LoadMaster 7.2.43 Release Notes
Refer to the sections below for details about firmware version 7.2.43. This was released on 25th July 2018.
New Features
The following new features were added to the 7.2.43 release:
- Virtual LoadMaster (VLM) Annual Subscription Model: The subscription LoadMaster offers organizations a way to acquire Virtual LoadMaster Application Delivery Controller (ADC) functionality by subscription rather than purchasing a perpetual license. It enables customers to procure ADC capabilities on an annual basis, helping to reduce initial outlay while delivering increased performance and functionality.
- Published a Microsoft SharePoint 2016 Virtual Service application configuration template.
- LoadMaster LM-X15 now supports the LM-SFP-LR (SFP+ LR Transceiver 10GBASE-LR 1310nm, 10KM over SMF) transceiver.
Feature Enhancements
- Improved the activation workflow for Metered Enterprise License Agreement (MELA) LoadMasters by providing a simplified KEMP 360 Central Activation Settings Web User Interface (WUI) page and guidance text on the initial and subsequent login pages on how to correctly activate MELA LoadMasters using KEMP 360 Central.
- Previously, when using the LoadMaster Web User Interface (WUI) admin login method Client certificate required or Client certificate required (Verify via OCSP), a user was not granted the expected permissions defined in local user/group settings. Now, when using those login methods, permissions are granted as defined in local user/group settings.
- Previously, when tracking for Failed Login Attempts is enabled, Single Sign On (SSO) sessions associated with Failed Login Attempts were displayed in addition to valid and active SSO sessions. Now, SSO sessions for Failed Login Attempts are not displayed under SSO Sessions, thus limiting the information displayed to just valid and active SSO sessions.
- Previously, there was no way to restrict non-admin users on the LoadMaster from adding new Virtual Services or modifying existing Virtual Services. Now, a new Allow Extended Permissions option is available when adding users to the LoadMaster. This allows the admin user to restrict other users from adding new Virtual Services or from modifying the IP address of existing Virtual Services.
- Previously, there was no Redundant Array of Independent Disks (RAID) monitoring facility available for hardware LoadMasters that supported disk RAID configurations. Now, in the Debug Options screen on the LoadMaster WUI, there are options to display the RAID controller and RAID disk information. Status information in relation to RAID events is also available in the LoadMaster message logs and using Syslog.
- Previously, there were two licensing options (Online Licensing and Local Activation) to license the LoadMaster Service Provider License Agreement (SPLA) product. The Local Activation option has been renamed to KEMP 360 Central Licensing.
- The Virtual Service application configuration template for VMware Horizon View 7 was updated.
- Enhancements made to the Edge Security Pack (ESP) SSO functionality to mitigate memory issues.
- Previously, in the network interface management WUI screen for interfaces other than eth0, the Allow Administrative WUI Access option could not be enabled until an IP address was specified on that interface. Now, the Allow Administrative WUI Access option can be enabled without specifying an IP address. This option can also be enabled when configuring an IP address on the interface.
- Previously, when using the LoadMaster WUI admin login method with a different domain name and remote access groups enabled, users were not granted the expected permissions defined in local user/group settings. Now, with this configuration, users are granted the correct permissions as defined in local user/group settings.
Issues Resolved
PD-11560 | Previously, in certain scenarios, a LoadMaster configured in High Availability (HA) was failing over from active to backup regularly. Now, the failover scenario is fixed and HA functions as expected.
PD-11546 | Previously, when ESP was enabled and the Client Authentication Mode was set to Delegate to Server, some configuration items that should be enabled were not configurable. Now, the following configuration items are available to be set: Allowed Virtual Hosts and Allowed Virtual Directories.
PD-11504 | Previously, if the LoadMaster was restored to factory settings, the backup file always included the output of the top command. Now, the LoadMaster backup file only includes the output of the top command when the Include Top in Backup option is enabled in the Debug Options screen.
PD-11495 | Previously, in a LoadMaster cloud HA environment, there were inconsistencies in the naming of some configuration items. Now, some configuration items have text containing the respective cloud environment name, for example Azure HA Mode and LoadMaster Azure HA Parameters.
PD-11481 | Previously, the WUI displayed incorrect error messages when adding or modifying a Virtual Service, SubVS, or Real Server for various incorrect configurations. Now, the WUI displays the correct error message in all cases.
PD-11441 | Previously, latency issues were experienced on UDP Virtual Services. Now, latency issues for UDP Virtual Services are resolved.
PD-11419 | Previously, the LoadMaster Domain Name System (DNS) failed to resolve non-local Real Server IP addresses.
PD-11415 | Previously, the interface link speed was not displayed correctly in the Virtual LoadMaster (VLM) WUI. Now, the link speed is displayed correctly for VLMs.
PD-11373 | Previously, SubVSs could not be added to a wildcard Virtual Service. Now, you can add SubVSs to wildcard Virtual Services.
PD-11371 | Previously, in a configuration with multiple SubVSs, if content switching rules are configured on at least one SubVS and this SubVS is marked as critical - if this SubVS went out of service, traffic was still allowed to be handled by the Virtual Service. Now, if a critical SubVS that has content switching rules configured is out of service, all traffic to the master Virtual Service is blocked.
PD-11369 | Previously, in the LoadMaster WUI, if Local Users authentication and Use ONLY if other AAA services fail were enabled, local user authentication failed. Now, if both of these options are enabled, the local user is authenticated correctly.
PD-11339 | Previously, when GEO was configured with two or more Fully Qualified Domain Name (FQDN) sites with the same IP address, the API command to change the checker address (changecheckeraddr) only worked for the first FQDN and failed for others. Now, the API command works as expected when multiple FQDN sites are configured with the same IP address.
PD-11333 | Previously, the dash character (-) was not permitted in a Remote User Group name. Now, the Remote User Group name supports the dash character (-) and the error shown if an unsupported character is used is more informative about what characters are supported.
PD-11310 | Previously, when validuser debug was enabled with a different Admin Login Method, no logs were sent to the syslog server.
PD-11309 | Previously, when a user viewed the ESP SSO sessions in the WUI, a combination of long IPv6 client addresses and other session details such as "username" could result in an SSO manager buffer overrun. This resulted in the SSO manager restarting and causing existing sessions to be dropped. Now, buffer sizes for user sessions and source addresses in the SSO manager are increased. Also, checking was implemented to ensure buffers are not exceeded. These changes prevent user sessions with the above combinations from being dropped.
PD-11297 | Previously, in the LoadMaster WUI, if a user enabled Local Users Authentication, followed by enabling both the Authorization and Use ONLY if other AAA services fail check boxes and then subsequently disabled Local Users Authentication, without first disabling Use ONLY if other AAA services fail, then the Local Users Authentication remained enabled. Now, if a user disables Local Users Authentication, the previous settings of Authorization and Use ONLY if other AAA services fail are preserved, but the functionality is disabled.
PD-11281 | Previously, inconsistencies were observed with text case sensitivity when configuring Remote User Group names in different LoadMaster configurations. Now, Remote User Group names are case-sensitive throughout all LoadMaster configurations.
PD-11277 | Previously, with ESP enabled and Dual Factor Authentication configured with RADIUS and LDAP, in certain cases an invalid remote user was able to log in after a previous valid user had successfully logged in. Now, with this configuration, all invalid users are blocked from logging in and are prompted to authenticate to gain access.
PD-11263 | Previously, with ESP enabled and Use for Session Timeout set to max duration for client-side Single Sign On, the user session expiry time shown in the Expires column for open client-side sessions on the WUI increased when the user received an email. Now, with the configuration mentioned, the user session expiry time shown in the Expires column for open Client-Side Sessions no longer increases.
PD-11250 | Previously, when deleting a user from the LoadMaster, an incorrect message was displayed and the Cancel function did not operate correctly. Now, the correct warning message displays and the Cancel function works as expected.
PD-11206 | Previously, Local User accounts could not access the LoadMaster WUI in an ESP environment when RADIUS authentication was configured. Now, access to the LoadMaster WUI is working for Local User accounts when RADIUS authentication is configured.
PD-11180 | Previously, when Security Assertion Markup Language (SAML) was configured on the LoadMaster with an Active Directory Federation Service (AD FS) setup, users had failed logout attempts due to an issue with the NameID format. Now, the correct NameID is provided for the logout workflow and users are able to successfully log out.
PD-11178 | Previously, connections were not allowed to a Virtual Service configured for SSL with ESP enabled. Now, a Virtual Service with this configuration allows connections to be created and passes traffic as normal.
PD-11162 | Previously, the memory restriction associated with enabling the Web Application Firewall (WAF) on a LoadMaster was not adhered to.
PD-11110 | Previously, with ESP enabled, a local or non-local LDAP user with client certificate authentication enabled was always assigned read-only group permissions.
PD-11052 | Previously, a connection to a Virtual Service failed if Enable HTTP/2 Stack and Detect Malicious Requests options were both enabled.
PD-11042 | Previously, during a firmware upgrade of a HA LoadMaster configuration with Netconsole enabled, a large reboot latency was observed following the upgrade.
PD-10976 | Previously, in certain scenarios, high CPU utilization was observed with GEO.
PD-10936 | Previously, when SAML is configured, the value of the StatusCodeValue element Now, the StatusCodeValue corruption is fixed and verification of the value and the SAML response as a whole proceeds as expected.
PD-10930 | Previously, connections to Virtual Services sometimes failed if Enable HTTP/2 Stack and WAF were both enabled.
PD-10862 | Previously, a Local User account that only had Real Servers permissions could not modify Real Servers on a Virtual Service that has SSL offloading or re-encryption enabled.
PD-10802 | Previously, users could not add a Real Server with the Forwarding method set to route using the RESTful API.
PD-10801 | Previously, the ESP SSO setting Username Only was not available for the Logon Format (Phase 1 RADIUS) when the Authentication Protocol was set to RADIUS and LDAP in the manage SSO WUI screen.
PD-10800 | Previously, cloud HA did not handle WAF rules or GEO blacklist downloads correctly.
PD-10347 | Previously, the SSO session expiry time was not displayed accurately.
PD-10207 | Previously, when ESP was enabled and the LDAP server response was interrupted, the LDAP service not reachable and LDAP service up again warning messages were logged.
PD-10197 | Previously, in cluster mode - Virtual Service and Real Server status and statistics were reported incorrectly in the WUI home page of the master LoadMaster.
Known Issues
PD-11670 | When the LoadMaster is configured in cluster mode, in the WUI cluster status page - a cluster member that is actually down is displayed as Disabled.
PD-11662 | The output of the ps command in the LoadMaster backup file is unreadable.
PD-11636 | On a Federal Information Processing Standards (FIPS) enabled hardware LoadMaster, during creation of a Virtual Service, this log output appears in the WUI: grep: /tmp/cert.list: No such file or directory. This can be safely ignored.
PD-11621 | In a GEO configuration with Stickiness set in the Miscellaneous Params WUI screen, a requested Fully Qualified Domain Name (FQDN) is not returned correctly if the Fail Over location is set to Everywhere.
PD-11613 | A user who only has the Geo Control permission cannot enable GSLB on the LoadMaster.
PD-11607 | When an Online Certificate Status Protocol (OCSP) server address is changed on the LoadMaster, the logs report that the change was made but the change does not take effect. The workaround is to force an OCSPD cache flush in the Debug Options screen in the LoadMaster WUI.
PD-11591 | In certain circumstances, while modifying the LoadMaster configuration using API automation, the configuration can become corrupt.
PD-11577 | A user with the correct permissions cannot add a content rule to a Virtual Service.
PD-11520 | If a LoadMaster license is downgraded to remove ESP or the Web Application Firewall (WAF), Virtual Service still displays that these features are configured in the View/Modify Services WUI screen, even though the functionality was removed.
PD-11503 | In GEO, an incorrect message "GEO ACL Automatic Update file not found" is reported in the logs, even if Enable Automated GEO IP Blacklist data Updates is disabled.
PD-11436 | Routing issues exist when adding IPv6 addresses to a HA LoadMaster configuration.
PD-11413 | When ESP is enabled with a Virtual Service configuration of Client Authentication Mode set to Client Certificate and Server Authentication Mode set to Kerberos Constrained Delegation (KCD), a valid user can be denied access even if it has a valid certificate and is part of a permitted group.
PD-11354 | When ESP is configured, the time displayed on the WUI when a user is put in a blocked state is displayed in the incorrect time zone.
PD-11351 | An out-of-context memory condition exists when memory that was previously allocated to a connection between the Layer 7 engine and SSL handling engine is being utilized by another process/task. In this scenario, the memory pointer is present but it is not what the system is expecting and this condition results in a kernel panic.
PD-11253 | There is no REST or PowerShell API command to add a Real Server to all SubVSs.
PD-11252 | An error occurs when adding an IPv6 RADIUS server IP address when configuring the ESP feature.
PD-11109 | RESTful API does not respond with the correct warning message if the user is unable to enable WAF.
PD-11044 | A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service, and KCD is enabled on the SubVS level for server-side authentication.
PD-11040 | Under certain conditions, the ESP logs can fill the allocated partition for /var/log/userlog which may cause the unit to reboot.
PD-11024 | The WUI is not accessible on NIC-1 from a non-local subnet.
PD-10970 | If a template is exported from an older version of LoadMaster and it contains an improper string, a newer LoadMaster cannot import it.
PD-10961 | LoadMasters in an Azure environment are not contacting the KEMP licensing server during a reboot.
PD-10956 | In a cluster configuration of three or more LoadMasters with the Edge Security Pack (ESP) configured, issues exist where Single Sign On (SSO) fails.
PD-10917 | An issue exists when setting up a 2-armed HA VLM in Azure.
PD-10874 | An issue exists which prevents restoring certificates if the password includes the percentage (%) or ampersand (&) characters.
PD-10784 | Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster (VLM) does not work.
PD-10627 | There are issues when replacing clustered nodes.
PD-10598 | There is no PowerShell API parameter to modify the IdP Certificate Match option.
PD-10586 | If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10572 | The extended log view fails when the selected range is in different years.
PD-10490 | The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10474 | A SNORT rule is triggering a false positive in certain scenarios.
PD-10466 | LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000Base-LX 1310nm, 10KM over SMF).
PD-10435 | Under certain specific conditions, the GEO application logs can fill the allocated partition which causes the unit to not log any further messages.
PD-10421 | Setting options for the syslog server settings multiple times for different levels using the API causes events to repeat.
PD-10363 | The PowerShell API is missing the ServerFbaPath and ServerFBAPost parameters.
PD-10193 | A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 | When adding a Real Server to a Virtual Service or SubVS on a Safari browser, the list of available Real Servers is not available.
PD-10159 | When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.
PD-10155 | An issue with configuration corruption is causing some GEO features to not function.
PD-10136 | There are some minor issues with LoadMaster clustering.
PD-10129 | There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.
PD-9854 | WAF does not support chunked transfer encoding on the POST body.
PD-9947 | Virtual Services/Real Servers can report as "Up" in the API even if SubVSs are disabled.
PD-9816 | There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 | GEO does not support DNS TCP requests from unknown sources.
PD-9553 | There is no API command to disable secure NTP mode.
PD-9507 | Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9476 | There is no RESTful API command to get/list the installed custom rule data files.
PD-9375 | Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.
PD-8853 | GEO Location Based failover does not work as expected.
PD-8725 | GEO Proximity and Location Based scheduling do not work with IPv6 source addresses.
PD-8697 | Some users are experiencing issues detecting the partition when using the Hardware Security Module (HSM).
PD-7156 | The VSIndex parameter is missing in some Application Program Interface (API) commands.