LoadMaster 7.2.41.1 Release Notes
Refer to the sections below for details about firmware version 7.2.41.1. This was released on 21st February 2018.
Feature Enhancements
- Previously, there was no specific SubVS information detailed in the logs when a failure occurred. Now, the logs include the Virtual Service and SubVS names when a failure occurs.
- Previously, Virtual LoadMaster (VLM) cloud instances only listened on port 8444 on eth0. Now, there is an option to listen on all interfaces.
- The LoadMaster Operating System (LMOS) Linux kernel was upgraded from linux-4.4.32 to linux-4.9.58 to address performance and latency issues observed in previous releases.
- Previously, only the text/XML and application/JSON content types were supported by the Inspect HTML POST Request Content feature. Now, the new Enable Other Content Types option allows either all content types or specified content types to be selected.
- Previously, the User Agent String was not present in the log files. Now, the new Include User Agent Header in User Logs option on the L7 Configuration screen enables User Agent String information to be printed in the logs.
- Previously, SSO manager logs were collected under the ssomgr logs option in the Extended Log Files section of the LoadMaster WUI. Now, the SSO manager logs (with levelled debug logging) are collected and managed in the system log file, which makes central log management easier.
- Previously, there was no indication of where to find the LDAP endpoint from the SSO domain configuration, LDAP WUI authentication, and Real Server health check. Now, a modify LDAP configuration button is available in the manage SSO configuration, WUI authentication LDAP setting, and Virtual Service Real Server health check.
- Previously, the default value for the additional L7 headers field was Legacy (X-ClientSide). Now, the default value for the additional L7 headers field is X-Forwarded-For.
- Previously, the default value for the 100-Continue-Handling field was RFC-2616 Compliant. Now, the default value for the 100-Continue-Handling field is RFC-7231 Compliant.
- Previously, the L7 Connection Drain Time (secs) field was not located next to the Drop at Drain Time End field. Now, the L7 Connection Drain Time (secs) field is directly underneath the Drop at Drain Time End field.
- Previously, the default global setting for Enable Non-Local Real Servers was disabled. Now, the default global setting for Enable Non-Local Real Servers is enabled.
- Previously, on VLMs there were ttyS0: ioctl: Input/output error messages in the system logs. Now, there are no respawn or ttyS0-related messages in syslog.
- Previously, the GMT offset settings were at the top of the Set Timezone drop-down list options. Now, the GMT offset settings are at the bottom of the Set Timezone drop-down list options.
- Previously, the bonding option was available in the WUI and RESTful API for cloud platforms such as AWS and Azure, but it was not a supported feature. Now, the bonding option is disabled and removed from the WUI and RESTful API for cloud platforms.
- Previously, when the user was unable to add a Virtual Service or SubVS, the error message displayed in the WUI was unclear. Now, the error message is clearer and advises that the LoadMaster is under-resourced and therefore a new Virtual Service or SubVS cannot be added.
- Previously, connectivity broke when moving the default gateway to another interface. Now, you can move the default gateway to another interface without affecting connectivity.
- Previously, the WUI displayed inappropriate warning messages when a user attempted to configure an IP address that was already configured on another interface. Now, the WUI displays an updated warning message stating that the IP address is already configured on another interface.
- The System Log Files screen now shows the percentage used/free for the log partitions.
- Previously, the firmware update license error message did not have enough detail and caused confusion. Now, clear and concise feedback about why the failure happened, along with a link to a Help Center article, is provided.
- Previously, there were platform-specific Application Programming Interface (API) commands, for example, getazurehaparams for Azure and getawshaparams for AWS. Now, there is a common API command called getCloudHaParams for querying HA parameters on all cloud platforms.
Issues Resolved
Reference | Description
PD-9764 | Previously, IPsec had connectivity issues to Azure for LoadMaster firmware version 7.2.38.2 and above.
PD-9944 | Previously, the WUI allowed up to 208 characters in the Header Field, Match String, Value of Header Field to be Added, Modified URL, and Value of Header Field to be replaced fields when creating and modifying content rules.
PD-9975 | Previously, there were no logs when an LDAP AAA test user failed.
PD-10039 | Previously, the HTTP/2 stack had issues with features such as shopping carts in browsers other than Internet Explorer.
PD-10040 | Previously, icb_alloc logs could be seen if the Web Application Firewall (WAF) was enabled and chunked data was received.
PD-10042 | Previously, WAF statistics were not cleared/reset on Virtual Service deletion.
PD-10051 | Previously, LoadMaster activation failed when re-licensing the LoadMaster multiple times.
PD-10071 | Previously, the libxml2 GNOME XML library was installed.
PD-10083 | Previously, the LoadMaster did not return a complete list of Virtual Services and Real Servers when queried using a MIB browser or the snmpwalk command.
PD-10086 | Previously, the WUI displayed inappropriate warning messages when attempting to configure an IP address that was already configured on any interface.
PD-10141 | Previously, the check interval time was stored incorrectly in the configuration file and caused unwanted LoadMaster FIN ACK traffic.
PD-10142 | Previously, the master LoadMaster did not send uCAP packets every second; it randomly missed one or more packets.
PD-10204 | Previously, the replace certificate workflow in the LoadMaster WUI had a minor error and did not allow the user to replace the certificate.
PD-10205 | Previously, underscores, dashes, and square brackets were not allowed in the Form Authentication Path field in the WUI.
PD-10235 | Previously, log rotation for the adaptive.log file did not work on LoadMasters without the SDN add-on.
PD-10239 | Previously, the Pre-Shared Key (PSK) was unencrypted in backup files.
PD-10245 | Previously, when trying to access the connection, security, and user extended log files, the previous day's logs were grayed out and could not be viewed.
PD-10255 | Previously, the default value for the Strict Transport Security Header field was Add the Strict Transport Security Header - include subdomains. Now, the default value for the Strict Transport Security Header field is Don't add the Strict Transport Security Header.
PD-10345 | Previously, connectivity on a Link Aggregation Control Protocol (LACP) bonded interface did not work with some switch hardware.
PD-10353 | Previously, in the warning logs on Federal Information Processing Standards (FIPS) boxes, there were multiple instances of the log message FIPS selftest completed successfully. Using FIPS mode.
PD-10354 | Previously, bare metal ISO installations would sometimes obtain an invalid value for the serial number.
PD-10355 | Previously, when using SAML client authentication and a user opened a second tab, the user received an Access Denied error message.
PD-10361 | Previously, the LM-4000 model had stability issues on LoadMaster firmware version 7.2.36.1 with certain traffic.
PD-10368 | Previously, the RADIUS server password could not be set using the API.
PD-10374 | Previously, when using the Client Certificate authentication mode, the user credentials for the SSO domain health checks over LDAP (LDAPS and StartTLS) were in plain text and visible in a protocol capture trace.
PD-10393 | Previously, signature verification in the case of a trusted certificate and intermediate certificate did not work. The certificate in the response must match the certificate assigned in the SAML SSO domain.
PD-10433 | Previously, active/backup bonding did not work when the cable was unplugged from the active interface.
PD-10448 | Previously, log rotation did not work when the rotation file name already existed.
PD-10461 | Updated the OpenSSL version from 1.0.2k-fips to 1.0.2n-fips.
PD-10477 | Previously, adding clients to an SSO image set with more than 32 special characters ('%') caused L7d to crash.
PD-10486 | Previously, WAF did not block all POST attack requests when multiple content types were set for the Enable Other Content Types option.
PD-10514 | Previously, the copyright date in the LoadMaster was 2017.
PD-10530 | Previously, unwanted error messages appeared when navigating to the Default Gateway.
PD-10637 | Previously, use of the configured port for the target OCSP server and SSL responses from the server were handled incorrectly.
PD-10096 | Previously, on occasion the GEO zone serial was not refreshed, causing a spurious "Zone may fail to transfer to slaves" log message.
PD-10115 | Previously, if an FQDN with a wildcard and another FQDN belonging to the same domain were configured, in some scenarios GEO could pick up the wildcard FQDN instead of the correct FQDN.
PD-10473 | Previously, GEO returned sites that were down if the Selection Criteria was set to All Available.
PD-9525 | Previously, the showfqdn API command displayed the Failtime value in seconds, but it is set in minutes. Now, the showfqdn API command displays the Failtime value in minutes.
PD-9785 | Previously, running an Azure PowerShell command after calling any LoadMaster PowerShell command with a self-signed certificate returned an error.
PD-10043 | Previously, there was no RESTful API command to get the WAF logging format and remote logging details.
PD-10076 | Previously, Credential was a mandatory parameter for the Get-LicenseType PowerShell command.
PD-9539 | Previously, the New-GeoCluster command returned an invalid error when trying to add a GEO cluster that already existed with the same name and IP address.
PD-9570 | Previously, the removecountry API command error message had a typo (countries was spelled counries).
PD-9572 | Previously, the showcluster and showfqdn API commands displayed location parameter values in degrees, but the showip API command displayed the values in seconds.
Known Issues
Reference | Description
PD-10980 | A critical vulnerability (CVE-2018-9091) in the LoadMaster Operating System (LMOS) related to Session Management could allow an unauthorized, remote attacker to bypass security protections, gain system privileges, and execute elevated commands such as ls, ps, cat, and so on, thereby compromising the system. Through this remote execution, in certain cases, exposure of sensitive system data such as certificates, private keys, and other information may be possible.
PD-10193 | Using WAF with ESP and KCD is not supported with Microsoft Exchange 2010.
PD-9854 | WAF does not support chunked transfer encoding on the POST body.
PD-9765 | GEO does not support DNS TCP requests from unknown sources.
PD-8697 | Some users are experiencing issues detecting the partition when using the Hardware Security Module (HSM).
PD-9375 | Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.
PD-9649 | Some users are experiencing a SAML error "Could not base64 decode the SAMLResp".
PD-9821 | Some high memory usage has been observed.
PD-10129 | There is a discrepancy in validation between the global-level connection timeout and the Virtual Service-level timeout.
PD-10131 | There are some problems attaching files in SharePoint when using WAF with Process Responses enabled and Kerberos Constrained Delegation (KCD).
PD-10149 | It has been observed that Alternative Domain selection and handling is not always reliable. While an Alternative Domain may be selected appropriately, the Virtual Service association is not always consistent. As a result, Form Based Authentication (FBA) on the server side is not triggered when expected. Furthermore, some characters are not permitted in the server-side FBA post to the Real Server.
PD-10159 | When upgrading firmware from version 7.1.35.n, CPU and network usage graphs do not appear. As a workaround, reset the statistics in the WUI.
PD-10188 | When adding a Real Server to a Virtual Service or SubVS in the Safari browser, the list of available Real Servers is not available.
PD-10197 | Cluster Virtual Service and Real Server home page statistics are reported incorrectly.
PD-10207 | The ESP LDAP logs need to be enhanced.
PD-10259 | When under load, WAF does not read all of the Real Server responses and closes the connection prematurely.
PD-10332 | When you try to add a duplicate VLAN ID/VXLAN ID, the text "Duplicate VLAN id/VXLAN id Cache-Control: no-cache" appears in the WUI.
PD-10381 | Removing Application Generic rule sets from the Virtual Service causes WAF misconfiguration.
PD-10445 | Some websites do not work when the WAF Process Responses option is enabled.
PD-10455 | Amazon Web Services (AWS) cannot use the admin certificate after a reboot.
PD-10474 | A SNORT rule triggers a false positive in certain scenarios.
PD-10478 | A custom SSO image set is not displayed in the SSO Image Set drop-down list after the ESP SSO configuration is restored from a backup.
PD-10488 | Occasionally, WAF stops with an "errno 24" error.
PD-10525 | Some users are experiencing WAF read errors when connections are closing.
PD-10538 | Body rules cannot be created when single quotes are in separate capture groups.
PD-10545 | Virtual LoadMasters become inaccessible on Azure cloud when the WUI is moved to NIC-1.
PD-10572 | The extended log view fails when the selected range spans different years.
PD-10584 | There are some SAML User Principal Name (UPN) and SAM-Account-Name interaction issues.
PD-10590 | Automatic WAF rule downloads do not work on the second HA node even if it is active.
PD-10616 | When WAF Process Responses is enabled, the response is truncated.
PD-10627 | There are issues when replacing clustered nodes.
PD-10702 | There are spurious KCD credentials expired log messages.
PD-10586 | If a GEO FQDN is configured with All Available as the Selection Criteria, IPs are returned even if the cluster is disabled.
PD-10155 | An issue with configuration corruption is causing some GEO features to not function.
PD-8725 | Proximity and Location Based scheduling do not work with IPv6 source addresses.
PD-8853 | Location Based failover does not work as expected.
PD-7156 | The VSIndex parameter is missing in some API commands.
PD-9476 | There is no RESTful API command to get/list the installed custom rule data files.
PD-9507 | Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9553 | There is no API command to disable secure NTP mode.
PD-9816 | There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9947 | Virtual Services/Real Servers can report as "Up" in the API even if SubVSs are disabled.
PD-10363 | The PowerShell API is missing the ServerFbaPath and ServerFBAPost parameters.
PD-10421 | Setting options for the syslog server settings multiple times for different levels using the API causes events to repeat.
PD-10490 | The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10577 | Some API calls are failing due to NULL pointers.
PD-10598 | There is no PowerShell API parameter to modify the IdP Certificate Match option.