LoadMaster 7.2.41.1 Release Notes

Refer to the sections below for details about firmware version 7.2.41.1. This was released on 21st February 2018.

Feature Enhancements

  • Previously, there was no specific SubVS information detailed in the logs when a failure occurred.
    Now, the logs are updated with Virtual Service and SubVS names when a failure occurs.
  • Previously, Virtual LoadMaster (VLM) cloud instances only listened for port 8444 on eth0.
    Now, there is an option to listen on all interfaces.
  • The LoadMaster Operating System (LMOS) Linux kernel was upgraded from linux-4.4.32 to linux-4.9.58 to improve performance and resolve latency issues observed in previous releases.
  • Previously, text/XML and application/JSON content types were supported with the Inspect HTML POST Request Content feature.
    Now, the new Enable Other Content Types option enables the selection of all content types or specified content types.
  • Previously, the User Agent String was not present in the log files.
    Now, the new Include User Agent Header in User Logs option on the L7 Configuration screen enables User Agent String information to be printed in the logs.
  • Previously, SSO manager logs were collected under the ssomgr logs option in the Extended Log Files section of the LoadMaster WUI.
    Now, the SSO manager logs (with levelled debug logging) are collected and managed in the system log file. This makes it easier to manage logs centrally.
  • Previously, there was no indication of where to find the LDAP endpoint from the SSO domain configuration, LDAP WUI auth, and Real Server health check.
    Now, a modify LDAP configuration button is in the manage SSO configuration, WUI auth LDAP setting, and Virtual Service Real Server health check.
  • Previously, the default value for the additional L7 headers field was Legacy (X-ClientSide).
    Now, the default value for the additional L7 headers field is X-Forwarded-For.
  • Previously, the default value for the 100-Continue-Handling field was RFC-2616 Compliant.
    Now, the default value for the 100-Continue-Handling field is RFC-7231 Compliant.
  • Previously, the L7 Connection Drain Time (secs) field was not available next to the Drop at Drain Time End field.
    Now, the L7 Connection Drain Time (secs) field is underneath the Drop at Drain Time End field.
  • Previously, the default global setting for Enable Non-Local Real Servers was disabled.
    Now, the default global setting for Enable Non-Local Real Servers is enabled.
  • Previously, on VLMs there were ttyS0: ioctl: Input/output error messages in the system logs.
    Now, there are no respawn or ttyS0-related messages in syslog.
  • Previously, GMT offset settings were on top of the Set Timezone drop-down list options.
    Now, the GMT offset settings are on the bottom of the Set Timezone drop-down list options.
  • Previously, the bonding option was available in the WUI and RESTful API for cloud platforms like AWS and Azure, but it was not a supported feature.
    Now, the bonding option is disabled and removed from the WUI and RESTful API for cloud platforms.
  • Previously, when the user was unable to add a Virtual Service or SubVS, the error message displayed in the WUI was unclear.
    Now, the error message is clearer and advises that the LoadMaster is under-resourced and therefore a new Virtual Service or SubVS cannot be added.
  • Previously, connectivity broke when moving the default gateway to another interface.
    Now, you can move the default gateway to another interface without affecting connectivity.
  • Previously, the WUI displayed inappropriate warning messages when a user attempted to configure an IP address which is already configured on another interface.
    Now, the WUI displays an updated warning message informing that the IP address is already configured on another interface.
  • The System Log Files screen now shows the percentage used/free in relation to log partitions.
  • Previously, the firmware update license error message did not have enough details and caused confusion.
    Now, clear and concise feedback about why the failure has happened, and a link to a Help Center article, are provided.
  • Previously, there were platform-specific Application Program Interface (API) commands, for example, for Azure there is a getazurehaparams command and for AWS there is a getawshaparams command.
    Now, there is a common API command called getCloudHaParams for querying HA parameters on all cloud platforms.

Issues Resolved

PD-9764

Previously, IPsec had connectivity issues to Azure for LoadMaster firmware version 7.2.38.2 and above.
Now, IPsec successfully connects to Azure.

PD-9944

Previously, the WUI allowed up to 208 characters in the Header Field, Match String, Value of Header Field to be Added, Modified URL, and Value of Header Field to be replaced fields when creating and modifying content rules.
Now, this limit is 255 characters in the WUI and RESTful API.

PD-9975

Previously, there were no logs when an LDAP AAA test user failed.
Now, there are logs when an LDAP AAA test user fails.

PD-10039

Previously, the HTTP/2 stack had issues with features like shopping carts with browsers other than Internet Explorer.
Now, HTTP/2 works with Chrome, Firefox, and Internet Explorer.

PD-10040

Previously, icb_alloc logs could be seen if the Web Application Firewall (WAF) was enabled and chunked data was received.
Now, icb_alloc messages do not appear in logs.

PD-10042

Previously, WAF statistics did not get cleared/reset on Virtual Service deletion.
Now, WAF statistics get cleared (set to 0) on Virtual Service deletion.

PD-10051

Previously, LoadMaster activation failed when re-licensing the LoadMaster multiple times.
Now, a reboot is required after each re-license.

PD-10071

Previously, the libxml2 GNOME XML library was installed.
Now, the library has been updated to libxml2-2.9.5.

PD-10083

Previously, the LoadMaster did not return a complete list of Virtual Services and Real Servers when queried using a MIB browser or snmpwalk command.
Now, the LoadMaster returns a complete list of Virtual Services and Real Servers configured when queried using a MIB browser or snmpwalk command.

PD-10086

Previously, the WUI displayed inappropriate warning messages when attempting to configure an IP address which is already configured on any interface.
Now, the WUI displays an updated warning message if you attempt to configure an IP address which is already configured on any interface.

PD-10141

Previously, the check interval time was stored incorrectly in the configuration file and caused unwanted LoadMaster FIN ACK traffic.

PD-10142

Previously, the master LoadMaster did not send uCAP packets every second. It randomly missed one or more packets.
Now, this bug is fixed and both the WUI and configuration show a similar check interval with no unwanted traffic.

PD-10204

Previously, the replace certificate in LoadMaster WUI workflow had a minor error and did not allow the user to replace the certificate.
Now, the replace certificate workflow has been improved and the user can replace a certificate using the WUI.

PD-10205

Previously, underscores, dashes, and square brackets were not allowed in the Form Authentication Path field in the WUI.
Now, underscores, dashes, and square brackets are allowed in the Form Authentication Path field in the WUI.

PD-10235

Previously, log rotation for the adaptive.log file did not work on LoadMasters without the SDN add-on.
Now, log rotation works for the adaptive.log file on LoadMasters without the SDN add-on.

PD-10239

Previously, the Pre-Shared Key (PSK) was unencrypted in backup files.
Now, the PSK is encrypted.
Note: If upgrading the LoadMaster firmware to 7.2.41.1, re-enter the PSK to ensure it is encrypted. If you do not do this, the VPN still works, but the new security measure does not take effect until the PSK is re-saved.

PD-10245

Previously, when trying to access the connection, security, and user extended log files, the previous days' logs were grayed out and you could not view them.
Now, the Extended Log Files screen includes options to select by date, files, and filter. Also, when viewing Edge Security Pack (ESP) logs, selecting the next date includes logs from the previous date.

PD-10255

Previously, the default value for the Strict Transport Security Header field was Add the Strict Transport Security Header - include subdomains.

Now, the default value for the Strict Transport Security Header field is Don't add the Strict Transport Security Header.

PD-10345

Previously, connectivity on Link Aggregation Control Protocol (LACP) bonded interface did not work with some switch hardware.
Now, LACP bonded interfaces are activated quickly and connectivity works on this port as expected.

PD-10353

Previously, in the warning logs on Federal Information Processing Standards (FIPS) boxes, there were multiple instances of a log message FIPS selftest completed successfully. Using FIPS mode.
Now, this message no longer repeats. This shortens the log length for download and parsing.

PD-10354

Previously, bare metal ISO installations would sometimes obtain an invalid value for the serial number.
Now, the serial number is obtained successfully.

PD-10355

Previously, when using SAML client authentication and a user opens a second tab, the user received an Access Denied error message.
Now, the user is redirected to the federated server login page (for example, the Active Directory Federation Services (AD FS) login). KEMP recommends that the user continues to use the latest tab opened for login access. Otherwise, the authentication may get confused due to temporary cookie use and SAML Response ID matching may fail.

PD-10361

Previously, the LM-4000 model had stability issues on LoadMaster firmware version 7.2.36.1 with certain traffic.
Now, a fix has been implemented to improve stability.

PD-10368

Previously, the RADIUS server password could not be set using the API.
Now, the RADIUS server password can be set using the API.

PD-10374

Previously, when using the Client Certificate authentication mode, the user credentials for the SSO domain health checks over LDAP (LDAPS and StartTLS), were in plain text and visible in a protocol capture trace.
Now, when using the Client Certificate authentication mode, the SSO domain health checks use StartTLS and therefore the user credentials are no longer visible in a protocol capture trace.

PD-10393

Previously, the signature verification in the case of a trusted certificate and intermediate certificate did not work. The certificate in the response must match the certificate assigned in the SAML SSO domain.
Now, with the IDP Certificate Match option, both pre-7.2.40 and post-7.2.40 behavior are available, allowing configuration for strict matching of the certificate.

PD-10433

Previously, active/backup bonding did not work when the cable was plugged out from the active interface.
Now, active/backup bonding works correctly when the cable is plugged out from the active interface and the connection shifts to the backup interface.

PD-10448

Previously, log rotation did not work when the rotation file name already existed.
Now, log rotation is working properly.

PD-10461

Updated the OpenSSL version from 1.0.2k-fips to 1.0.2n-fips.

PD-10477

Previously, adding clients to an SSO image set with more than 32 special characters ('%') caused L7d to crash.
Now, this bug is fixed and nearly 256 special characters are allowed in the client SSO image set input file.

PD-10486

Previously, WAF did not block all POST attack requests when multiple content-types are set for the Enable Other Content Types option.
Now, WAF blocks all POST attack requests when multiple content-types are set for the Enable Other Content Types option.

PD-10514

Previously, the copyright date in the LoadMaster was 2017.
Now, the copyright date is 2018.

PD-10530

Previously, unwanted error messages appeared when navigating to the Default Gateway.
Now, no error message appears when navigating to the Default Gateway.

PD-10637

Previously, use of the configured port for the target OCSP server and SSL responses from the server were handled incorrectly.
Now, the port configured for the OCSP server is used correctly per the configuration setting on the LoadMaster. SSL responses are also handled correctly.

PD-10096

Previously, on occasion the GEO zone serial was not refreshed, causing a spurious "Zone may fail to transfer to slaves" log message.
Now, the log level for these messages has been changed from ERROR to INFO. These messages do not affect functionality.

PD-10115

Previously, if an FQDN with a wildcard and another FQDN belonging to the same domain were configured, in some scenarios GEO could pick up the wildcard FQDN instead of the correct FQDN.
Now, GEO picks up the correct FQDN even if the configuration has a wildcard FQDN.

PD-10473

Previously, GEO returned sites that were down if the Selection Criteria was set to All Available.
Now, only sites with a status of "up" are returned.

PD-9525

Previously, the showfqdn API command displayed the Failtime value in seconds, but it is set in minutes.

Now, the showfqdn API command displays the Failtime value in minutes.

PD-9785

Previously, running an Azure PowerShell command after calling any LoadMaster PowerShell command with a self-signed certificate returned an error.
Now, Azure PowerShell commands work as expected, even when running after executing any LoadMaster PowerShell command with a self-signed certificate.

PD-10043

Previously, there was no RESTful API command to get the WAF logging format and remote logging details.
Now, WAF logging format and remote logging details can be retrieved by running the getwafsettings RESTful API command.

PD-10076

Previously, Credential was a mandatory parameter for the Get-LicenseType PowerShell command.
Now, Credential is an optional parameter for the Get-LicenseType PowerShell command.

PD-9539

Previously, the New-GeoCluster command returned an invalid error when you tried to add a GEO cluster that already existed with the same name and IP address.
Now, for the same scenario, the New-GeoCluster command returns a proper error message: Cluster already defined. Name/IP must be unique.

PD-9570

Previously, the removecountry API command error message had a typo (countries was spelled counries).
Now, the typo in the removecountry API command error message is fixed.

PD-9572

Previously, the showcluster and showfqdn API commands displayed location parameter values in degrees, but the showip API command displayed the values in seconds.
Now, the showfqdn, listfqdns, showip, listops, showcluster, and listclusters API commands display the values in seconds.

Known Issues

PD-10980

A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible.
Further information can be found here: Mitigation For Remote Access Execution Vulnerability.

PD-10193

Using WAF with ESP and KCD is not supported with Microsoft Exchange 2010.

PD-9854

WAF does not support chunked transfer encoding on the POST body.

PD-9765

GEO does not support DNS TCP requests from unknown sources.

PD-8697

Some users are experiencing issues detecting the partition when using the Hardware Security Module (HSM).

PD-9375

Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

PD-9649

Some users are experiencing a SAML error "Could not base64 decode the SAMLResp".

PD-9821

Some high memory usage has been observed.

PD-10129

There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.

PD-10131

There are some problems attaching files in SharePoint when using WAF with Process Responses enabled and Kerberos Constrained Delegation (KCD).

PD-10149

It has been observed that Alternative Domain selection and handling is not always reliable. While an Alternative Domain may be selected appropriately, the Virtual Service association is not always consistent. As a result, Form Based Authentication (FBA) on the server side is not triggered when expected. Furthermore, some characters are not permitted to be included in the server side FBA post to the Real Server.

PD-10159

When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.

PD-10188

When adding a Real Server to a Virtual Service or SubVS on a Safari browser, the list of available Real Servers is not available.

PD-10197

Cluster Virtual Service and Real Server home page statistics are reported incorrectly.

PD-10207

The ESP LDAP logs need to be enhanced.

PD-10259

When under load, WAF does not read all of the Real Server responses and closes the connection prematurely.

PD-10332

When you try to add a duplicate VLAN ID/VXLAN ID, text saying "Duplicate VLAN id/VXLAN id Cache-Control: no-cache" appears in the WUI.

PD-10381

Removing Application Generic rule sets from the Virtual Service causes WAF misconfiguration.

PD-10445

Some websites do not work when the WAF Process Responses option is enabled.

PD-10455

Amazon Web Services (AWS) cannot use the admin certificate after a reboot.

PD-10474

A SNORT rule is triggering a false positive in certain scenarios.

PD-10478

Custom SSO image set is not displaying in the SSO Image Set drop-down list after the ESP SSO configuration is restored from a backup.

PD-10488

Occasionally WAF is getting stopped with an "errno 24" error.

PD-10525

Some users are experiencing WAF read errors when connections are closing.

PD-10538

Cannot create body rules when single quotes are in separate capture groups.

PD-10545

Virtual LoadMasters become inaccessible on Azure cloud when the WUI is moved to NIC-1.

PD-10572

The extended log view fails when the selected range is in different years.

PD-10584

There are some SAML User Principal Name (UPN) and SAM-Account-Name interaction issues.

PD-10590

Automatic WAF rule downloads are not working on the second HA node even if it is active.

PD-10616

When WAF Process Responses is enabled, the response is cut.

PD-10627

There are issues when replacing clustered nodes.

PD-10702

There are spurious KCD credentials expired log messages.

PD-10586

If a GEO FQDN is configured with All Available as the Selection Criteria, IPs are returned even if the cluster is disabled.

PD-10155

An issue with configuration corruption is causing some GEO features to not function.

PD-8725

Proximity and Location Based scheduling do not work with IPv6 source addresses.

PD-8853

Location Based failover does not work as expected.

PD-7156

The VSIndex parameter is missing in some API commands.

PD-9476

There is no RESTful API command to get/list the installed custom rule data files.

PD-9507

Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.

PD-9553

There is no API command to disable secure NTP mode.

PD-9816

There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.

PD-9947

Virtual Services/Real Servers can report as "Up" in the API even if SubVSs are disabled.

PD-10363

The PowerShell API is missing the ServerFbaPath and ServerFBAPost parameters.

PD-10421

Setting options for the syslog server settings multiple times for different levels using the API causes events to repeat.

PD-10490

The vsremovewafrule RESTful API command does not allow multiple rules to be removed.

PD-10577

Some API calls are failing due to NULL pointers.

PD-10598

There is no PowerShell API parameter to modify the IdP Certificate Match option.

