LoadMaster 7.2.46.0 Release Notes

Refer to the sections below for details about firmware version 7.2.46.0. This was released on 8th May 2019. 

New Features

There are no new features added in this firmware update.

Feature Enhancements

The following feature enhancements are implemented in this firmware update:

  • GSLB cluster checker mapping enhancement.
    • In the FQDN configuration under Global Balancing -> Manage FQDNs the cluster checker mapping menu list now displays the Virtual Service name as well as the IP and Port information. 
  • Improved ESP user log access denied message.
    • Previously, when an ESP user exceeded the Failed Login Attempts value when logging in, the error logged was "access denied".
    • Now, a blocked access message is generated and the user is prevented from further logging in until they have been administratively unlocked.
  • Improved GEO Statistics have been added to the Global Balancing feature.
    • A new WUI page named GEO Statistics has been added under the Global Balancing menu.
    • This page is divided into a number of sections as follows:
      • GSLB Service Status:
        • Boot time:
          • This is the time the GSLB feature was enabled or the last LoadMaster boot time.
        • Last configuration:
          • The time the configuration was last changed.
      • FQDN Statistics:
        • Details of the FQDN domains configured including name, IP Address, number of requests per second being received and the total request count.
      • Queries:
        • Information on the Query type and the number of requests received for that type.
      • DNS Request Information:
        • Information on the type, description and number of requests received.
    • REST and PowerShell API commands have been created to display these statistics. 

General Updates

  • End of Life of support for SafeNet Luna and Cavium Hardware Security Modules (HSM).
    • The HSM Configuration option under the Certificates and Security menu has been removed from the LoadMaster WUI.

Issues Resolved

PD-13078

A fix has been implemented to better manage the increased memory footprint related to the upgrade of OpenSSL to 1.1.1 in 7.2.45.0.

PD-12876

LoadMaster VLM GSLB functionality has been fixed in Azure.

PD-12869

Unusual debug logs related to a UDP configured VS have been removed.

PD-12861

Previously, in a LoadMaster cluster configuration, if a non-admin cluster node was marked as down and the admin node in the cluster was rebooted, the down cluster node could never be disabled.

Now, the issue has been resolved and after an admin node is rebooted the non-admin down cluster node can be disabled.

PD-12852

An issue where a HTTP/2 enabled Virtual Service received an unexpected server disconnect which caused the LoadMaster to reboot has been fixed.

PD-12836

An issue where the netmask defined for an additional static route, added on any interface, was defaulted to /64 has been fixed.

PD-12828

Issues experienced when running read/write commands to a Real Server with caching and compression features enabled on the LoadMaster have been resolved.

PD-12872

Inconsistencies with the status of a HTTPS Real Server healthcheck have been resolved.

PD-12773

The RC4 ciphers that were removed in a previous firmware version have been reinstated.

PD-12759

If HTTP/2 is enabled on the parent Virtual Service, it will also work at the sub Virtual Service level.

PD-12703

ESP Permitted Group SID(s) can now be up to 64 bytes in length (192 characters) in the following format "XX XX XX" and separated by a semi-colon.

PD-12682

With ESP enabled and Client Authentication Mode set to Delegate to Server the configured Allowed Virtual Hosts now work correctly on VSs and subVSs.

PD-12681

Issues related to users initially being unable to log in if ESP is configured after a firmware update have been resolved.

PD-12655

Previously, the log message FIPS selftest failed was being generated on a LoadMaster configured in HA mode with Software FIPS enabled.

Now, the log message is no longer being generated and the system behaves as expected.

PD-12613

Issues which caused a LoadMaster reboot with a VS configured with WAF and HTTP/2 have been resolved.

PD-12578

An ESP SSO authenticating user is now correctly normalized to the Domain/Realm that is specified in the SSO Domain configuration.

PD-12576

ESP client-side dual-factor authentication now works as expected when using ESP RSA Secure-ID and either LDAPS or StartTLS.

PD-12555

On a VS with WAF logging enabled and Audit mode set to Audit All, the Real Server response header is now correctly logged. It defaults to "200 OK" when Process Responses is not enabled; otherwise it uses the actual response from the Real Server.

PD-12450

Log partition Disk Usage on the LoadMaster WUI under Statistics >> Real Time Statistics is now available when using the REST and PowerShell API commands.

PD-12441

When the Caching feature was enabled the Maximum Cache usage percentage that was set was not always being honored.

PD-12436

An incorrectly formed user name which resulted in LDAP connection failures when configuring users in Windows Logon format (example: DOMAIN\UserName) in the context of Certificate based client Authentication or ESP Domain health check has been fixed.

PD-12370

There were some issues when WAF was enabled on a VS, causing error logs to be produced and instability with WAF processing. These issues have now been resolved.

PD-12357

Previously, the LM with Allow Multi-Interface Access set would not allow access to the WUI on any port other than the default port 443.

Now, this has been resolved and the LM WUI can be accessed on any set port on any interface once Multi-Interface Access is set.

PD-12275

Previously, the LDAP response timeout could not be configured and was defaulted to 5 seconds. 

Now, the LDAP timeout can be configured within the range of 5 to 60 seconds.

PD-12242

Previously, Not Available Redirection Handling was not being used when Real Server health checks failed on a VS with ESP enabled and KCD set as the server-side authentication method.

Now, this functionality has been improved and if Real Server health checks fail Not Available Redirection Handling processing will now be invoked.

PD-11760

Previously, when an Alternate Gateway was set in a cloud environment networking issues occurred.

Now, this option has been removed for the LoadMaster for cloud environments to remove the risk of networking issues.

PD-11641

An issue where some existing LoadMaster users that are configured to use WUI Authentication with LDAP groups experienced login failures has been resolved.

PD-10970

An issue where a template exported from an older version of the LoadMaster, containing a VS with content rules configured, could not be imported by a newer LoadMaster has been resolved.

PD-10572

Previously, the extended log view was failing when a date range was selected using different years.

Now, the extended log view works correctly when the selected range spans different years.

PD-9947

An issue where Virtual Services or Real Servers can report as "up" in the API, even if the SubVSs are disabled has been resolved.

 

Known Issues

PD-13122

The GSLB cluster checker RESTful API commands mappedname, listfqdns and showfqdn are not correctly updated if the local or remote LoadMaster VS details are modified or if the VS gets deleted.

PD-13103

LoadMaster instability may occur when using HTTP/2 on a Virtual Service.

PD-13082

The LoadMaster RESTful API will not upload SSH Private keys which are larger than 4096 bytes in size.

PD-13038

Elliptic Curve Cryptography (ECC) certificates in pfx format cannot be uploaded to the LoadMaster.

PD-13031

Under high load the Web Application Firewall (WAF) engine may trigger some false positive rules.

PD-12998

As part of the upgrade of OpenSSL to version 1.1.1, support for Elliptic-Curve Diffie–Hellman (ECDH) ciphers has been removed. Users with these ciphers in the assigned list on the LoadMaster may experience issues when saving the list after modifications have been made.

PD-12981

Spurious OS kernel level warning messages are outputted but are not service affecting.

PD-12980

The following RESTful API commands are missing the VS service name from the GEO Mapping configuration: listclusters and showcluster.

PD-12960

Additional Custom Headers of up to 255 characters can be configured for Real Server health checks but due to an internal OS limitation only 144 characters are processed resulting in some Real Server health check failures.

PD-12864

An issue exists where Adaptive scheduling statistics are not updating on the management node in a LoadMaster cluster configuration.

PD-12838

The ESP Permitted Group SID(s) setting is not working as expected when configured on a subVS.

PD-12795

The Radius setting of Use Local Account only if AAA Fails does not work as designed when you have a backup Radius server added to the WUI Authorization configuration.

PD-12774

The SNMP OID name vSActivConns Data Type is set incorrectly to Counter32 and should be Gauge32.

PD-12653

A Hyper-V VLM won't boot when a 4th NIC is added.

PD-12616

With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.

PD-12492

If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.

PD-12354

The LoadMasters LM-X25 and LM-X40 do not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).

PD-12237

Configuring NTP with LoadMasters in a HA configuration causes them to go into Master-Master mode.

PD-12147

In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.

PD-12068

Issues exist with replication of GEO cluster configuration across nodes.

PD-12058

An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.

PD-11861

IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.

PD-11166

Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.

PD-11044

A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.

PD-11024

The WUI is not accessible on NIC-1 from a non-local subnet.

PD-10917

An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.

PD-10784

Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.

PD-10586

If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.

PD-10490

The vsremovewafrule RESTful API command does not allow multiple rules to be removed.

PD-10474

A SNORT rule is triggering a false positive in certain scenarios.

PD-10466

The LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000Base-LX 1310nm, 10KM over SMF).

PD-10193

A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.

PD-10188

When adding a Real Server to a Virtual Service or SubVS using a Safari browser, the list of available Real Servers is not available.

PD-10159

When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.

PD-10136

In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.

PD-10129

There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.

PD-9854

WAF does not support chunked transfer encoding on the POST body.

PD-9816

There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.

PD-9765

GEO does not support DNS TCP requests from unknown sources.

PD-9507

Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.

PD-9476

There is no RESTful API command to get/list the installed custom rule data files.

PD-9375

Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

PD-8853

GEO Location Based failover does not work as expected.

PD-8725

GEO Proximity and Location Based scheduling do not work with IPv6 source addresses.

 


Comments

LifeSciencesAdmin

You guys should categorize these issues / known issues so we don't have to go through the whole list.

For example:
1) We don't use any API so if you had an API category, we wouldn't bother going through that list
2) Our loadmaster is not in Microsoft Azure so that wouldn't apply

Nick Smylie

Hi @lifesciencesadmin
Thank you for the feedback. I will pass this off to our PM team.

itadmin

When will you support certificate chaining for SAML token signing? The current limitation means we can't use publicly issued certificates, this is an issue when using ADFS as changing the token signing certificate to one issued by our local CA will break authentication for all other relying parties.