LoadMaster 7.2.43 Release Notes

Refer to the sections below for details about firmware version 7.2.43. This was released on 25th July 2018.

New Features

The following new features were added to the 7.2.43 release:

  • Virtual LoadMaster (VLM) Annual Subscription Model: The subscription LoadMaster offers organizations a way to acquire Virtual LoadMaster Application Delivery Controller (ADC) functionality by subscription rather than purchasing a perpetual license. It enables customers to procure ADC capabilities on an annual basis, helping to reduce initial outlay while delivering increased performance and functionality.
  • Published a Microsoft SharePoint 2016 Virtual Service application configuration template.
  • LoadMaster LM-X15 now supports the LM-SFP-LR (SFP+ LR Transceiver 10GBASE-LR 1310nm, 10KM over SMF) transceiver.

Feature Enhancements

  • Improved the activation workflow for Metered Enterprise License Agreement (MELA) LoadMasters by providing a simplified KEMP 360 Central Activation Settings Web User Interface (WUI) page and guidance text on the initial and subsequent login pages on how to correctly activate MELA LoadMasters using KEMP 360 Central.
  • Previously, when using the LoadMaster Web User Interface (WUI) admin login method Client certificate required or Client certificate required (Verify via OCSP), a user was not granted the expected permissions defined in local user/group settings.
    Now, when using those login methods, permissions are granted as defined in local user/group settings.
  • Previously, when tracking for Failed Login Attempts was enabled, Single Sign On (SSO) sessions associated with Failed Login Attempts were displayed in addition to valid and active SSO sessions.
    Now, SSO sessions for Failed Login Attempts are not displayed under SSO Sessions, thus limiting the information displayed to just valid and active SSO sessions.
  • Previously, there was no way to restrict non-admin users on the LoadMaster from adding new Virtual Services or modifying existing Virtual Services.
    Now, a new Allow Extended Permissions option is available when adding users to the LoadMaster. This allows the admin user to restrict other users from adding new Virtual Services or from modifying the IP address of existing Virtual Services.
  • Previously, there was no Redundant Array of Independent Disks (RAID) monitoring facility available for hardware LoadMasters that supported disk RAID configurations.
    Now, in the Debug Options screen on the LoadMaster WUI, there are options to display the RAID controller and RAID disk information. Status information in relation to RAID events is also available in the LoadMaster message logs and using Syslog.
  • Previously, there were two licensing options (Online Licensing and Local Activation) to license the LoadMaster Service Provider License Agreement (SPLA) product.
    The Local Activation option has been renamed to KEMP 360 Central Licensing.
  • The Virtual Service application configuration template for VMware Horizon View 7 was updated.
  • Enhancements made to the Edge Security Pack (ESP) SSO functionality to mitigate memory issues.
  • Previously, in the network interface management WUI screen for interfaces other than eth0, the Allow Administrative WUI Access option could not be enabled until an IP address was specified on that interface.
    Now, the Allow Administrative WUI Access option can be enabled without specifying an IP address. This option can also be enabled when configuring an IP address on the interface.
  • Previously, when using the LoadMaster WUI admin login method with a different domain name and remote access groups enabled, users were not granted the expected permissions defined in local user/group settings.
    Now, with this configuration, users are granted the correct permissions as defined in local user/group settings.

Issues Resolved

PD-11560

Previously, in certain scenarios, a LoadMaster configured in High Availability (HA) was failing over from active to backup regularly.

Now, the failover scenario is fixed and HA functions as expected.

PD-11546

Previously, when ESP was enabled and the Client Authentication Mode was set to Delegate to Server, some configuration items that should be enabled were not configurable.

Now, the following configuration items are available to be set: Allowed Virtual Hosts and Allowed Virtual Directories.

PD-11504

Previously, if the LoadMaster was restored to factory settings, the backup file always included the output of the top command.

Now, the LoadMaster backup file only includes the output of the top command when the Include Top in Backup option is enabled in the Debug Options screen.

PD-11495

Previously, in a LoadMaster cloud HA environment, there were inconsistencies in the naming of some configuration items.

Now, some configuration items have text containing the respective cloud environment name, for example Azure HA Mode and LoadMaster Azure HA Parameters.

PD-11481

Previously, the WUI displayed incorrect error messages when adding or modifying a Virtual Service, SubVS, or Real Server for various incorrect configurations.

Now, the WUI displays the correct error message in all cases.

PD-11441

Previously, latency issues were experienced on UDP Virtual Services.

Now, latency issues for UDP Virtual Services are resolved.

PD-11419

Previously, the LoadMaster Domain Name System (DNS) failed to resolve non-local Real Server IP addresses.

Now, the LoadMaster DNS can resolve non-local Real Server IP addresses to the correct Fully Qualified Domain Names (FQDNs).

PD-11415

Previously, the interface link speed was not displayed correctly in the Virtual LoadMaster (VLM) WUI.

Now, the link speed is displayed correctly for VLMs.

PD-11373

Previously, SubVSs could not be added to a wildcard Virtual Service.

Now, you can add SubVSs to wildcard Virtual Services.

PD-11371

Previously, in a configuration with multiple SubVSs, if content switching rules were configured on at least one SubVS and that SubVS was marked as critical, traffic was still allowed to be handled by the Virtual Service when that SubVS went out of service.

Now, if a critical SubVS that has content switching rules configured is out of service, all traffic to the master Virtual Service is blocked.

PD-11369

Previously, in the LoadMaster WUI, if Local Users authentication and Use ONLY if other AAA services fail were both enabled, local user authentication failed.

Now, if both of these options are enabled, the local user is authenticated correctly.

PD-11339

Previously, when GEO was configured with two or more Fully Qualified Domain Name (FQDN) sites with the same IP address, the API command to change the checker address (changecheckeraddr) only worked for the first FQDN and failed for others.

Now, the API command works as expected when multiple FQDN sites are configured with the same IP address.

PD-11333

Previously, the dash character (-) was not permitted in a Remote User Group name.

Now, the Remote User Group name supports the dash character (-) and the error shown if an unsupported character is used is more informative about what characters are supported.

PD-11310

Previously, when validuser debug was enabled with a different Admin Login Method, no logs were sent to the syslog server.

Now, all the correct logs are sent to the syslog server for this configuration.

PD-11309

Previously, when a user viewed the ESP SSO sessions in the WUI, a combination of long IPv6 client addresses and other session details such as "username" could result in an SSO manager buffer overrun. This resulted in the SSO manager restarting and causing existing sessions to be dropped.

Now, buffer sizes for user sessions and source addresses in the SSO manager are increased. Also, checking was implemented to ensure buffers are not exceeded. These changes prevent user sessions with the above combinations from being dropped.

PD-11297

Previously, in the LoadMaster WUI, if a user enabled Local Users Authentication, followed by enabling both the Authorization and Use ONLY if other AAA services fail check boxes and then subsequently disabled Local Users Authentication, without first disabling Use ONLY if other AAA services fail, then the Local Users Authentication remained enabled.

Now, if a user disables Local Users Authentication, the previous settings of Authorization and Use ONLY if other AAA services fail are preserved, but the functionality is disabled.

PD-11281

Previously, inconsistencies were observed with text case sensitivity when configuring Remote User Group names in different LoadMaster configurations.

Now, Remote User Group names are case-sensitive throughout all LoadMaster configurations.

PD-11277

Previously, with ESP enabled and Dual Factor Authentication configured with RADIUS and LDAP, in certain cases an invalid remote user was able to log in after a previous valid user had successfully logged in.

Now, with this configuration, all invalid users are blocked from logging in and are prompted to authenticate to gain access.

PD-11263

Previously, with ESP enabled and Use for Session Timeout set to max duration for client-side Single Sign On, the user session expiry time shown in the Expires column for open client-side sessions on the WUI increased when the user received an email.

Now, with the configuration mentioned, the user session expiry time shown in the Expires column for open Client-Side Sessions does not increase anymore.

PD-11250

Previously, when deleting a user from the LoadMaster, an incorrect message was displayed and the Cancel function did not operate correctly.

Now, the correct warning message displays and the Cancel function works as expected.

PD-11206

Previously, Local User accounts could not access the LoadMaster WUI in an ESP environment when RADIUS authentication was configured.

Now, access to the LoadMaster WUI is working for Local User accounts when RADIUS authentication is configured.

PD-11180

Previously, when Security Assertion Markup Language (SAML) was configured on the LoadMaster with an Active Directory Federation Service (AD FS) setup, users had failed logout attempts due to an issue with the NameID format.

Now, the correct NameID is provided for the logout workflow and users are able to successfully log out.

PD-11178

Previously, connections were not allowed to a Virtual Service configured for SSL with ESP enabled.

Now, a Virtual Service with this configuration allows connections to be created and passes traffic as normal.

PD-11162

Previously, the memory restriction associated with enabling the Web Application Firewall (WAF) on a LoadMaster was not adhered to.

Now, WAF cannot be enabled on a hardware LoadMaster with less than 2 GB memory or on a Virtual LoadMaster with less than 1.5 GB memory. This takes into account the memory already used by the system plus the recommended 512 MB free memory per WAF-enabled Virtual Service.

PD-11110

Previously, with ESP enabled, a local or non-local LDAP user with client certificate authentication enabled was always assigned read-only group permissions.

Now, LDAP users with client certificates enabled are assigned the correct group permissions.

PD-11052

Previously, a connection to a Virtual Service failed if Enable HTTP/2 Stack and Detect Malicious Requests options were both enabled.

Now, when both options are enabled, the connections to the Virtual Service work as expected.

PD-11042

Previously, during a firmware upgrade of an HA LoadMaster configuration with Netconsole enabled, a large reboot latency was observed following the upgrade.

Now, the eth0 interface link is established earlier in the startup process and immediate access to the machine is possible. This removes the large reboot latency that was experienced previously.

PD-10976

Previously, in certain scenarios, high CPU utilization was observed with GEO.

Now, GEO stability has been increased.

PD-10936

Previously, when SAML was configured, the value of the StatusCodeValue element that is returned in the response from the SAML federated server could become corrupt during internal processing with an invalid string. As a result, verification of the StatusCodeValue failed, the SAML response was rejected, and the authentication attempt failed.

Now, the StatusCodeValue corruption is fixed and verification of the value and the SAML response as a whole proceeds as expected.

PD-10930

Previously, connections to Virtual Services sometimes failed if Enable HTTP/2 Stack and WAF were both enabled.

Now, when both options are enabled, the connections to the Virtual Service work as expected. 

PD-10862

Previously, a Local User account that only had Real Servers permissions could not modify Real Servers on a Virtual Service that had SSL offloading or re-encryption enabled.

Now, the correct permissions are assigned to local users for the configuration mentioned.

PD-10802

Previously, users could not add a Real Server with the Forwarding method set to route using the RESTful API.

Now, users can add Real Servers with the Forwarding method set to route using the RESTful API.

PD-10801

Previously, the ESP SSO setting Username Only was not available for the Logon Format (Phase 1 RADIUS) when the Authentication Protocol was set to RADIUS and LDAP in the manage SSO WUI screen.

Now, the Username Only option is available for selection with this configuration.

PD-10800

Previously, cloud HA did not handle WAF rules or GEO blacklist downloads correctly.

Now, cloud HA handles WAF rules and GEO blacklist downloads correctly by having the standby LoadMaster synchronize its rules from the active LoadMaster instead of downloading them from a download site.

PD-10347

Previously, the SSO session expiry time was not displayed accurately.

Now, the correct user SSO session expiry time is displayed.

PD-10207

Previously, when ESP was enabled and the LDAP server response was interrupted, the LDAP service not reachable and LDAP service up again warning messages were logged.

Now, these warning messages no longer appear in the warn logs if the LDAP server response is interrupted.

PD-10197

Previously, in cluster mode, Virtual Service and Real Server status and statistics were reported incorrectly on the WUI home page of the master LoadMaster.

Now, the statistics and status for Virtual Services and Real Servers in cluster mode are reported correctly on the WUI home page of the master LoadMaster.

Known Issues

PD-11670

When the LoadMaster is configured in cluster mode, a cluster member that is actually down is displayed as Disabled on the WUI cluster status page.

PD-11662

The output of the ps command in the LoadMaster backup file is unreadable.

PD-11636

On a Federal Information Processing Standards (FIPS) enabled hardware LoadMaster, during creation of a Virtual Service, this log output appears in the WUI: grep: /tmp/cert.list: No such file or directory. This can be safely ignored.

PD-11621

In a GEO configuration with Stickiness set in the Miscellaneous Params WUI screen, a requested Fully Qualified Domain Name (FQDN) is not returned correctly if the Fail Over location is set to Everywhere.

PD-11613

A user who only has the Geo Control permission cannot enable GSLB on the LoadMaster.

PD-11607

When an Online Certificate Status Protocol (OCSP) server address is changed on the LoadMaster, the logs report that the change was made but the change does not take effect. The workaround is to force an OCSPD cache flush in the Debug Options screen in the LoadMaster WUI.

PD-11591

In certain circumstances, while modifying the LoadMaster configuration using API automation, the configuration can become corrupt.

PD-11577

A user with the correct permissions cannot add a content rule to a Virtual Service.

PD-11520

If a LoadMaster license is downgraded to remove ESP or the Web Application Firewall (WAF), Virtual Services still display that these features are configured in the View/Modify Services WUI screen, even though the functionality was removed.

PD-11503

In GEO, an incorrect message "GEO ACL Automatic Update file not found" is reported in the logs, even if Enable Automated GEO IP Blacklist data Updates is disabled.

PD-11436

Routing issues exist when adding IPv6 addresses to an HA LoadMaster configuration.

PD-11413

When ESP is enabled with a Virtual Service configuration of Client Authentication Mode set to Client Certificate and Server Authentication Mode set to Kerberos Constrained Delegation (KCD), a valid user can be denied access even if they have a valid certificate and are part of a permitted group.

PD-11354

When ESP is configured, the time at which a user is put in a blocked state is displayed on the WUI in the incorrect time zone.

PD-11351

An out-of-context memory condition exists when memory that was previously allocated to a connection between the Layer 7 engine and SSL handling engine is being utilized by another process/task. In this scenario, the memory pointer is present but it is not what the system is expecting and this condition results in a kernel panic.

PD-11253

There is no REST or PowerShell API command to add a Real Server to all SubVSs.

PD-11252

An error occurs when adding an IPv6 RADIUS server IP address when configuring the ESP feature.

PD-11109

RESTful API does not respond with the correct warning message if the user is unable to enable WAF.

PD-11044

A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service, and KCD is enabled on the SubVS level for server-side authentication.

PD-11040

Under certain conditions, the ESP logs can fill the allocated partition for /var/log/userlog which may cause the unit to reboot.

PD-11024

The WUI is not accessible on NIC-1 from a non-local subnet.

PD-10970

If a template is exported from an older version of LoadMaster and it contains an improper string, a newer LoadMaster cannot import it.

PD-10961

LoadMasters in an Azure environment are not contacting the KEMP licensing server during a reboot.

PD-10956

In a cluster configuration of three or more LoadMasters with the Edge Security Pack (ESP) configured, issues exist where Single Sign On (SSO) fails.

PD-10917

An issue exists when setting up a 2-armed HA VLM in Azure.

PD-10874

An issue exists which prevents restoring certificates if the password includes the percentage (%) or ampersand (&) characters.

PD-10784

Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster (VLM) does not work.

PD-10627

There are issues when replacing clustered nodes.

PD-10598

There is no PowerShell API parameter to modify the IdP Certificate Match option.

PD-10586

If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.

PD-10572

The extended log view fails when the selected range is in different years.

PD-10490

The vsremovewafrule RESTful API command does not allow multiple rules to be removed.

PD-10474

A SNORT rule is triggering a false positive in certain scenarios.

PD-10466

LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000Base-LX 1310nm, 10KM over SMF).

PD-10435

Under certain specific conditions, the GEO application logs can fill the allocated partition which causes the unit to not log any further messages.

PD-10421

Setting options for the syslog server settings multiple times for different levels using the API causes events to repeat.

PD-10363

The PowerShell API is missing the ServerFbaPath and ServerFBAPost parameters.

PD-10193

A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.

PD-10188

When adding a Real Server to a Virtual Service or SubVS on a Safari browser, the list of available Real Servers is not available.

PD-10159

When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.

PD-10155

An issue with configuration corruption is causing some GEO features to not function.

PD-10136

There are some minor issues with LoadMaster clustering.

PD-10129

There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.

PD-9854

WAF does not support chunked transfer encoding on the POST body.

PD-9947

Virtual Services/Real Servers can report as "Up" in the API even if SubVSs are disabled.

PD-9816

There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.

PD-9765

GEO does not support DNS TCP requests from unknown sources.

PD-9553

There is no API command to disable secure NTP mode.

PD-9507

Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.

PD-9476

There is no RESTful API command to get/list the installed custom rule data files.

PD-9375

Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

PD-8853

GEO Location Based failover does not work as expected.

PD-8725

GEO Proximity and Location Based scheduling do not work with IPv6 source addresses.

PD-8697

Some users are experiencing issues detecting the partition when using the Hardware Security Module (HSM).

PD-7156

The VSIndex parameter is missing in some Application Program Interface (API) commands.

