LoadMaster 7.2.42 Release Notes

Refer to the sections below for details about firmware version 7.2.42. This was released on 4th April 2018.

New Features

The following new features were added to the 7.2.42 release:

  • Previously, there was no way for a System Administrator to view the underlying processes and system resource usage of a LoadMaster.
    Now, the Linux top command is available in the Debug Options screen and in the Application Program Interface (API) (both RESTful API and PowerShell). Therefore, a System Administrator can get a better understanding of how the LoadMaster is consuming system resources.
  • Previously, to allow LDAP endpoint users (for example, Active Directory users) to authenticate on the LoadMaster, local users needed to be created with specific permissions assigned.
    Now, LDAP endpoint users can authenticate on the LoadMaster without a local account. The LoadMaster queries the LDAP endpoint and if the user is valid and a member of an LDAP user group configured on the LoadMaster, they are authenticated and assigned the permissions of that group. Queries of nested groups are also supported with the first match being returned as the valid user group.
  • Previously, LoadMaster instances were not available in the CenturyLink Cloud environment.
    Now, LoadMaster instances are available to set up and configure in the CenturyLink Cloud environment.
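
With the nested-group, first-match behaviour described in the LDAP item above, the permissions a user receives can depend on the order in which groups are reached. The following Python code is an added example, not Kemp code, that resolves a user against configured groups and lists users who match more than one group, which is the case worth auditing. The directory data, group names, permission sets and the breadth-first search order are all assumptions; the release notes do not state how the LoadMaster orders its search.

```python
from collections import deque

# Constructed sample directory: DN -> groups it is a direct member of.
MEMBER_OF = {
    "cn=alice,ou=users": ["cn=helpdesk"],
    "cn=bob,ou=users": ["cn=netops", "cn=helpdesk"],
    "cn=carol,ou=users": ["cn=contractors"],
    "cn=helpdesk": ["cn=lm-readonly"],
    "cn=netops": ["cn=lm-admins", "cn=helpdesk"],
    "cn=lm-readonly": ["cn=helpdesk"],  # deliberate cycle between groups
    "cn=lm-admins": [],
    "cn=contractors": [],
}

# Hypothetical LDAP user groups configured on the appliance, with permissions.
CONFIGURED = {"cn=lm-admins": {"all"}, "cn=lm-readonly": {"read"}}


def matching_groups(user_dn, member_of, configured):
    """Return every configured group the user reaches, in the order reached.

    Assumed search order: breadth-first over memberOf, in directory order.
    The 'seen' set stops cyclic nesting from looping forever.
    """
    seen, hits = set(), []
    queue = deque(member_of.get(user_dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        if group in configured:
            hits.append(group)
        queue.extend(member_of.get(group, []))
    return hits


def authorize(user_dn, member_of, configured):
    """First match wins: return (group, permissions), or None to reject."""
    hits = matching_groups(user_dn, member_of, configured)
    return (hits[0], configured[hits[0]]) if hits else None


def ambiguous_users(users, member_of, configured):
    """Users matching more than one configured group: their effective
    permissions depend on search order, so review their memberships."""
    result = {}
    for user in users:
        hits = matching_groups(user, member_of, configured)
        if len(hits) > 1:
            result[user] = hits
    return result
```

Running `ambiguous_users` over an export of the directory before enabling group-based login shows which accounts should be moved so that they match exactly one configured group.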

Feature Enhancements

  • Previously, Azure Bring Your Own License (BYOL) licensing only facilitated an online licensing option.
    Now, Azure BYOL licensing supports both online and offline licensing options.
  • Previously, the LoadMaster did not correctly interpret the Content-Type set in the POST.
    Now, if a POST has a Content-Type set in the additional headers, the LoadMaster uses this setting as intended.
  • Addressed a critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management where an unauthenticated, remote attacker could bypass security protections, gain system privileges, execute elevated commands, and expose certain sensitive system data, such as certificates and private keys. This vulnerability was partially addressed in The expanded scope of this vulnerability, covering exploitation through injection of arbitrary executable commands in cookies, is addressed in this release.
  • Previously, there was no way to reset or download the Web Application Firewall (WAF) debug or WAF event log files.
    Now, there are options to reset and download the WAF debug and WAF event logs in the System Log Files screen in the Web User Interface (WUI) and also using the PowerShell and RESTful APIs.
  • Previously, there was no indication on the LoadMaster WUI of the possible reasons why a WAF-enabled Virtual Service could not be configured.
    Now, a message appears in the Virtual Service modify screen (in the WAF Options section) which displays the possible reasons why a WAF-enabled Virtual Service cannot be configured.
  • Previously, the WAF user logs were not rotated.
    Now, WAF user logs are rotated every 30 minutes if the file size is greater than 50MB.
  • Previously, there was no option in the LoadMaster WUI to view the WAF debug or event logs.
    Now, there is an option to view the WAF debug and event logs in the System Log Files screen in the WUI if the files exist.

Issues Resolved


Previously, sporadic LoadMaster reboots were reported.
Now, further enhancements have stabilized the system and prevented reboots.


Previously, LoadMaster Virtual Service throughput statistics were reporting incorrectly.
Now, this issue is resolved and the correct values for Virtual Service throughput are reported.


Previously, processing SAML responses failed during the base64 decode when the RelayState parameter was present. The RelayState parameter was present when integrating with an OKTA Identity Provider (IDP).
Now, when the SAML response contains a RelayState parameter, it is ignored to prevent impacting the base64 decode of the SAML response. The parameter is not used on the LoadMaster Service Provider.


Previously, in, the SAML verbose logs were logged under system log messages and warnings with debug disabled.
Now, when debug is disabled, the SAML verbose logs are no longer in the system log file.


Previously, there was a race condition between closing a connection and the data being released, which caused the LoadMaster to reboot.
Now, checks exist to ensure that if this race condition occurs, it is handled gracefully to ensure that the LoadMaster does not reboot.


Previously, the image set percentage sign in HTML was being processed incorrectly, showing incorrect text size.
Now, correct handling of the percentage sign no longer causes resizing of the text on the logout page.


Previously, exporting a template with a certain configuration resulted in it being unable to be imported.
Now, the exported template no longer contains the offending string, so it can be successfully imported.


Previously, there were not enough details of the last WAF rule install date and time.
Now, the end user is informed of the last WAF rule download with specific time and timezone information.


Previously, the message "kcd_get_user_ticket: credentials expired" repeated in the syslog, even when there was no client authentication issue.
Now, this message only appears in the syslog when ssomgr debugging is on.


Previously, use of the configured port for the target OCSP server and SSL responses from the server were handled incorrectly.
Now, the port configured for the OCSP server is used correctly per the configuration on the LoadMaster. SSL responses are also handled correctly.


Previously, when the Process Responses option was enabled in WAF, the responses failed.
Now, all responses are successfully processed when Process Responses is enabled in WAF.


Previously, automatic WAF rule downloads did not work if configured for a second HA mode system, even when it was in an active state.
Now, automatic WAF rule downloads work when configured for a second HA mode system. The issue that existed during HA configuration has been fixed.


Previously, when both the User Principal Name (UPN) and SAM (WindowsAccountName) Claims were in the SAML response, they were processed and selected for subsequent use inconsistently.
Now, when both the UPN and SAM Claims are present, the SAM (WindowsAccountName) Claim is given precedence for selection and subsequent use for server-side authentication (for example, Kerberos Constrained Delegation (KCD)).


Previously, users could not add documents to SharePoint sites when a WAF Virtual Service had Process Responses enabled at the main Virtual Service level, and KCD enabled on the SubVS for server-side authentication.
Now, on Chrome and Firefox, users can add documents to sites with the same configuration, but they are prompted to authenticate.


Previously, Alternative Domain selection and handling was not always reliable. When an Alternative Domain could have been selected appropriately, Virtual Service association was not always consistent. As a result, Form Based Authentication (FBA) on the server side did not trigger when expected. Furthermore, some characters were not permitted to be included in the server-side FBA post to the Real Server.
Now, Alternative Domain selection and handling provides reliable and expected processing. The Virtual Service association for Alternative Domains is reliable and allows FBA on the server side to be successfully triggered for the Virtual Service. Support for extra characters in the FBA post to the Real Servers, such as square brackets ( [ ] ), has also been added.


Previously, under load, WAF would fail responses from Real Servers due to all response data not being processed.
Now, under load, Real Server responses are handled correctly to ensure all data is processed and no failed responses occur.


Previously, error text appeared in the LoadMaster WUI when adding a VLAN with an ID of an already existing VLAN.
Now, this text does not appear and a pop-up error message appears with the correct error information.


Previously, on a LoadMaster with 2GB or less memory and remote logging enabled, adding/removing Application Generic rule sets to/from a Virtual Service caused WAF misconfiguration.
Now, additional checks exist to ensure that memory is allocated correctly when adding/removing Application Generic rule sets to prevent WAF misconfiguration from occurring.


Previously, when WAF and Process Responses were both enabled on a Virtual Service, the Real Server did not respond correctly.
Now, when WAF and Process Responses are both enabled on a Virtual Service, the Real Server responds as expected.


Previously, when an SSL certificate was used as the administrative certificate, everything worked as expected until the LoadMaster was rebooted, which caused access to the LoadMaster WUI to be lost.
Now, access to the LoadMaster WUI is preserved after a reboot.


Previously, SSO image sets did not get listed in the SSO Image Set drop-down list after the ESP SSO configuration was restored from a backup.
Now, SSO image sets are listed in the drop-down list after restoring from a backup.


Previously, when WAFD was terminating, there was a read error from the control channel if a termination sequence was called incorrectly.
Now, checking exists to ensure the termination sequence is correct and this ensures that WAF read errors do not occur.


Previously, Virtual LoadMasters became inaccessible on the Azure cloud when the WUI was moved to Network Interface Controller (NIC)-1.
Now, the WUI can be configured on any available NIC, except for access to the interface from a non-local network, even when the Admin WUI gateway is set to the local network gateway and the Allow Multi Interface Access option is set.


Previously, if an edge error condition occurred when creating a Virtual Service using the API, a segfault could occur.
Now, this error condition is correctly handled and it no longer causes a segfault.


Previously, the hapreferred parameter in the Set-LmAzureHAConfiguration PowerShell API command was not spelled correctly.
Now, the parameter spelling has been corrected to hapreferred.

Known Issues


LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000Base-LX 1310nm, 10KM over SMF), and LM-SFP-LR (SFP+ LR Transceiver 10GBASE-LR 1310nm, 10KM over SMF).


The active connection values reported in an SNMP tool do not match the LoadMaster statistics for active connections in all situations.


Under certain specific conditions, the Edge Security Pack (ESP) logs can fill the allocated partition for /var/log/userlog which may cause the unit to reboot.


Some users are experiencing issues detecting the partition when using the Hardware Security Module (HSM).


Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.


Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.


Some high memory usage has been observed.


Virtual Services/Real Servers can report as "Up" in the API even if SubVSs are disabled.


WAF does not support chunked transfer encoding on the POST body.


There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.


There are some minor issues with LoadMaster clustering.


When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.


When adding a Real Server to a Virtual Service or SubVS on a Safari browser, the list of available Real Servers is not available.


A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.


Cluster Virtual Service and Real Server home page statistics are reported incorrectly.


The ESP LDAP logs need to be enhanced.


The SSO session expiry time is not updated in domain session management.


Setting options for the syslog server settings multiple times for different levels using the API causes events to repeat.


A SNORT rule is triggering a false positive in certain scenarios.


Occasionally WAF is stopped with an "errno 24" error.


Cannot create body rules when single quotes are in separate capture groups.


The extended log view fails when the selected range is in different years.


There are issues when replacing clustered nodes.


There are some issues relating to username normalization when using RADIUS authentication.


A local user with Real Server permissions cannot make changes to a Real Server when the Virtual Service is offloading or reencrypting.


LoadMasters in an Azure environment are not contacting the KEMP licensing server during a reboot.


If a template is exported from an older version of LoadMaster and it contains an improper string, a newer LoadMaster cannot import it.


High CPU utilization was observed in a certain scenario when using GEO.


The WUI is not accessible on NIC-1 from a non-local subnet.


When the LoadMaster reports settings back to the KEMP Licensing Server, it always reports that KEMP 360 Vision is not in use, even if it is.


A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service, and KCD is enabled on the SubVS level for server-side authentication.


GEO does not support DNS TCP requests from unknown sources.


Location Based failover does not work as expected.


Proximity and Location Based scheduling do not work with IPv6 source addresses.


If a GEO FQDN is configured with All Available as the Selection Criteria, IPs are returned even if the cluster is disabled.


An issue with configuration corruption is causing some GEO features to not function.


The VSIndex parameter is missing in some API commands.


There is no RESTful API command to get/list the installed custom rule data files.


There is no API command to disable secure NTP mode.


There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.


The vsremovewafrule RESTful API command does not allow multiple rules to be removed.


There is no PowerShell API parameter to modify the IdP Certificate Match option.


It is not possible to set the forward parameter to route using the addrs RESTful API command (you can set it using modrs).


RESTful API does not respond with the correct warning message if the user is unable to enable WAF.


The PowerShell API is missing the ServerFbaPath and ServerFBAPost parameters.