Warn" version=1.0 msgid=0x305000000000008 msg="VQF IMM Watchdog." slot=5 port=9.

Conditions:
This occurs when the active system controller management link is marked down, resulting in an HA switchover or any other act performed on the chassis that can lead to a slot state change event (ie removing/inserting a blade).

Impact:
The data plane links are bounced (brought down and immediately back up), this will trigger the VQF IMM watchdogs.

Workaround:
None.

1695557-1 : CVE-2024-23599-Intel BIOS vulnerability

Links to More Info: K000141500

1691557-1 : CVE-2020-8037: tcpdump memory leak.

Links to More Info: K000149929

1682425-1 : Rate limiting does not work on BX520 front panel interfaces

Links to More Info: BT1682425

Component: F5OS-C

Symptoms:
Broadcast and other DLF (destination lookup failure) traffic on BX520 front-panel interfaces is not rate-limited.

Conditions:
Excessive broadcast or DLF traffic is present at the front panel interfaces.

Impact:
Excessive broadcast or DLF traffic can cause traffic loss.

Workaround:
None

Fix:
This issue has been fixed by configuring the BX520 rate-limiter hardware correctly.

1681533 : F5 VELOS ATSE firmware v7.10.7.12

Links to More Info: BT1681533

Component: F5OS-C

Symptoms:
F5 VELOS ATSE firmware v7.10.7.12

Conditions:
F5 VELOS system

Impact:
Not applicable.

Workaround:
None

Fix:
Fixes intermittent register access. See ID1624057 for more information.

1681529 : F5 VELOS ATSE firmware v7.10.7.02

Links to More Info: BT1681529

Component: F5OS-C

Symptoms:
F5 VELOS ATSE firmware v7.10.7.02

Conditions:
F5 VELOS system

Impact:
Not applicable.

Workaround:
None

Fix:
Fixes intermittent register access. See ID1624057 for more information.

1681525 : F5 VELOS ATSE firmware v7.10.7.22

Links to More Info: BT1681525

Component: F5OS-C

Symptoms:
F5 VELOS ATSE firmware v7.10.7.22

Conditions:
F5 VELOS system

Impact:
Not applicable.

Workaround:
None

Fix:
Fixes intermittent register access. See ID1624057 for more information.

1681521 : F5 VELOS ATSE firmware v7.10.7.11

Links to More Info: BT1681521

Component: F5OS-C

Symptoms:
F5 VELOS ATSE firmware v7.10.7.11

Conditions:
F5 VELOS system

Impact:
Not applicable.

Workaround:
None

Fix:
Fixes intermittent register access. See ID1624057 for more information.

1681501 : F5 VELOS ATSE firmware v7.10.7.00

Links to More Info: BT1681501

Component: F5OS-C

Symptoms:
F5 VELOS ATSE firmware v7.10.7.00

Conditions:
F5 VELOS system

Impact:
Not applicable.

Workaround:
None

Fix:
Fixes intermittent register access. See ID1624057 for more information.

1680105-2 : Using 'iburst' option is preferred when adding NTP servers.

Links to More Info: BT1680105

Component: F5OS-C

Symptoms:
It's reported that sometimes system time drifts even with NTP server configured.

Conditions:
This is a common occurrence among specific NTP servers.

Impact:
System time drift.

Workaround:
Use 'iburst' option.
It helps making more reliable synchronization and initial accuracy with the server.

Fix:
From 1.8.1 and later, If the default settings are not specified, the settings will automatically change to iburst=true and association-type=pool.
The old NTP configurations, which have the default settings, will be updated to new default settings after the upgrade..
This change is relatively secure and is not likely to result in any problems.

1679941-2 : "gen error" while running snmpget/snmpbulkget commands

Links to More Info: BT1679941

Component: F5OS-C

Symptoms:
Triggered shell script which does the snmpget/snmpbulkget in a loop with 50sec delay in each loop reports genError for hrStorageAllocationunits

Conditions:
Snmpwalk is fetching the value for any index. No validation for the key passed.

Impact:
Some OIDs report an error, for example

Error in packet
Reason: (genError) A general failure occured
Failed object: HOST-RESOURCES-MIB::hrStorageAllocationUnits.131080

Workaround:
None

Fix:
Need to validate the index/key

1677797-1 : OMD on Active system controller hung due to 'oc delete project' command hang, after delete and recreate a partition and move slots

Links to More Info: BT1677797

Component: F5OS-C

Symptoms:
After deleting and recreating a partition and then moving slots in to the new partition, as a result:
* Blades scheduling is disabled
* multus and/or kubevirt are unhealthy
* Pods pending in the new partition
* Controller-manager pods CrashLoopBackOff
* New partition namespace is terminating

Conditions:
This issue occurs when you delete and recreate a partition.
During this operation, slots are moved to the new partition.
The ‘oc delete project’ command hangs, causing OMD on the active system controller to hang.

Impact:
This leads to system instability due to blade scheduling issues. Unhealthy pods impacting functionality and service availability.

Workaround:
Restart OMD services on the active system controller.

Fix:
The issue has been resolved by adding timeouts to the ‘oc delete project’ command. This ensures the operation will not hang indefinitely, preventing OMD on the active system controller from locking up and allowing the system to recover cleanly after partition and slot changes. You should now experience improved reliability during these operations.

1673925-4 : Missing masquerade MAC FDB entry causes excessive DLFs following tenant failover.

Links to More Info: BT1673925

Component: F5OS-C

Symptoms:
The FDB entry for the tenants masquerade MAC is missing from a blades internal L2 table after a tenant failover.

The output of

[root@blade-1 ~]# docker exec -i partition_fpga tmctl -d blade -w 180 nse_l2 -s mac,l2_tag
mac l2_tag
--- ------

[root@blade-1 ~]

where MAC and L2_tag match the masquerade MAC and VLAN from the output of 'show FDB'

Conditions:
During tenant failover, the system will delete the masquerade MAC from the old active and add it to the new active. In parallel, the system will detect a port-motion event when the tenant issues a GARP for the new MAC.

This introduces a race condition between the static ADD from the system and the dynamic port-motion event from the H/W. If the port-motion event is processed last, the new static entry can be deleted erroneously.

Impact:
All front-panel traffic towards the tenant will encounter a DLF, causing excessive DLF traffic to the tenant.

Workaround:
From the tenant, remove and then re-add the masquerade MAC to the traffic group.

Fix:
For port-motion events, don't delete the existing entry if it's a static system entry.

1673265-3 : RADIUS remote auth on F5OS may not use system management IP as NAS IP address

Links to More Info: BT1673265

Component: F5OS-C

Symptoms:
An F5OS appliance does not use the management IP as the NAS-IP-Address or NAS-IPv6-Address in RADIUS authentication messages, or uses a stale/out-of-date management IP address.

Conditions:
- An F5OS system configured for RADIUS remote authentication
- The F5OS host is configured to use DHCP for assignment of its management IP, or an administrator changes the management IP addresses without rebooting the system.

Impact:
RADIUS messages sent to servers contain an incorrect NAS IP address.

Workaround:
None

Fix:
F5OS will now use the correct management IP address for the NAS-IP-Address / NAS-IPv6-Address attribute.

1672269-1 : Blades missing L2 entries causing excessive DLFs.

Links to More Info: BT1672269

Component: F5OS-C

Symptoms:
Excessive DLFs from certain blades due to missing L2 entries.

The 'l2fs_stat' tmstat table shows the IDs of the blades to which L2 entries will be forwarded to:

[root@blade-1 ~]# docker exec -i partition_fpga tmctl -d blade -w 180 l2fs_stat -s svc_ids
svc_ids
---------------------------------
[ 0x2c 0x4c 0x6c 0x8c 0xac 0xcc ]

[root@blade-1 ~]#

In this example, blade-1 will forward to blades 3, 5,7,9,11 and 13.

A blade should have an entry for all other blades in the partition.

Conditions:
Reboot of a tenant or changing the tenant from deployed to configured back to deployed.

Impact:
L2 entries learned on the affected blade are not forwarded to other blades causing missing L2 entries on those blades.

Workaround:
Reboot the blade that's missing the entries for other blades.

For example, blade-1 is missing IDs for all blades in the partition:

[root@blade-1 ~]# docker exec -i partition_fpga tmctl -d blade -w 180 l2fs_stat -s svc_ids
svc_ids
---------------------------------
[ ]

[root@blade-1 ~]#

Fix:
On tenant deletion, don't remove service IDs belonging to the L2FwdSvc.

1670437-1 : Jumbo frames with an IP length greater than 9174 bytes may be dropped

Links to More Info: BT1670437

Component: F5OS-C

Symptoms:
Jumbo frames with an IP total length greater than 9174 bytes are dropped when traversing the VELOS inter-blade backplane.

Conditions:
This issue may occur for VELOS tenants with a VLAN MTU set to 9175 or higher.

Impact:
Data transfers between a VELOS tenant and another host configured with the same MTU may be disrupted. Individual packets may be dropped, or some flows may be permanently dropped.

Workaround:
Do not set the VLAN MTU higher than 9174 on a VELOS tenant.

Fix:
The MTU limit of the inter-blade backplane has been increased to align with the maximum supported size of jumbo frames, ensuring that jumbo frame communication is reliably transmitted without packet drops.

1670029-1 : Reset counter functionality not working properly on rSeries platforms

Links to More Info: BT1670029

Component: F5OS-C

Symptoms:
On rSeries appliances, interface counters will be reset briefly but then revert to the previous values. This behavior occurs within both the Link Aggregation Group (LAG) and individual interfaces, affecting the accuracy of network statistics and troubleshooting efforts.

Conditions:
Execute the “reset counters all” or equivalent command. The counters briefly reset before reverting to their previous values.

Impact:
The issue impacts the accuracy of interface statistics displayed in the GUI section under “Network -> Network Details.” When you reset counters for a specific interface, only the “Out” counters are successfully reset to 0, while the “In” counters remain unchanged or continue increasing. This causes confusion or incorrect reporting during network diagnostics or performance monitoring.

Workaround:
None

1660961-4 : Active Directory LDAP integration without uidNumber/gidNumber does not work with LDAP over TLS

Links to More Info: BT1660961

Component: F5OS-C

Symptoms:
Configuring an F5OS device to integrate with Active Directory using group names to map to roles rather than requiring unix attributes (uidNumber/gidNumber) in the directory will not work if the LDAP servers are configured to use encryption (TLS/SSL).

Log messages similar to the following in platform.log / velos.log:

authd[8]: priority="Err" version=1.0 msgid=0x3901000000000101 msg="LDAP API error during : -" oper="bind" code=-1 msg="Can't contact LDAP server".
authd[8]: priority="Warn" version=1.0 msgid=0x3901000000000098 msg="Unable to retrieve domain Sid for supplied servers and domains; server will be treated as if it has unix attributes present.".

Conditions:
- LDAP system authentication configured to authenticate against an Active Directory Server
- Under the system Authentication Settings configuration in the Common LDAP Configuration section, "Authenticate with Active Directory" set to True and "Unix Attributes" set to False
- LDAP group filters specified for one or more roles

Impact:
LDAP authentication functions based on unix attributes in the directory (uidNumber/gidNumber)

Workaround:
None

1644293 : Interface status alert and SNMP trap is not sent immediately after interface is disabled

Links to More Info: BT1644293

Component: F5OS-C

Symptoms:
When an interface is disabled, the alert or SNMP trap is not sent immediately.

Conditions:
-- Disable an interface.

Impact:
No alert or SNMP trap is sent when an interface is disabled. The trap is sent when the interface is re-enabled.

Workaround:
None

Fix:
Add a new "Interface disabled" event triggered when an interface is disabled. The "Interface up" and "Interface down" alerts changed to events.

1644221-3 : Log file grows to gigabytes (GBs) under /var/log

Links to More Info: BT1644221

Component: F5OS-C

Symptoms:
The default setting for logrotation on host-os is once per day. This can be troublesome if a problem arises and causes an excessive amount of log files to be generated. In such cases, the log files will grow to several GBs within a day.

Conditions:
If any service floods the logfiles under /var/log then file starts to grow in GBs.

Impact:
System disk gets full and becomes unusable.

Workaround:
None

Fix:
This issue has been fixed and the Log files will no longer grow in GBs.

1644185-1 : DAG State table is not cleaned when a tenant is deleted or moved to configured/provisioned

Links to More Info: BT1644185

Component: F5OS-C

Symptoms:
DAG State table is not cleared when a tenant is deleted, or moved to configured or provisioned state

Conditions:
1. Deploy a tenant and confirm the sDAG state table is present in partition ConfD.
2. Delete the tenant

Impact:
DAG State table is not deleted. The stale table is no longer functional.

Workaround:
The stale table can be manually deleted.

Fix:
DAG State table is now cleaned when a tenant is deleted.

1642081 : "default" partition key sometimes initialized improperly★

Links to More Info: BT1642081

Component: F5OS-C

Symptoms:
There is a potential for the default partition to incorrectly initialize the partition primary key at initial startup.

If this happens the API gateway on the blades will log this error message and secure tenants will be unable to connect.

2024-09-05T17:05:18.626737+00:00 default api-svc-gateway[12]: nodename=blade-1(p1) priority="Err" version=1.0 msgid=0x5803000000000010 msg="Key header check failed" HEADER="????xg?A????j?8?????p?}=?ajT".

Once the database & key are mismatched, the partition database is non-recoverable.

Conditions:
This issue only affects the "default" partition, and only during initial database creation following either a USB install or resetting the system controller database using "system database config reset-default-config true".

It does not affect any other partition. It does not occur if the controller database is reinitialized using "system database reset-to-default".

Impact:
Tenant will be unable to connect to the API Gateway and start up correctly.

Other encrypted fields will also be unable to be decoded.

Workaround:
Before configuring and enabling the default partition, recreate the default partition using the following command sequence.


syscon-2-active# config
Entering configuration mode terminal
syscon-2-active(config)# no partitions partition default
syscon-2-active(config)# validate
Failed: illegal reference 'slots slot 1 partition'
syscon-2-active(config)# partitions partition default ; exit
syscon-2-active(config)# validate
Validation complete
syscon-2-active(config)# commit
Commit complete.

If the partition has ever been enabled, this sequence will not have the desired effect, and will not repair the partition.

Fix:
The database startup initialization is fixed to ensure that the default partition primary key is correctly initialized.

1638629-1 : "Unhealthy" kubevirt pod due to internal networking issue with blade★

Links to More Info: BT1638629

Component: F5OS-C

Symptoms:
Some kubevirt pods are in a "CrashLoopBackOff" state following a live upgrade. The output of the 'show cluster' command shows that kubevirt status is unhealthy.

Conditions:
Exact conditions are unknown and this occurs rarely.

It was encountered during internal testing after a live upgrade.

Impact:
Might affect tenant deployment & traffic on the issued blade.

Workaround:
There are 2 workarounds for this issue:

1. Reboot the affected blade
2. Unschedule & reschedule the affected node

Steps for workaround #2:

'oc adm cordon <node>' ------> Mark <node> as unschedulable.

'oc adm drain <node> --delete-local-data --ignore-daemonsets' -----> safely evicts all pods from the specified node,preparing it for maintenance or decommissioning.

'oc adm uncordon <node>' -------> mark the node as schedulable again. After the maintenance is complete, can use this command to allow new pods to be scheduled onto the node.

Fix:
Please follow the work around steps and contact f5 support if need further assistance.

1634545 : OpenShift cluster may fail to install if no management IP's are configured★

Links to More Info: BT1634545

Component: F5OS-C

Symptoms:
The OpenShift cluster may fail to install after a bare-metal install or cluster rebuild if not management IP's have been configured on the system controller management ports. The output of the 'show cluster' command reports that 'MasterInstall' is in a state of Failed.

syscon-1-standby# show cluster
STAGE NAME STATUS
--------------------------------------
AddingBlade Not Started
HealthCheck Done
HostedInstall Not Started
MasterAdditionalInstall Not Started
MasterInstall Failed <===========
NodeBootstrap Done
NodeJoin Not Started
Prerequisites Done
RemoveBlade InProgress
ServiceCatalogInstall Not Started
etcdInstall Done

Conditions:
No management IP's configured on the system controller management ports while an OpenShift cluster install is initiated, either via a bare-metal install or a manual cluster rebuild.

Impact:
OpenShift cluster install will fail until management IP's are configured on the the system controller management ports.

Workaround:
Configure management IP's on the system controller management ports.

Fix:
F5OS will now add a default route on both system controllers that will allow the OpenShift cluster install to complete even when no management addresses have been configured on the system controller management ports.

1633681-1 : Dynamic FDB entries may not be flushed from all blades when a vlan tag is removed from a LAG.

Links to More Info: BT1633681

Component: F5OS-C

Symptoms:
When a vlan tag is removed from a LAG in a VELOS partition, existing FDB entries for that vlan that were learned on that LAG may not be flushed out on each blade.

If that vlan is then added to a different interface or LAG, the old FDB entries may get updated via L2 learning. But if that fails to happen (e.g. due to ID1620077), the old entries may persist.

Conditions:
Remove a vlan tag from a LAG on VELOS, and add the vlan to another.

Old FDB entries may persist when moving a vlan tag from a LAG to another LAG. If moving a vlan tag from a LAG to an interface, L2 learning seems to correct the situation.

Impact:
Since the old FDB entries are not flushed, if the system fails to update them via L2 learning also, egress traffic that matches these old entries is dropped.

This depends on which blades have the old entries and where the tenants are assigned to run. Tenant instances running on those blades are impacted, for the MAC address and vlan matching the old entry.

Workaround:
If old L2 entries persist, a reboot of the blade is required to clear them out.

1633073-4 : A core can occur in a forked process with an Orchestration Agent

Links to More Info: BT1633073

Component: F5OS-C

Symptoms:
You may occasionally notice a core file from a forked process of the orchestration agent.

Conditions:
This can occur in orchestration agent during normal operation.

Impact:
There’s a minimal impact. The core occurs rarely. It happens in a forked process during a read of the partition token. It doesn’t core the overall orchestration agent, only the forked process. There are no error logs. If the read fails, there will be a retry.

Workaround:
None

1630273-2 : CVE-2023-4207 - Centos Security Update for kernel

Links to More Info: K000138693

Component: F5OS-C

Symptoms:
https://my.f5.com/manage/s/article/K000138693

Conditions:
https://my.f5.com/manage/s/article/K000138693

Impact:
https://my.f5.com/manage/s/article/K000138693

Workaround:
NA

Fix:
https://my.f5.com/manage/s/article/K000138693

1629257-2 : Diag-agent service memory utilization increases because of heartbeat probe

Links to More Info: BT1629257

Component: F5OS-C

Symptoms:
Diag-agent service memory utilization rises if not controlled which can lead to OOM.

Conditions:
Diag-agent service generates heartbeat events which are sometimes creating a deadlock in the service. Once deadlock is hit the memory queue of diag-agent service in increasing because of heartbeat probes and eventually diag-agent service memory utilization also rises.

Impact:
Diag-agent service memory utilization rises if not controlled which can lead to OOM.

Workaround:
None

Fix:
Updated diag-agent service handle event locking in a better way so that a deadlock does not occur.

1628557-3 : F5OS high memory usage when using snmp

Links to More Info: K000149820

1627541-1 : System Controller unexpected failover in auto mode due to unhealthy SwitchD

Links to More Info: BT1627541

Component: F5OS-C

Symptoms:
A issue was identified where an unhealthy status reported by switchd was causing a system controller failover.

Conditions:
This issue occurs when switchd experiences a transient connection problem with ConfD and as a result reports it is unhealthy.

Impact:
The reporting of a transient ConfD connection problem as unhealthy triggers an unexpected system controller failover.

Workaround:
None.

Fix:
Switchd no longer reports an unhealthy condition because of a transient ConfD connection interruption thus removing this as a trigger of system controller Failover.

1624853-3 : ETCD consumes a high amount of CPU time

Links to More Info: BT1624853

Component: F5OS-C

Symptoms:
ETCD may consume a significant amount of CPU time after a controller failover, or when tenants are being deployed or removed.

Conditions:
Conditions causing extended high CPU time are unknown at the moment.

Impact:
This may slow down other F5OS control plane processes while ETCD is consuming a high amount of CPU.

Workaround:
If the ETCD CPU usage is continually high, it is possible to restrict the CPU's that ETCD is allowed to run on.

This can be done from the system controller shell, and needs to be done on both system controllers. This will need to re-done on system controller reboot or failover.

for x in $(pgrep 'etcd$'); do taskset -cp 4-7 $x; done

1624837-1 : Possible to have inconsistencies in the cluster member ready status after a Controller Connection failover

Links to More Info: BT1624837

Component: F5OS-C

Symptoms:
An inconsistency in the actual ready status of the nodes and controllers may be observed after a controller failover.

Conditions:
On a controller failover, it is possible there could be stale cluster status data on the new active controller that is being written into ConfD before a new poll of that data occurs.

Impact:
When looking at output of the controller CLI 'show cluster' command, you may see cluster members that are offline when in actuality they are in the Ready state. This is a temporary condition as the output will be eventually update to the correct data.

Workaround:
No workaround is necessary as the correct results will be shown on the next data poll.

1624777-1 : Tenants will not deploy since Orchestration Agent process is continuously generating a core

Links to More Info: BT1624777

Component: F5OS-C

Symptoms:
When attempting to deploy a tenant an error occurs:

tenants tenant my-bigip-1 config type BIG-IP (fill out all prompts)
default-1(config-tenant-my-bigip-1)# commit
Aborted: application communication failure

Core files are found in the partition's /shared/core/container/ directory.

Conditions:
-- Creating a BIG-IP tenant
-- Orchestration agent is crashing

Impact:
Tenants cannot be deployed if Orchestration Agent is crashing. User will not be able to deploy a tenant successfully.

Workaround:
None

1624665-4 : ConfD state data shows key and certificate configured for secure (mTLS) even after deleting from config

Links to More Info: BT1624665

Component: F5OS-C

Symptoms:
ConfD operational state data shows key and certificate configured for mutual transport layer security (mTLS) even after deleting them from configuration.

Conditions:
When the exporter is configured with mutual TLS. And then the key and certificate are deleted from the configuration. ConfD operational state data displays the deleted key and certificate for the exporter.

Impact:
No functional impact.

Workaround:
Delete the exporter and reconfigure it again.

Command to delete the exporter from ConfD CLI:

no system telemetry exporters exporter <exporter-name>

1624449-2 : SNMP polling of coreTotal5minAvg causing timeouts and genErrors

Links to More Info: BT1624449

Component: F5OS-C

Symptoms:
While running an snmpwalk that includes coreTotal5minAvg, you may get a timeout or a general error:

 Timeout: No Response from 10.170.9.16

The general error occurs less frequently:

 Error in packet
 Reason: (genError) A general failure occured

Conditions:
-- snmpwalk a MIB that includes coreTotal5minAvg
-- The polling is done for CPUs that are not present

Impact:
Error in packet

 Reason: (genError) A general failure occurred

 Failed object: iso.3.6.1.4.1.12276.1.2.1.1.3.1.6.8.112.108.97.116.102.111.114.109.0

Workaround:
After the system starts, after about two minutes, platform-stats-bridge will log this log message:

msg="DB ready check done" NAME="SnmpCpuStatsHandler".

After that log message, you will be able to check coreTotal5minAvg.

Fix:
Modified code such that snmpwalk will not be executed for offline cpus

1624057-2 : BX110 Port Flapping or interface/connectivity issues

Links to More Info: BT1624057

Component: F5OS-C

Symptoms:
F5OS-C v1.8.0 has a fix for an issue "VELOS interfaces flapping if an interface is disabled"; however a corner case remains that could still cause port flapping or have ATSE register reads return 0xebade001 instead of the correct value.

Conditions:
VELOS system

Impact:
Interfaces are intermittently marked DOWN and then UP. Traffic is disrupted while the interface is marked DOWN.

There may be other intermittent issues with interfaces or general connectivity issues.

Workaround:
Upgrade to F5OS-C 1.8.0 EHF-1

1623761 : After cleaning up disk due to disk space full error, tcpdump program still detects the disk as full and aborts

Links to More Info: BT1623761

Component: F5OS-C

Symptoms:
Tcpdump program detects the disk and aborts if the disk does not have enough space. However, even after cleaning up the disk, tcpdump does not recover from the abort state.

Conditions:
Fill up the disk space in /var/F5/partition/shared/. Then, run tcpdump from confd. An abort error will show up. After cleaning up the disk space, the system will still show abort errors when running tcpdump in confd.

Impact:
Can not run tcpdump after the disk space have been full at one point in time.

Workaround:
Restart the tcpdumpd_manager container on the controller that is running-active for the partition.

1623101-2 : External OTEL server receives log data for both the platform and event logs, even if only one of them has been configured

Links to More Info: BT1623101

Component: F5OS-C

Symptoms:
The configured OTEL exporter receives log data from both platform-log and event log, even when only one of them is configured.

Conditions:
This occurs when you configure one telemetry exporter with only either of “platform-log” or “event-log” instruments and another telemetry exporter with “all” or “logs” or both “[platform-log event-log]” instruments.

Impact:
The telemetry exporter configured to receive only platform-log or event-log instrument data will receive data from both log instruments.

Workaround:
None

1622869-5 : Might see TPOB core after HA disassembly

Links to More Info: BT1622869

Component: F5OS-C

Symptoms:
TPOB container might crash after performing BIG-IP Next-HA disassembly operation.

Conditions:
-- BIG-IP Next in a HA pair
-- The HA pair is disassembled and factory reset

Impact:
No impact, as the container gets re-created

Workaround:
None

Fix:
No Fix needed

1620513-1 : CVE-2024-38477 httpd: NULL pointer dereference in mod_proxy

Links to More Info: K000140784, BT1620513

1620077-4 : FDB entry port motion not working if new interface is a trunk/LAG

Links to More Info: BT1620077

Component: F5OS-C

Symptoms:
Immediately after a fail-over of traffic from one trunk/LAG to another, outbound traffic from the appliance or chassis to certain addresses may be interrupted for up to five minutes before recovering.

Conditions:
Switching traffic from one LAG to another on an appliance or chassis.

Impact:
Temporary disruption of tenant’s outbound traffic on an appliance or chassis system.

Workaround:
None

Fix:
Updated handling of FDB entry port motion to include cases with a trunk/LAG as the new interface.

1617805-1 : CVE-2024-6345 Python Setup Tools vulnerability

Links to More Info: K000152019, BT1617805

1615917-1 : L2_agent crash due to SNMP★

Links to More Info: BT1615917

Component: F5OS-C

Symptoms:
After upgrading system, L2-agent crashes.

Conditions:
1. System running with older version (earlier then F5OS-C 1.8.0 or F5OS-A 1.8.0 or F5OS-C 1.5.3 )
2. Configure SNMP
3. Upgrade system
4. L2-agent will start crashing.

Impact:
L2-agent crashes and you are unable to do get/set operations for interfaces using ConfD interfaces.

Workaround:
None

Fix:
Fixed an issue causing l2-agent to crash after upgrade.

1614821-3 : CVE-2024-3596 - Blast-RADIUS

Links to More Info: K000141008, BT1614821

1614429-1 : iHealth upload is failing with error "certificate signed by unknown authority"

Links to More Info: K000140362, BT1614429

Component: F5OS-C

Symptoms:
When attempting to use the QKView upload feature, the upload may fail with the message "certificate signed by unknown authority". This is due to a recent change in certificate authority that is inconsistent between F5OS and iHealth.

Conditions:
Always, after mid-July 2024.

Impact:
Unable to upload QKView files to iHealth with a single click.

Workaround:
You can use the File Export feature to download QKView files, and then upload these files to iHealth.

You can find the QKView files in the GUI at System Settings > File Utilities, then choose "diags/shared" as the base directory, then select "qkview".

Fix:
Certificate authorities used by the iHealth upload feature in F5OS will be updated.

1612557-1 : Dma-agent service health warnings appears in show system summary

Links to More Info: BT1612557

Component: F5OS-C

Symptoms:
Dma-agent service health warnings shown in show system health summary even when dma-agent service is reporting healthy.

Conditions:
When the health file is not deleted by any means and created again making it untracked.

Impact:
When dma-agent sevice health file reports dma-agent to be healthy, stale data (including warnings) might be seen in show system health summary.

Workaround:
SSH to the impacted blade and restart the platform-monitor service. E.g.

  ssh blade-1
  docker restart platform-monitor

Fix:
Show system health won't show stale data (warnings) when dma-agent service health file reports dma-agent to be healthy.

1612405-5 : LACP status shows UP in BIG-IP tenant even if its down on F5OS.

Links to More Info: BT1612405

Component: F5OS-C

Symptoms:
LACP Trunk is UP in BIG-IP tenant even when it’s DOWN on F5OS.

Conditions:
Condition 1:
1. Setup a rSeries or VELOS system.
2. Configure LACP LAG with interfaces operationally down.
3. Make sure LACP Trunk is DOWN on F5OS.
4. Upgrade the software.
5. Launch a BIG-IP tenant.
6. Check LACP trunk status inside tenant.

Condition 2:
1. Setup a rSeries or VELOS system.
2. Configure STATIC LAG with interfaces operationally down.
3. Ensure STATIC Trunk is DOWN on F5OS.
4. Launch a BIG-IP tenant.
5. Check the Trunk status inside the tenant. It will be DOWN.
6. Convert LAG type to LACP
7. Check the Trunk status inside the tenant. It will be UP even though it is down on F5OS.

Impact:
LACP Trunk members are shown as working members even though they are DOWN.

Workaround:
Check the interface config. If the admin is disabled, enable it.

Fix:
The status of LACP members is read whenever an LACP member is added as an operational member.

1612217-1 : A large amount of SPVA DoS allow list entries can overload DMA-Agent causing a tenant to fail to pass traffic

Links to More Info: BT1612217

Component: F5OS-C

Symptoms:
If the DMA-Agent receives a high volume of SPVA allow list entries at once, it may become overwhelmed and stop working. As a result, no traffic will be able to exit the tenant. This can be identified by observing the DMA-Agent using 100% of the cpu.

Conditions:
This is usually seen in configurations where there are many virtual servers configured with a dos profile that contains an IP-based allow list.

The problem does not arise when VIPs are added individually, but it often happens after TMM is restarted following a tenant reboot.

Impact:
Affected tenants will fail to pass any traffic on the data-plane.

The TMSTAT sep_stats.tx_send_drops3 will be incremented.

This issue could also effect other tenants hosted on the same F5OS hypervisor.

Workaround:
Perform the following on the tenant:
tmsh modify sys db dos.forceswdos value true
tmsh save sys conf

To recover the DMA-Agent in F5OS, set the tenant state to “configured” and then set it back to “deployed.

Fix:
The DMA-Agent now handles a high volume of SPVA allow list entries.

1612101-2 : When vCPU cores configuration changed for BIG-IP Next tenant, RRD stats shows both the old and new CPU data stats

Links to More Info: BT1612101

Component: F5OS-C

Symptoms:
The RRD stats display the data for old and new CPU cores. You can match the new CPU cores and validate the data. The old CPU cores data is invalid and should not be displayed.

Conditions:
When user configures BIG-IP Next tenant and changes the vCPU cores.

Impact:
No Functional Impact. Both old and new data stats appear for cpu-stats in RRD. However, data streaming works as expected.

Workaround:
None

Fix:
None

1607745-3 : Apache HTTPD vulnerabilities CVE-2024-38476, 2024-38474 and CVE-2024-38475

Links to More Info: K000140618

1603509 : No alarm sent when front panel management link is down

Links to More Info: BT1603509

Component: F5OS-C

Symptoms:
When the front panel management port is down, no alarm is sent

Conditions:
Happens only when chassis is power cycled or blades are inserted/removed in slot 0 and 1.

Impact:
No alarm sent when front panel management link is down and switch stats displayed will not have accurate entries in "show system health".

Workaround:
None

Fix:
Diag-agent will not remove switch port entries when it receives module present events for slot 0 and 1.

1600693-1 : F5OS - BIG-IP Tenant does not display VELOS Chassis slot serial number

Links to More Info: BT1600693

Component: F5OS-C

Symptoms:
F5OS BIG-IP Tenant does not display the serial number for the slot ("Host Board Serial") under "System Information"

Conditions:
BIG-IP tenant is running on a chassis, and command "tmsh show sys hardware" is run from the tenant

Impact:
The slot serial number is not immediately visible to the user

Workaround:
For CLI, login to the partition and run command "show components component state serial-no". For GUI, login to the active controller, then go to System Settings -> System Inventory. The blade serial number will be shown.

Fix:
F5OS was updated to provide the blade serial number to the tenant for display. The tenant was updated to populate the blade serial number into "show sys hardware" command output, so it is now visible to the user. This fix requires a version 17.5 tenant.

1598937 : SNMP traps are not always sent★

Links to More Info: BT1598937

Component: F5OS-C

Symptoms:
After upgrading to 1.8.0 version SNMP traps may stop working.

Conditions:
Upgrade system to 1.8.0 from previous version.

Impact:
SNMP trap functionality does not work

Workaround:
Reconfigure the SNMP configuration.

Fix:
Correct the SNMP configuration in the upgrade case. So, issue is resolved.

1598605-1 : CVE-2023-45288 - HTTP/2 endpoint excessive header reading via CONTINUATION frames

Links to More Info: K000148640

1598509-2 : iHealth client can occasionally throw a core file

Links to More Info: BT1598509

Component: F5OS-C

Symptoms:
The iHealth client, accessible with the command line,
system diagnostics ihealth can be used for uploading QKView files to the iHealth service. If this client loses connection to the system database for any reason, it may throw a core file, in the host system's /var/shared/core directory.

Conditions:
System has been up for a long time, and there is a problem with the ConfD database causing the iHealth client to disconnect.

Impact:
A core file may be thrown. The iHealth client will restart if this happens, so functionality is not affected.

Workaround:
Retry the ihealth client operation.

Fix:
The iHealth client will only access the ConfD database when it needs to query information, and not maintain an open connection.

1596149-1 : Monitor rSeries ATSE to BE2 links and Raise Alarms in the Event of Failures

Links to More Info: BT1596149

Component: F5OS-C

Symptoms:
Monitor rSeries ATSE to BE2 links and Raise Alarms in the Event of Failures

Conditions:
F5 rSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
In cases where errors are detected between the ATSE and BE2 links, alarms and events will be reported.

Workaround:
None

Fix:
Monitor ATSE to BE2 links and raise alarms and report events when errors are detected.

1595113-4 : Interface state enabled value stale due to timeout to reach confd

Links to More Info: BT1595113

Component: F5OS-C

Symptoms:
When trying to modify the interface admin status to disabled across five different interfaces on five blades in a VELOS partition in a single commit message, the CLI operation to update the state interface enabled field fails with an error "system call failed". "Failed to write 68 bytes to ConfD: Connection timed out".

Conditions:
This can occur when a failover of chassis-controller and partition occurs, right before the interface enabled field changes.

Impact:
Stale value for interface/state/enabled field.

Workaround:
Enable and re-disable the interfaces.

Fix:
With the fix, the interface/state/enabled field will reflect accurately the configuration admin status of the interface.

1594125 : GUI fails to modify interfaces on F5OS-C

Links to More Info: BT1594125

Component: F5OS-C

Symptoms:
Interface-related operations from the GUI fail.

Conditions:
-- Interface-related operations like LAG creation or deletion.
-- F5OS build prior to 1.8.0-15246

Impact:
You are unable to perform interface operations from the GUI

Workaround:
None

Fix:
GUI is able to modify the interfaces on F5OS-C

1593385 : F5OS Tenant Throughput (bits/packets) and TMM CPU usage higher than expected until VLAN is added or removed

Links to More Info: BT1593385

Component: F5OS-C

Symptoms:
Higher CPU usage and throughput from the tenant than expected. Traffic being directed to a single blade in a multi-blade system.

Conditions:
Repeated deletes/adds of a VLAN from/to a tenant. After approximately 130 deletes, the issue occurs.

Impact:
Traffic imbalance, higher than normal CPU usage.

Workaround:
Re-add the recently deleted VLAN to the tenant.

Fix:
Properly clean up internal storage when a VLAN is deleted from a tenant.

1592221 : A partition's internal bridge IP address is not detected correctly if there is a missing partition ID in the list of partitions.

Links to More Info: BT1592221

Component: F5OS-C

Symptoms:
The system controller logs will include the msg "Floating IP is not present for enabled partition; do not change controller state" on system controller failover.

Conditions:
When the list of partition IDs includes "holes" in the list. For example, there are partition IDs 1 and 3 (but no 2) on the chassis. This can happen if a partition is deleted.

Impact:
System controller failover is impacted.

Workaround:
Recreate a partition (no need to enable it). It will use the missing ID in the list.

Fix:
The code has been fixed to correctly check the partition ID when detecting presence of the partition bridge IP address.

1591645-3 : EPVA related dma-agent crash

Links to More Info: BT1591645

Component: F5OS-C

Symptoms:
A dma-agent seg_fault occurs when there is a conflict between special EPVA allow-list entries.

Conditions:
A conflict between two entries on the allow-list triggers a code path in the dma-agent and resulting in a seg_fault.

Impact:
Traffic loss as the dma-agent needs to be restarted by its watchdog/start up script. Tenants need to re-register with the datapath.

Workaround:
None

Fix:
This issue has been fixed by setting a THREAD local variable in the epva_tbl_mgmt thread, preventing a seg_fault when the edge case method is triggered.

1591585 : Sshd, httpd, rsync crashes with bunch of whitespaces in /etc/hosts file

Links to More Info: BT1591585

Component: F5OS-C

Symptoms:
When VELOS system controllers fail over, OMD rewrites /etc/hosts on each controller to move around where the 'etcd3.chassis.local' name is assigned.

When this occurs an extra space character is added to the controller-1.chassis.local and controller-2.chassis.local lines. If you add enough whitespace to /etc/hosts (uncertain how much, but megabytes will do it), it starts causing daemons to crash in getnameinfo() calls as they try to resolve the local system IP to a hostname.

Conditions:
VELOS System controllers fails over. Extra space characters are added after controller-X.chassis.local.

Impact:
Sshd, httpd, rsync crashes when the whitespace in /etc/hosts becomes excessive.

Workaround:
Run below command in bash to remove extra space in etc/hosts file.
sed -i 's/[[:space:]]＼+$//' /etc/hosts

Fix:
Fixed C-1.8.0

1591553 : Including /etc/resolv.conf and /etc/hosts files in QKView capture

Links to More Info: BT1591553

Component: F5OS-C

Symptoms:
The /etc/resolv.conf and /etc/hosts files are included to check the configured parameters in host QKView from the affected device.

Conditions:
F5OS-A 1.7.0 and lower versions QKView capture does not include the /etc/resolv.conf and /etc/hosts files.

Impact:
The /etc/resolv.conf and /etc/hosts files are not captured in F5OS-A 1.7.0 and lower versions.

Workaround:
None

Fix:
The /etc/resolv.conf and /etc/hosts files are included in QKView capture as part of F5OS-A 1.8.0 release.

1591549-1 : Support for case-insensitive LDAP username lookup

Links to More Info: BT1591549

Component: F5OS-C

Symptoms:
Previously, username lookup for LDAP-authenticated users was always case-sensitive.

Conditions:
Third-party authentication is configured with LDAP or Active Directory; user(s) in question reside in LDAP directory.

Impact:
Username lookups for authentication/authorization against LDAP directory were always conducted in a case-sensitive fashion, even for directories where case-insensitive was the default for the organization (e.g. Windows AD).

Case-insensitive default is considered a safer security posture. It prevents username masking and cache injection when multiple users that only differ by case, with differing authorization privileges, exist in the same directory.

Workaround:
Always use correct case for case-sensitive searches.

Fix:
A new option was added which allows the admin to enable case-insensitive searches for LDAP username lookups. Note that case-sensitive remains the default for security reasons.

1591069 : Blades may fail to get marked as InCluster in "show cluster" output after rolling upgrade

Links to More Info: BT1591069

Component: F5OS-C

Symptoms:
After a rolling upgrade, one or more blades may be marked as "Not In Cluster" in the "show cluster" output.

Conditions:
Perform rolling upgrades from a manufacturing-installed F5OS C v1.7.0 to F5OS C v1.7.1.

Impact:
System will function correctly, but "show cluster" output will show the blade is not being marked "In Cluster".

Workaround:
To workaround the issue, the orchestration-manager daemon can be restarted, which will result in the "In Cluster" status being updated. This action needs to be performed from the shell on both controllers.

systemctl restart orchestration_manager_container.service

Fix:
Fixed issue in the orchestration-manager daemon causing the "In Cluster" status not being updated.

1590617-1 : Partition Network Manager is crashing when turning up.

Links to More Info: BT1590617

Component: F5OS-C

Symptoms:
Upon Partition turn up, the Network Manager component crashes.

Conditions:
The Partition is turning up. This can happen due to partition creation, partition enable, or controller reboot.

Impact:
No impact. The Network Manager will successfully start after a retry.

Workaround:
None

Fix:
None

1590425 : Adding blade to openshift cluster can fail with ansible error

Links to More Info: BT1590425

Component: F5OS-C

Symptoms:
Adding or re-Adding a blade to the OpenShift cluster can fail with the following ansible error:

fatal: [blade-2.chassis.local -> controller-1.chassis.local]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: {{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}: 'dict object' has no attribute 'master'＼n＼nThe error appears to be in '/usr/share/ansible/openshift-ansible/roles/openshift_manage_node/tasks/main.yml': line 5, column 3, but may＼nbe elsewhere in the file depending on the exact syntax problem.＼n＼nThe offending line appears to be:＼n＼n# systemd to start the master again＼n- name: Wait for master API to become available before proceeding＼n ^ here＼n"}

Conditions:
Adding or re-Adding a blade to blade the OpenShift cluster after the etcd instance been rebuilt.

Impact:
New blade will not join the cluster correctly.

Workaround:
The workaround is to rebuild the OpenShift cluster which will regenerate the openshift.fact file that had been corrupted.

Fix:
The fix checks the openshift.fact file before running any ansible playbooks to make sure it is correct.

1588093-1 : Forwarding host log files to remote targets

Links to More Info: BT1588093

Component: F5OS-C

Symptoms:
/var/log/messages grows quickly, consuming the disk space, making the system unusable.

Conditions:
Having /var/log/messages as a host-logs files entry to forward the file lines to a remote destination.

Impact:
When syslog generated files are configured to be forwarded as files, forwarding efficiency can be affected compared to utilizing selectors.

The /var/log/messages being in this list can lead to a cyclical logging issue, where the disk space is consumed faster than the logs can be rotated out, potentially resulting in a full disk.

Workaround:
Use selectors instead for any file that is syslog generated.

The host-logs files configuration is meant for text files that cannot be forwarded through selectors configuration.

Fix:
To prevent filling the disk, files that are forwarded out line by line would not be processed locally. This will prevent having entries in /var/log/messages.

1587925-1 : Modifying a RADIUS server from the web UI requires the Secret to be configured or re-entered

Links to More Info: BT1587925

Component: F5OS-C

Symptoms:
Modifying a RADIUS server from the webUI always requires the Secret to be configured or re-entered.

Conditions:
Modifying a RADIUS server from the webUI.

Impact:
It requires the Secret to be entered, even if it is already configured.

Workaround:
If secret configuration is not required, edit the RADIUS server from the CLI.

Fix:
Create a Radius server and edit it. Editing the port or timeout fields no longer requires the Secret to enable saving.

1587837 : Memory leak in multiple components

Links to More Info: BT1587837

Component: F5OS-C

Symptoms:
A mishandling of memory allocation in the data provider callback library can cause memory allocation to grow over time. This memory usage growth can cause poor performance and the Out Of Memory (OOM) killer may kill components, causing outages.

Conditions:
If a data provider processes overlapping requests it can leak memory. The components most affected by this are the platform-stats, snmp-service, an L2 agent.

Impact:
Components may crash or get killed.

Workaround:
Monitor memory usage and periodically restart daemons that experience excessive memory growth. On a chassis system, a manual failover and the rebooting the standby controller will restart all daemons.

To minimize the occurrence of this leak, do not constantly poll for statistics, especially from multiple monitoring stations.

Fix:
The library has been fixed to no longer leak session data.

1586965-1 : No active instance of ConfD after failover

Links to More Info: BT1586965

Component: F5OS-C

Symptoms:
Unable to configure VELOS system, ConfD CLI commands fail.

Conditions:
Rarely, after failover newly active system controller silently transitions to none.

Impact:
Unable to configure VELOS system, ConfD CLI commands fail.

Workaround:
Reboot chassis.

Fix:
In releases with this fix in place, after failover there will be always be an Active instance of ConfD.

1586893 : Metrics server pod on system controller can exit and not be restarted

Links to More Info: BT1586893

Component: F5OS-C

Symptoms:
The openshift cluster does not operate properly and the controller-manager pods are in a crash loop.

Conditions:
When the metrics server pod exits it causes the controller-manager pods to go into a crash loop.

Impact:
Openshift cluster will not operate correctly since controller-manger pods are in running state.

Workaround:
If you see the metrics-server pod that is in the exit state, the following commands can be run at the root shell prompt.

1. Run oc get pods -n kube-system |grep -i metrics and get the pod name.

2. Run oc delete -n kube-system pod/<pod-name>

1586773 : BX520 Internal FPGA links can fail to come UP during initialization

Links to More Info: BT1586773

Component: F5OS-C

Symptoms:
On the BX520, internal FPGA links fail to initialize with the following error:

fpgamgr[9]: nodename=blade-11(p1) priority="Err" version=1.0 msgid=0x301000000000006 msg="SDK error during programming." API="f5sw_xilinx_cmac_datapath_reset" port=18 error="Waiting for the Xilinx MAC RX_ALIGN to be acheived has failed. Number of retries have exceeded".

Conditions:
Reboot of a BX520 blade.

Impact:
Traffic outage between FPGAs.

Workaround:
Reboot the affected blade.

Fix:
Implement updated initialization procedure for internal FPGA links.

1586661-2 : First login for a remote user fails

Links to More Info: BT1586661

Component: F5OS-C

Symptoms:
The first time a remote user attempts to login to a system, the access is denied despite providing the correct credentials. This is true for both TACACS or RADIUS remote users.

Conditions:
This happens always. A way to simulate the first login is to delete the file /etc/libnss-udr/passwd.

Impact:
The first login fails. Subsequent remote login attempts succeed with proper credentials.

Workaround:
Attempt renote login again.

Fix:
The user now can login with proper credentials from the first attempt. Note that the fix involves having the following version of openssh (or newer):

# rpm -q openssh
openssh-7.4p1-21.F5.6.2.7.el7.x86_64