LoadMaster 7.2.46.0 Release Notes
Refer to the sections below for details about firmware version 7.2.46.0. This was released on 8th May 2019.
New Features
There are no new features added in this firmware update.
Feature Enhancements
The following feature enhancements are implemented in this firmware update:
- GSLB cluster checker mapping enhancement.
  - In the FQDN configuration under Global Balancing -> Manage FQDNs, the cluster checker mapping menu list now displays the Virtual Service name as well as the IP and Port information.
- Improved ESP user log access denied message.
  - Previously, when an ESP user exceeded the Failed Login Attempts value when logging in, the error logged was "access denied".
  - Now, a blocked access message is generated and the user is prevented from further logging in until they have been administratively unlocked.
- Improved GEO Statistics have been added to the Global Balancing feature.
  - A new WUI page named GEO Statistics has been added under the Global Balancing menu.
  - This page is divided into a number of sections as follows:
    - GSLB Service Status:
      - Boot time: This is the time the GSLB feature was enabled or the last LoadMaster boot time.
      - Last configuration: The time the configuration was last changed.
    - FQDN Statistics: Details of the FQDN domains configured including name, IP Address, number of requests per second being received and the total request count.
    - Queries: Information on the Query type and the number of requests received for that type.
    - DNS Request Information: Information on the type, description and number of requests received.
  - REST and PowerShell API commands have been created to display these statistics.
General Updates
- End of Life of support for SafeNet Luna and Cavium Hardware Security Modules (HSM).
  - The HSM Configuration option under the Certificates and Security menu has been removed from the LoadMaster WUI.
Issues Resolved
PD-13078 | A fix has been implemented to better manage the increased memory footprint related to the upgrade of OpenSSL to 1.1.1 in 7.2.45.0.
PD-12876 | LoadMaster VLM GSLB functionality has been fixed in Azure.
PD-12869 | Unusual debug logs related to a UDP configured VS have been removed.
PD-12861 | Previously, in a LoadMaster cluster configuration, if a non-admin cluster node was marked as down and the admin node in the cluster was rebooted, the down cluster node could never be disabled. Now, the issue has been resolved and after an admin node is rebooted the non-admin down cluster node can be disabled.
PD-12852 | An issue where an HTTP/2 enabled Virtual Service received an unexpected server disconnect which caused the LoadMaster to reboot has been fixed.
PD-12836 | An issue where the netmask defined for an additional static route, when added on any interface, was defaulted to /64 has been fixed.
PD-12828 | Issues experienced when running read/write commands to a Real Server with caching and compression features enabled on the LoadMaster have been resolved.
PD-12872 | Inconsistencies with the status of an HTTPS Real Server healthcheck have been resolved.
PD-12773 | The RC4 ciphers that were removed in a previous firmware version have been reinstated.
PD-12759 | If HTTP/2 is enabled on the parent Virtual Service, it will also work at the sub Virtual Service level.
PD-12703 | ESP Permitted Group SID(s) can now be up to 64 bytes in length (192 characters) in the following format "XX XX XX" and separated by a semi-colon.
PD-12682 | With ESP enabled and Client Authentication Mode set to Delegate to Server, the configured Allowed Virtual Hosts now work correctly on VSs and subVSs.
PD-12681 | Issues related to users initially being unable to log in if ESP is configured after firmware update have been resolved.
PD-12655 | Previously, the log message FIPS selftest failed was being generated on a LoadMaster configured in HA mode with Software FIPS enabled. Now, the log message is no longer being generated and the system behaves as expected.
PD-12613 | Issues which caused a LoadMaster reboot with a VS configured with WAF and HTTP/2 have been resolved.
PD-12578 | An ESP SSO authenticating user is now correctly normalized to the Domain/Realm that is specified in the SSO Domain configuration.
PD-12576 | ESP client-side dual-factor authentication now works as expected when using ESP RSA SecurID and either LDAPS or StartTLS.
PD-12555 | On a VS with WAF logging enabled and Audit mode set to Audit All, the Real Server response header is now correctly logged. It will default to "200 OK" when Process Responses is not enabled, otherwise it will use the actual response from the Real Server.
PD-12450 | Log partition Disk Usage on the LoadMaster WUI under Statistics >> Real Time Statistics is now available when using the REST and PowerShell API commands.
PD-12441 | When the Caching feature was enabled, the Maximum Cache usage percentage that was set was not always being honored.
PD-12436 | An incorrectly formed user name which resulted in LDAP connection failures when configuring users in Windows Logon format (example: DOMAIN\UserName) in the context of Certificate based client Authentication or ESP Domain health check has been fixed.
PD-12370 | There were some issues when WAF was enabled on a VS, causing error logs to be produced and instability with WAF processing. These issues have now been resolved.
PD-12357 | Previously, the LM with Allow Multi-Interface Access set would not allow access to the WUI on any port other than the default port 443. Now, this has been resolved and the LM WUI can be accessed on any set port on any interface once Multi-Interface Access is set.
PD-12275 | Previously, the LDAP response timeout could not be configured and was defaulted to 5 seconds. Now, the LDAP timeout can be configured within the range of 5 to 60 seconds.
PD-12242 | Previously, Not Available Redirection Handling was not being used when Real Server health checks failed on a VS with ESP enabled and KCD set as server side authentication method. Now, this functionality has been improved and if Real Server health checks fail, Not Available Redirection Handling processing will be invoked.
PD-11760 | Previously, when an Alternate Gateway was set in a cloud environment, networking issues occurred. Now, this option has been removed for the LoadMaster for cloud environments to remove the risk of networking issues.
PD-11641 | An issue where some existing LoadMaster users that are configured to use WUI Authentication with LDAP groups experienced login failures has been resolved.
PD-10970 | An issue where a template exported from an older version of the LoadMaster and containing a VS with content rules configured could not be imported by a newer LoadMaster has been resolved.
PD-10572 | Previously, the extended log view was failing when a date range was selected using different years. Now, the extended log view works correctly when the selected range spans different years.
PD-9947 | An issue where Virtual Services or Real Servers can report as "up" in the API, even if the SubVSs are disabled, has been resolved.
Known Issues
PD-13122 | The GSLB cluster checker RESTful API commands mappedname, listfqdns and showfqdn are not correctly updated if the local or remote LoadMaster VS details are modified or if the VS gets deleted.
PD-13103 | LoadMaster instability may occur when using HTTP/2 on a Virtual Service.
PD-13082 | The LoadMaster RESTful API will not upload SSH Private keys which are larger than 4096 bytes in size.
PD-13038 | Elliptic Curve Cryptography (ECC) certificates in pfx format cannot be uploaded to the LoadMaster.
PD-13031 | Under high load the Web Application Firewall (WAF) engine may trigger some false positive rules.
PD-12998 | As part of the upgrade of OpenSSL to version 1.1.1, support for Elliptic-Curve Diffie–Hellman (ECDH) ciphers has been removed. Users with these ciphers in the assigned list on the LoadMaster may experience issues when saving the list after modifications have been made.
PD-12981 | Spurious OS kernel level warning messages are output but are not service affecting.
PD-12980 | The following RESTful API commands are missing the VS service name from the GEO Mapping configuration: listclusters and showcluster.
PD-12960 | Additional Custom Headers of up to 255 characters can be configured for Real Server health checks, but due to an internal OS limitation only 144 characters are processed, resulting in some Real Server health check failures.
PD-12864 | An issue exists where Adaptive scheduling statistics are not updating on the management node in a LoadMaster cluster configuration.
PD-12838 | The ESP Permitted Group SID(s) setting is not working as expected when configured on a subVS.
PD-12795 | The Radius setting of Use Local Account only if AAA Fails does not work as designed when you have a backup Radius server added to the WUI Authorization configuration.
PD-12774 | The SNMP OID name vSActivConns Data Type is set incorrectly to Counter32 and should be Gauge32.
PD-12653 | A Hyper-V VLM won't boot when a 4th NIC is added.
PD-12616 | With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
PD-12492 | If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.
PD-12354 | The LoadMasters LM-X25 and LM-X40 do not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12237 | Configuring NTP with LoadMasters in a HA configuration causes them to go into Master-Master mode.
PD-12147 | In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.
PD-12068 | Issues exist with replication of GEO cluster configuration across nodes.
PD-12058 | An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.
PD-11861 | IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.
PD-11166 | Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.
PD-11044 | A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
PD-11024 | The WUI is not accessible on NIC-1 from a non-local subnet.
PD-10917 | An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.
PD-10784 | Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.
PD-10586 | If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10490 | The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10474 | A SNORT rule is triggering a false positive in certain scenarios.
PD-10466 | The LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-10193 | A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 | When adding a Real Server to a Virtual Service or SubVS using a Safari browser, the list of available Real Servers is not available.
PD-10159 | When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.
PD-10136 | In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.
PD-10129 | There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.
PD-9854 | WAF does not support chunked transfer encoding on the POST body.
PD-9816 | There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 | GEO does not support DNS TCP requests from unknown sources.
PD-9507 | Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9476 | There is no RESTful API command to get/list the installed custom rule data files.
PD-9375 | Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.
PD-8853 | GEO Location Based failover does not work as expected.
PD-8725 | GEO Proximity and Location Based scheduling do not work with IPv6 source addresses.
Comments

Hi @lifesciencesadmin
Thank you for the feedback. I will pass this off to our PM team.

When will you support certificate chaining for SAML token signing? The current limitation means we can't use publicly issued certificates; this is an issue when using ADFS, as changing the token signing certificate to one issued by our local CA will break authentication for all other relying parties.
LifeSciences Admin
You guys should categorize these issues / known issues so we don't have to go through the whole list.
For example:
1) We don't use any API so if you had an API category, we wouldn't bother going through that list
2) Our LoadMaster is not in Microsoft Azure so that wouldn't apply