LoadMaster 7.2.47.0 Release Notes
LMOS Version 7.2.47.0 is a feature and bug-fix update released in August 2019. Please read the sections below before installing or upgrading.
Supported LoadMaster Models
This release of LMOS is supported on the Hardware and Virtual platforms specified in the first two columns of the table below. It is not supported and should not be installed on any of the hardware and software listed in the two columns at right.
Supported Hardware Models | Supported Virtual Models | UNSUPPORTED Hardware Models | UNSUPPORTED Virtual Models
LM-X3 | VLM-200 | LM-2000 | VLM-100
If your model number is not listed above, please see the list of End of Life models.
New Features
The following new features have been implemented.
TLS 1.3 Hardware Support
Software-based SSL support for TLS 1.3 was delivered in a previous release, and with this release LoadMaster now supports TLS 1.3 for hardware SSL acceleration as well. Hardware-accelerated SSL is available with specific LoadMaster hardware appliances.
Exchange 2019 Application Template
A new Kemp Application Template for Exchange 2019, with an accompanying Deployment Guide, has been published to the Kemp website. See the Templates section at right and click on the Microsoft link.
URL Hash Scheduling Method
A new Scheduling Method has been added within a Virtual Service’s Standard Options called url hash. This new scheduling method was developed primarily to support Dell EMC Elastic Cloud Storage (ECS) applications and efficient use of ECS-based resources, but could also be used to support other workloads where storage efficiency is the primary goal. The url hash method works by creating a hash value based on the object referenced in the client request’s URL and the number of Real Servers or SubVSs in the Virtual Service. All requests for a particular URL will be sent to the same RS/SubVS, unless a Real Server or SubVS is added or removed – in which case all hash values are recalculated and subsequent traffic will be redistributed accordingly. If a request is received for a URL that matches a hash, but the appropriate Real Server or SubVS is unavailable (e.g., disabled), then only read requests from the client are permitted.
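The remapping behaviour described above, as an added example that is not Kemp's code: SHA-256 stands in for the hash function (which these notes do not specify), and the server names, URL paths and the GET/HEAD definition of a read request are assumptions. It measures how much traffic changes target when a fifth Real Server is added and shows the read-only rule for an unavailable target.

```python
import hashlib
from collections import Counter

READ_METHODS = {"GET", "HEAD"}  # assumption: what counts as a "read request"


def pick_server(url_path, servers):
    """Hash the URL object and reduce it modulo the number of pool members."""
    digest = hashlib.sha256(url_path.encode("utf-8")).digest()  # stand-in hash
    return servers[int.from_bytes(digest[:8], "big") % len(servers)]


def remapped_fraction(urls, pool_before, pool_after):
    """Share of URLs whose target changes when the pool membership changes."""
    moved = sum(pick_server(u, pool_before) != pick_server(u, pool_after) for u in urls)
    return moved / len(urls)


def spread(urls, servers):
    """Number of URLs that hash to each pool member."""
    return Counter(pick_server(u, servers) for u in urls)


def admit(method, url_path, servers, unavailable):
    """Return (hashed target, permitted) for one request."""
    target = pick_server(url_path, servers)
    if target in unavailable and method.upper() not in READ_METHODS:
        return target, False  # hashed target is unavailable: only reads pass
    return target, True


# Constructed sample data (hypothetical object paths and Real Server names).
URLS = ["/bucket-%d/object-%d" % (i % 7, i) for i in range(2000)]
POOL4 = ["rs1", "rs2", "rs3", "rs4"]
POOL5 = POOL4 + ["rs5"]

if __name__ == "__main__":
    print("URLs per server:", dict(spread(URLS, POOL4)))
    moved = remapped_fraction(URLS, POOL4, POOL5)
    print("remapped after adding rs5: %.0f%%" % (100 * moved))
    down = {pick_server(URLS[0], POOL4)}
    for method in ("GET", "PUT"):
        print(method, URLS[0], "->", admit(method, URLS[0], POOL4, down))
```

With a plain modulo mapping, going from four to five pool members moves about 80% of URLs to a different server, so plan pool changes for periods when a burst of redistributed traffic is acceptable.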
Feature Enhancements
The following feature enhancements have been implemented.
SSL Certificate Assignment
The character limit for the Certificates field in a Virtual Service’s SSL Properties has been increased from 1024 to 8192 characters. The WUI returns an error if you specify a number of certificates that would cause the field to exceed this limit.
ESP Performance
ESP configurations leveraging KCD have been optimized to support customers that require a large number of concurrent sessions.
Serial Console for Public Cloud Platforms
Serial console support has been enhanced so that you can now connect to the LoadMaster serial console in public clouds, such as AWS and Azure. This allows access to all console interface capabilities, including resetting the password for the administrative login (bal).
Metered Licensing Workflow
The process of licensing LoadMaster from a Kemp 360 Central Metered Licensing deployment has been simplified so that in most cases no other action than requesting and successfully retrieving a metered license is required to:
- license the LoadMaster and put it into operation
- add it to Kemp 360 Central and enable monitoring and statistics collection
See the Metered Licensing Management document on the Kemp website for a complete description of the new workflow for deploying a LoadMaster and licensing it from Kemp 360 Central.
WAF Event Logs, Remote Logging, and Disk Space Consumption
When large amounts of WAF data are being generated and remote logging is enabled, it’s possible for temporary WAF log data to exhaust available disk space. To alleviate this issue:
- WAF event log generation is now suspended when used file space grows above 90%. If log suspension occurs, a message will be displayed in the WUI and in the logs.
- WAF event log generation will resume automatically when disk space usage falls below 80%.
- Two new controls have been added to the System Configuration > Logging Options > Extended Log Files page that allow you to Save and Clear Temporary WAF Remote Log Data, so you can manually reduce the amount of disk space consumed by temporary data.
Netconsole IPv6 Support
You can now set an IPv6 address for a Netconsole host, with the restriction that LoadMaster must also have an IPv6 address on the interface chosen in the Netconsole options.
Priority for ChaCha20Poly1305 Ciphers
LoadMaster SSL handshake processing has been enhanced to give priority to ChaCha20Poly1305 ciphers when they are preferred in a client’s request.
Memory and Disk Usage Reporting
Enhancements to memory and disk usage display/reporting in the WUI and API include the following:
- The WUI now displays memory used and free memory in MB (instead of KB).
- The amount of total memory has been added.
- ‘Memory Available’ is renamed to ‘Free’.
- Disk usage partition size is displayed in GB, along with total disk space, and percentage used.
- More information has also been added to the ‘stats’ API output.
SAML Client-Side Authentication with Server Token Server-Side Authentication
When ESP is enabled, SAML is selected for the Client Authentication Mode, and Server Token is selected for the Server Authentication Mode, a new optional parameter appears that allows you to specify a Token Server FQDN. When set, LoadMaster contacts the token server at the given FQDN during sign-on and obtains a permanent access token from that token server. If this parameter is unset, then LoadMaster obtains the token from the Real Server (as in previous releases).
Change Notices
This release includes the following modifications to existing behavior that may require changes to procedures and/or scripts currently in use within your organization.
Change to ESP Extended Logging Behavior (Local vs. Remote)
In previous releases, LoadMaster would populate the local extended ESP logs and send the same messages to any configured remote syslog servers. In this release, administrators can now control where extended ESP logs are sent by opening the WUI's System Administration > Logging Options > Extended Log Files page and modifying the new Disable Local Extended ESP Logs check box.
- If Disable Local Extended ESP Logs is OFF (the default), then messages are written to the local extended ESP logs and are not sent to any remote syslog servers that may be defined.
- If Disable Local Extended ESP Logs is ON, then no messages are written to the local extended ESP logs; messages are sent only to the remote logger (if one is defined). If no remote logger is defined, then no extended ESP logs are recorded.
The above behavior also means that LoadMaster can no longer be configured to populate the local extended ESP logs and send the same messages to remote syslog servers.
Modify API Scripts that Deploy Metered License LoadMasters
Because of the changes to the Metered Licensing workflow (see the enhancements to the Metered Licensing Workflow, described above), existing scripts that deploy metered license LoadMasters must be modified to use the new usersetsyspassword() routine instead of the set_initial_password() routine, to set the ‘bal’ user password after the LoadMaster is successfully licensed. See the LMOS API Documentation on the Kemp website for more information.
Windows Resource-Based (Adaptive) Server Agent Discontinued
In previous releases, Kemp made available an executable program that could be installed on servers running Windows and used along with LoadMaster's Resource-Based (Adaptive) virtual service scheduling method. This Windows executable has been discontinued and is no longer available. A new document is available here that provides sample server scripts for both Windows and Linux systems. These scripts can be used as-is, or can be modified to provide whatever level of performance information is desired.
Issues Resolved
The following issues have been resolved in this release.
PD-13370 |
WUI: Fixed an issue that caused many "Resource temporarily unavailable" errors to appear in the log, with accompanying loss of access to the WUI. |
PD-13347 |
Licensing: In previous releases, if a password for a Kemp ID contained a "`" (backtick) character the LM would fail to get a license from the Kemp licensing server. This issue has been fixed so that licensing is successful in this case. |
PD-13337 |
HA: In High Availability configurations where the configuration is actively being updated, it is possible for signal 15 and segmentation fault errors to be observed in the log, along with configuration corruption that can only be resolved by failing over to the standby LoadMaster, or by applying a backup. This issue has been fixed. |
PD-13332 |
Virtual Services: In previous releases, a user could not set an Extra Port range on a VS if the two numbers in the range had different lengths (e.g., 99 has a length of 2 and 100 has a length of 3). This issue has been fixed so that a user can now set an Extra Port range on a VS as long as the first number in the range is less than the second number. |
PD-13308 |
Security: Fixed a potential security vulnerability where JavaScript could be added to the MOTD via the API. This is now not permitted. |
PD-13307 |
Security: Fixed a potential security vulnerability where a script could be uploaded to the MOTD via the API. This is now not permitted. |
PD-13305 |
GEO: Fixed an issue that caused updates to GEO partners to fail. |
PD-13304 |
Security: In previous releases, it was possible to discover a LoadMaster's private IP address via the API if someone knew only the public IP address. Now, the private IP address is no longer seen in the API response, nor is it seen in the LoadMaster WUI unless a user has logged in. |
PD-13303 |
API: Fixed an issue with the 'lscpi' API that caused an 'xmlParseEntityRef' error to be returned instead of a proper response. |
PD-13293 |
LDAP: In previous releases, configuring multiple LDAP servers on the LDAP Endpoint caused WUI Authentication to fail; however, it works if a single server is specified. This issue has been fixed. |
PD-13266 |
Networking: In LMOS 7.2.46, changes made to the Bonding mode (e.g., from 802.3ad to Active-Backup) reverted back to the previous value. This issue has been fixed. |
PD-13264 |
Browser Support: In previous releases, the LoadMaster WUI certificate did not have a SAN (Subject Alternative Name) value, which caused a certificate error in the Chrome and Firefox browsers. This issue has been fixed by adding a SAN to the certificate. |
PD-13235 |
Health Checks: When upgrading from LMOS 7.2.42 to 7.2.46, Virtual Services using LDAP health checks may fail after upgrade. This issue has been fixed. |
PD-13217 |
SMTP: In previous releases, setting the SMTP Server to "smtp.office365.com" on port 587 does not work. This issue has been fixed, so that "smtp.office365.com" on port 587 with STARTTLS can now be used. |
PD-13154 |
GEO: Fixed an issue that could cause the following spurious error to appear: "GEO_ACL_Automatic_Update: feature is not enabled and/or support is expired. Please contact Kemp support.". |
PD-13103 |
HTTP/2: Fixed an HTTP/2 issue that caused the LoadMaster to reboot when an invalid User Agent string was received. |
PD-13100 |
GEO: Fixed an issue that caused segmentation faults on GEO partners. |
PD-13086 |
SSL Certificates: In previous releases, the LMOS API call 'listcert' did not display the 'publickey' field for ECC certificates. The API now displays the 'publickey' field for ECC certificates, along with a new 'type' field (with values of 'RSA' or 'ECC'). |
PD-13082 |
SSL Certificates: Fixed an error that occurred when a user tries to upload a 4096 byte SSH Private Key via the API. |
PD-13079 |
Disk Mgmt: Fixed disk partitioning issues observed in LMOS 7.2.46. |
PD-13069 |
HTTP/2: Fixed issues observed on earlier releases with unexpected reboots due to HTTP/2 traffic processing. |
PD-13052 |
Licensing: Fixed a licensing related issue on the Azure platform that could cause intermittent failures when attempting to contact the Kemp licensing server. |
PD-13042 |
SAML/KCD: Fixed an issue that could cause a reboot when SAML + KCD were enabled under certain conditions. |
PD-13041 |
Licensing: Fixed an issue where the LoadMaster configuration does not get cleared after a "Kill_License" is performed via the LMOS API or licensing server. |
PD-13038 |
SSL Certificates: Fixed an issue where 'Elliptic Curve Cryptography' (ECC) certificates in PFX format can't be uploaded to the LM. |
PD-13034 |
OCSP Stapling: Fixed several issues:
|
PD-13031 |
WAF: In previous releases, a false positive was being returned in the WAF event log for a GET call by the WAF Core rule set (rule 942370). This issue has been fixed. |
PD-13027 |
Licensing: Fixed an issue that caused a spurious message to be displayed when "Kill License" is initiated from WUI. |
PD-13051 |
Networking / SSL Errors: In previous releases, all client SSL messages are written to the LoadMaster logs, which can result in spurious client alert messages appearing in the logs. To address this issue, a new parameter setting has been added to the WUI under System Configuration > Miscellaneous Options > Network Options labelled Log SSL errors. This is set by default to log "Fatal errors only", which will suppress client errors and spurious messages from appearing in the log. You can also set this parameter to display client errors (but not spurious messages), or to return to the behavior in previous releases where no messages are suppressed. |
PD-13020 |
SAML: In previous releases, it is possible for a user not in a SAML group to enter a redirect loop during authentication, instead of being returned an error denying them access. This issue has been fixed. |
PD-12998 |
SSL Ciphers (ECDH): In LMOS 7.2.46, OpenSSL was upgraded to version 1.1.1, which removes all support for ECDH ciphers. As a result, any ECDH ciphers specified in the configuration after upgrade could cause issues and should be removed (as stated in the 7.2.46 Release Notes). With 7.2.47, any ECDH ciphers present in a cipher list on LoadMaster will be ignored. |
PD-12986 |
GEO: Fixed an issue that could cause a 'readremote' failure to appear in the log, followed by a GEO Cluster check failure. |
PD-12981 |
Kernel: Fixed an issue that caused spurious kernel call trace warnings to appear in the log. |
PD-12980 |
Virtual Services API: Fixed an API issue where the Virtual Service name was not returned by the 'listclusters' and 'showcluster' API calls. These now display the service name correctly. |
PD-12979 |
Virtual Services API: Fixed an API issue where the Virtual Service name was not returned by the 'listfqdns' and 'showfqdn' API calls. These now display the service name correctly. |
PD-12973 |
GEO: In previous releases, when configuring a Cluster for an FQDN, the Mapping Menu parameter returns an error if a Virtual Service whose name contains a left or right bracket character ('[' or ']') is selected from the drop-down. This issue has been fixed. |
PD-12960 |
Health Checks: Additional Custom Headers of up to 255 characters can be configured for Real Server health checks but due to an internal OS limitation only 144 characters are processed resulting in some Real Server health check failures. This issue has been fixed. |
PD-12864 |
Clustering: When clustering is enabled on previous releases, adaptive scheduling statistics may not be updated as expected on the cluster Administration node. This issue has been fixed. |
PD-12880 |
ESP / Performance: Improved system performance when ESP extended logs are enabled and the system is under heavy load. See the Change Notices section, above. |
PD-12795 |
RADIUS: In previous releases, the Use Local Account only if AAA Fails option may not work as designed when a RADIUS server and a backup RADIUS server are configured, and no response is received from the backup server. This issue has been fixed. |
PD-12774 |
SNMP: In previous releases, the SNMP OIDs vsActiveConns, rsActiveConns and totRSActiveConns were incorrectly set as 'Counter32' type values. The issue has been fixed by changing the type to 'Gauge32'. |
PD-12625 |
SAML: Addressed issues that caused LoadMaster reboots when processing a high volume of SAML authentication requests. |
PD-12622 |
Licensing: In previous releases, the "readeula" REST API does not work after licensing (except when deployed on AWS). This has been fixed to work properly on all cloud, virtual and hardware models. |
PD-12598 |
Logging: In previous releases, no non-debug-mode syslog messages are generated when a Real Server is busy, listening to a different port, or there are no ports available (port exhaustion). This has been addressed by adding non-debug messages for these events. |
PD-12594 |
ESP Logs: Fixed an issue that could cause incorrect ESP log data display when filtering on a single date. |
PD-12496 |
ESP SSO: In previous releases, when ESP is enabled and SSO is being used, it's possible for the user credentials to be normalized incorrectly when the configuration is set to use the 'Username' logon format. |
PD-12449 |
API: In previous releases, the LMOS 'stats' and 'listconfig' APIs show an incorrect interface speed when there is no link detected. This issue has been fixed so that the correct speed ('0') is displayed. |
PD-12422 |
MT: In previous releases, a VNF LoadMaster's Real Time Statistics > Network Usage graphics display the speed as '-1', with misalignment of the graph bars as well. This issue has been fixed. |
PD-12068 |
GEO: In previous releases, with cluster checking set to 'Remote LM', clusters may not appear on the partner device, or may have invalid entries. This issue has been fixed. |
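A pre-upgrade check for PD-12998 above, as an added example that is not Kemp's code: it assumes cipher lists use OpenSSL suite names, in which fixed ECDH suites begin with ECDH-RSA- or ECDH-ECDSA-, and the Virtual Service names and cipher strings are constructed. It lists the entries that would be ignored and flags a list that would have nothing left.

```python
import re

# Fixed (static) ECDH suites in OpenSSL naming. Ephemeral ECDHE-* suites
# do not match this pattern and are unaffected.
STATIC_ECDH = re.compile(r"^ECDH-(RSA|ECDSA)-")


def audit_cipher_list(cipher_string):
    """Split an OpenSSL-style cipher string and report static ECDH entries."""
    enabled, ignored = [], []
    for token in re.split(r"[:,\s]+", cipher_string.strip()):
        if not token:
            continue
        if token[0] in "!-+@":
            # Exclusions, reordering and @directives never enable a suite.
            continue
        (ignored if STATIC_ECDH.match(token) else enabled).append(token)
    return {
        "enabled": enabled,    # entries that remain usable
        "ignored": ignored,    # static ECDH entries
        "nothing_left": bool(ignored) and not enabled,
    }


def audit_all(cipher_lists):
    """Audit every list; return only those that contain static ECDH entries."""
    findings = {}
    for name, cipher_string in cipher_lists.items():
        result = audit_cipher_list(cipher_string)
        if result["ignored"]:
            findings[name] = result
    return findings


# Constructed sample input (hypothetical Virtual Service names).
SAMPLE = {
    "vs-web": "ECDHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:"
              "ECDH-ECDSA-AES128-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
              "!ECDH-RSA-AES128-SHA",
    "vs-legacy": "ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES256-SHA384",
    "vs-modern": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
}

if __name__ == "__main__":
    for vs, result in audit_all(SAMPLE).items():
        status = "NO USABLE CIPHERS LEFT" if result["nothing_left"] else "ok"
        print(vs, "ignored:", result["ignored"], status)
```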
New Known Issues
The following known issues appear in these Release Notes for the first time.
PD-13432 |
Metered Licensing: When a metered license obtained from Kemp 360 Central expires, you cannot re-license the LoadMaster with the same license type. |
PD-12668 |
ActiveSync Virtual Services: Connectivity Issues with ActiveSync Virtual Services may be observed at high traffic volumes. |
Existing Known Issues
The following known issues appeared in the Release Notes for the previous release.
PD-12838 |
ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a subVS. |
PD-12653 |
Networking: A Hyper-V VLM won't boot when a 4th NIC is added. |
PD-12616 |
WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option. |
PD-12492 |
Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package. |
PD-12354 |
Hardware Support: The LoadMasters LM-X25 and LM-X40 do not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF). |
PD-12237 |
HA / NTP: Configuring NTP with LoadMasters in an HA configuration causes them to go into Master-Master mode. |
PD-12147 |
ESP / RADIUS: In a LoadMaster configuration with ESP and RADIUS server-side authentication enabled, sessions may fail to be established. |
PD-12058 |
Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster. |
PD-11861 |
RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication. |
PD-11166 |
Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly. |
PD-11044 |
SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication. |
PD-11024 |
WUI: The WUI is not accessible on NIC-1 from a non-local subnet. |
PD-10917 |
HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure. |
PD-10784 |
HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work. |
PD-10586 |
GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled. |
PD-10490 |
Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed. |
PD-10474 |
WAF: A SNORT rule is triggering a false positive in certain scenarios. |
PD-10466 |
Hardware Support: The LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF). |
PD-10193 |
Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported. |
PD-10188 |
Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available. |
PD-10159 |
Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI. |
PD-10136 |
Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node. |
PD-10129 |
Virtual Services: There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout. |
PD-9854 |
WAF: When WAF is enabled, any requests received that have chunked transfer encoding enabled (e.g., POSTs) are not processed properly and are not forwarded to a real server. |
PD-9816 |
WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves. |
PD-9765 |
GEO: DNS TCP requests from unknown sources are not supported. |
PD-9507 |
Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario. |
PD-9476 |
WAF: There is no RESTful API command to get/list the installed custom rule data files. |
PD-9375 |
SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication. |
PD-8853 |
GEO: Location Based failover does not work as expected. |
PD-8725 |
GEO: Proximity and Location Based scheduling do not work with IPv6 source addresses. |